[Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 14 10:21:56 UTC 2015


On Fri, 11 Dec 2015, Andrey Ptashnik wrote:
>Hello Team,
>
>We have many servers in our environment that are at a different stage
>of their lifecycle. All of them are added to the IPA domain. There are
>cases when servers get moved, sometimes crash, sometimes are being
>rebuilt or decommissioned. In those cases we need to completely remove
>the server identity from IPA including DNS, Host, Certificate and other
>associated records.
>What is the most proper way to completely remove client records in case
>the server needs to be rebuilt with the same host name down the road?
>(hardware failure happened, server crashed and needs to be rebuilt – is
>a perfect example).
'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h hostname'
which in turn calls 'ipa host-disable hostname'. The latter on the
IPA server side does the following:
 - disables the host entry
 - disables any service associated with the host
 - revokes certificates associated with the host
 - removes the keytab associated with the host

Disabling services involves revoking certificates and removing the
keytabs associated with these services.

Of course, 'keytab removal' means only that the keys are removed from
LDAP entries, not that keytab files are removed.

Note that none of the DNS entries are removed.

If you don't have the hosts anymore, you can issue 'ipa host-disable hostname'
from any other host under the credentials of a user that has enough
privileges to remove the host and associated services. 'admins' group
membership should be strong enough to achieve this goal.

-- 
/ Alexander Bokovoy
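A cleanup script for the case discussed above, as an added example that is not part of this thread or of FreeIPA itself: it issues the host-disable step the reply describes, then goes beyond the reply by also deleting the host entry and the DNS records that host-disable leaves behind. The hostname web01.example.test, the address 192.0.2.10 and the wrapper variable IPA are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: decommission a host that no longer
# exists (the "server crashed" case) from any other enrolled machine, as
# a user in the 'admins' group holding a Kerberos ticket (kinit admin).
# Assumptions: the ipa CLI is installed; the host's forward zone is the
# FQDN minus its first label; IPV4 (optional) is the address behind the
# host's A record, so the matching PTR record can be dropped as well.
IPA="${IPA:-ipa}"   # override with a wrapper such as 'echo ipa' to dry-run

# Print the ipa subcommands to run, one per line, in order.
# Printing a plan lets an operator review it before run_plan executes it.
plan_decommission() {
    fqdn="$1"; ipv4="$2"
    short="${fqdn%%.*}"; zone="${fqdn#*.}"
    # Step 1: what ipa-client-install --uninstall triggers through
    # ipa-join --unenroll: disable the host and its services, revoke their
    # certificates and remove the keytab keys from LDAP.
    printf 'host-disable %s\n' "$fqdn"
    # Step 2: remove the host entry so a rebuild with the same name
    # re-enrols from scratch.
    printf 'host-del %s\n' "$fqdn"
    # Step 3: host-disable leaves DNS alone, so drop the forward record
    # and, when the address is known, the reverse (PTR) record.
    printf 'dnsrecord-del %s %s --del-all\n' "$zone" "$short"
    if [ -n "$ipv4" ]; then
        rev=$(printf '%s\n' "$ipv4" |
              awk -F. '{ printf "%s.%s.%s.in-addr.arpa %s\n", $3, $2, $1, $4 }')
        printf 'dnsrecord-del %s --del-all\n' "$rev"
    fi
}

# Execute a plan from stdin line by line, stopping at the first failure
# (for example an expired ticket or a DNS record that is already gone).
run_plan() {
    while IFS= read -r line; do
        # shellcheck disable=SC2086  # word splitting of the plan line is intended
        $IPA $line || return 1
    done
}

# Usage: plan_decommission web01.example.test 192.0.2.10 | run_plan
```

Review the printed plan first; each ipa subcommand fails loudly if a record is already missing, so a partially cleaned host is visible rather than silently skipped.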