Unenroll the client from the IPA server on uninstall.

Unenrollment means that the host keytab is disabled on the server making
it possible to re-install on the client. This host principal is how we
distinguish an enrolled vs an unenrolled client machine on the server.

I added a --unroll option to ipa-join that binds using the host credentials
and disables its own keytab.

I fixed a couple of other unrelated problems in ipa-join at the same time.

I also documented all the possible return values of ipa-getkeytab and
ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab
and it returns whatever value ipa-getkeytab returned on failure.

ticket 242

1 files changed, 2 insertions, 1 deletions

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index ecdf98dd6..a18245fee 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -46,8 +46,9 @@ add: aci
 aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; aci "Hosts can manage service Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
 
 # Allow hosts to update their own certificate in host/
+# krbLastPwdChange lets a host unenroll itself
 dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr="userCertificate")(version 3.0; aci "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";)
+aci: (targetattr="userCertificate || krbLastPwdChange")(version 3.0; aci "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";)