Add support for re-enrolling hosts using keytab

A host that has been recreated  and does not have its
host entry disabled or removed, can be re-enrolled using
a previously backed up keytab file.

A new option --keytab has been added to ipa-client-install. This
can be used to specify path to the keytab and can be used instead
of -p or -w options.

A new option -f has been added to ipa-join. It forces client to
join even if the host entry already exits. A new certificate,
ssh keys are generated, ipaUniqueID stays the same.

Design page: http://freeipa.org/page/V3/Client_install_using_keytab

https://fedorahosted.org/freeipa/ticket/3374

2 files changed, 6 insertions, 0 deletions

diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 2990b6694..8a77a113a 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -76,6 +76,9 @@ Password for joining a machine to the IPA realm. Assumes bulk password unless pr
 \fB\-W\fR
 Prompt for the password for joining a machine to the IPA realm.
 .TP
+\fB\-k\fR, \fB\-\-keytab\fR
+Path to backed up host keytab from previous enrollment.
+.TP
 \fB\-\-mkhomedir\fR
 Configure PAM to create a users home directory if it does not exist.
 .TP
diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1
index bd33b16cc..5dd4004b3 100644
--- a/ipa-client/man/ipa-join.1
+++ b/ipa-client/man/ipa-join.1
@@ -64,6 +64,9 @@ The password to use if not using Kerberos to authenticate. Use a password of thi
 \fB\-b,\-\-basedn basedn\fR
 The basedn of the IPA server (of the form dc=example,dc=com). This is only needed when not using Kerberos to authenticate and anonymous binds are disallowed in the IPA LDAP server.
 .TP
+\fB\-f,\-\-force\fR
+Force enrolling the host even if host entry exists.
+.TP
 \fB\-u,\-\-unenroll\fR
 Unenroll this host from the IPA server. No keytab entry is removed in the process
 (see