From 6de0834fca74b89990e4acc82753544614a1a129 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 17 Sep 2010 21:37:32 -0400 Subject: Unenroll the client from the IPA server on uninstall. Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server. I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab. I fixed a couple of other unrelated problems in ipa-join at the same time. I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure. ticket 242 --- ipa-client/ipa-install/ipa-client-install | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'ipa-client/ipa-install/ipa-client-install') diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 7e52b7516..bded567bc 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -173,7 +173,7 @@ def chkconfig(name, status): return -def uninstall(options): +def uninstall(options, env): if not fstore.has_files() and not options.force: print "IPA client is not configured on this system." @@ -211,6 +211,12 @@ def uninstall(options): except: print "Failed to disable automatic startup of the certmonger daemon" + print "Unenrolling client from IPA server" + join_args = ["/usr/sbin/ipa-join", "--unenroll"] + (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env) + if returncode != 0: + print "Unenrolling host failed: %s" % stderr + print "Removing Kerberos service principals from /etc/krb5.keytab" try: parser = RawConfigParser() 
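Review bot: A failed unenroll is only printed in the `if returncode != 0:` branch, and uninstall() then carries on to strip the principals from /etc/krb5.keytab. According to the commit description `ipa-join --unenroll` binds with the host credentials, so after that cleanup the client can no longer retry while the server still holds an enabled host keytab; any retained copy of the old keytab would presumably keep working. I would tell the administrator what state the host is in, e.g. add `print "The host is still enrolled on the server; disable it there manually."` in that branch, and record the failure so uninstall() can return non-zero. The rest of uninstall() lies outside the hunk, so whether its return value can already carry this is not visible here.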
@@ -498,7 +504,7 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore') if options.uninstall: - return uninstall(options) + return uninstall(options, env) if fstore.has_files() and not options.force: print "IPA client is already configured on this system." -- cgit
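Review bot: `env` has to be bound before the `if options.uninstall:` branch, and its assignment in main() is outside this hunk, so that is worth confirming before merge. Because the dict becomes the whole environment of the `/usr/sbin/ipa-join` child, it should be a fixed, installer-built value (a known PATH and nothing inherited that could redirect Kerberos configuration or the credential cache) rather than a copy of the caller's environment. A short comment above the call would record that, e.g. `# env: sanitized environment for child processes, built earlier in main()`.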