[Freeipa-users] how to revert ipa-adtrust-install...

[Alexander Bokovoy]

On Thu, 15 Sep 2016, Rob Crittenden wrote:
>Alexander Bokovoy wrote:
>>On Thu, 15 Sep 2016, lejeczek wrote:
>>>is there any way to tell IPA not to control smb.service?
>>Do not run ipa-adtrust-install on the IPA master.
>>
>
>What do you mean control? If you don't want ipactl to manage the smb 
>service, look for an entry in 
>cn=masters,cn=ipa,cn=etc,dc=example,dc=com and delete it if you find 
>it.
At some point we decided to not do 'ipa-adtrust-install --uninstall'
because restoring previous Samba configuration is not easy. Aside from
smb.conf, there are multiple databases in /var/lib/samba which will have
no meaning if smb.conf is restored to pre-'ipa-adtrust-install' set up.
Removing (or recovering from backup) those databases wouldn't necessary
create a working Samba configuration as it was in
pre-'ipa-adtrust-install' stage. Which is especially doubtful to restore
to with the case when all users are actually in IPA LDAP and there is no
Samba passdb module that could readily consume IPA LDAP schema, other
than ipasam module that IPA provides. At this point the question would
be why to revert to non-IPA configuration if it could only work with
IPA LDAP when using ipasam module which is configured by
ipa-adtrust-install.

So we decided to not perform 'ipa-adtrust-install --uninstall' as it
makes no sense. If somebode is willing to uninstall
'ipa-adtrust-install', then need to realize what they are doing as it
would need to remove certain configuration in IPA LDAP because there are
actual 389-ds plugins that depend on the configuration and work jointly
with ipasam module in Samba to provide common setup. If 'ipasam' is
missing, those modules also become useless.
-- 
/ Alexander Bokovoy