[Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM

Andrey Ptashnik APtashnik at cccis.com
Mon Dec 14 21:01:14 UTC 2015


Alexander,

Thank you for your feedback, this is what I expected to do - 'ipa-client-install --uninstall' - an expected and easy quick fix for my request. It seems to work in an environment where the server portion is on CentOS/RHEL 7.1 and the clients are also on 7.1 with IPA 4.1.

However, when clients are a little older, like CentOS/RHEL 6.5-6.6, the behavior in our case was different: we had to manually delete records with the "ipa host-del" command, as Martin Kosek mentioned.

So I wanted to reiterate with the Red Hat team whether 'ipa-client-install --uninstall' is still the proper way to clean up records completely, and additionally whether I can expect the same behavior on client versions lower than CentOS/RHEL 7.1 + IPA 4.1.

Regards,

Andrey Ptashnik 







On 12/14/15, 4:21 AM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:

>On Fri, 11 Dec 2015, Andrey Ptashnik wrote:
>>Hello Team,
>>
>>We have many servers in our environment that are at different stages
>>of their lifecycle. All of them are added to the IPA domain. There are
>>cases when servers get moved, sometimes crash, sometimes are being
>>rebuilt or decommissioned. In those cases we need to completely remove
>>the server identity from IPA, including DNS, Host, Certificate and other
>>associated records.
>>What is the most proper way to completely remove client records in case
>>the server needs to be rebuilt with the same host name down the road?
>>(A hardware failure happened, the server crashed and needs to be rebuilt - this is
>>a perfect example.)
>'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h hostname',
>which in turn calls 'ipa host-disable hostname'. The latter on the
>IPA server side does the following:
> - disables the host entry
> - disables any service associated with the host
> - revokes certificates associated with the host
> - removes keytab associated with the host
>
>Disabling services involves revoking the certificates and removing the
>keytabs associated with these services.
>
>Of course, 'keytab removal' means only that the keys are removed from
>LDAP entries, not that keytab files are removed.
>
>Note that none of the DNS entries are removed.
>
>If you don't have the hosts anymore, you can issue 'ipa host-disable hostname'
>from any other host under the credentials of a user that has enough
>privileges to remove the host and associated services. 'admins' group
>membership should be strong enough to achieve this goal.
>
>-- 
>/ Alexander Bokovoy
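A small decommissioning helper that follows the sequence described in this thread (added here as an example; it is not part of the original messages or of FreeIPA itself). It assumes the 'ipa' CLI is on PATH with a valid admin Kerberos ticket, that 'ipa host-del --updatedns' is available to remove the DNS records 'host-disable' leaves behind, and that the host name is 'label.zone' with the forward zone managed by IPA; DRY_RUN=1 prints the planned commands instead of running them.

```shell
#!/bin/sh
# Server-side cleanup of a dead IPA client (example, not FreeIPA code).
# 'ipa host-disable' alone disables the host, its services, certificates and
# LDAP keytab keys but, as noted in the thread, leaves all DNS entries in place.

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Split "web01.example.test" (constructed sample name) into label and zone.
host_label() { echo "${1%%.*}"; }
host_zone()  { echo "${1#*.}"; }

ipa_decommission_host() {
    host="$1"
    # 1. Same server-side effect as 'ipa-client-install --uninstall' on the client:
    #    disable host and services, revoke certificates, drop keytab keys in LDAP.
    #    Fails if the host is already disabled; in that case we just continue.
    run ipa host-disable "$host" ||
        echo "host-disable failed (already disabled?), continuing" >&2
    # 2. host-disable never touches DNS. host-del with --updatedns (assumed
    #    available) removes the host entry plus its A/AAAA/SSHFP/PTR records,
    #    so the same host name can be re-enrolled cleanly after a rebuild.
    run ipa host-del --updatedns "$host"
    # 3. Show whatever is still left in the forward zone for manual review
    #    (e.g. records not owned by the host object, such as CNAMEs).
    run ipa dnsrecord-find "$(host_zone "$host")" "$(host_label "$host")"
}
```

The local keytab file on the client is not touched by any of this, which matches the thread: only the keys stored in LDAP are removed on the server side.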