summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTomas Babej <tbabej@redhat.com>2013-08-02 17:06:29 +0200
committerMartin Kosek <mkosek@redhat.com>2013-08-06 12:31:16 +0200
commit3bb6d3830868a50066569b55158fbba1f36654fd (patch)
tree1c49be66724bcbffe829c1411f6d49b13507e9d4
parent8122d74596457530ce794916bafb1c7fcdb56ada (diff)
downloadfreeipa-3bb6d3830868a50066569b55158fbba1f36654fd.tar.gz
freeipa-3bb6d3830868a50066569b55158fbba1f36654fd.tar.xz
freeipa-3bb6d3830868a50066569b55158fbba1f36654fd.zip
Improve help entry for ipa host
Updates old information produced by the ipa help host command. Also adds a section to ipa-client-install manpage about client re-enrollment. https://fedorahosted.org/freeipa/ticket/3820
-rw-r--r--ipa-client/man/ipa-client-install.125
-rw-r--r--ipalib/plugins/host.py12
2 files changed, 32 insertions, 5 deletions
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index d98318eed..bb19041b1 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -52,6 +52,31 @@ Other directory servers deployed in the network (e.g. Microsoft Active Directory
In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname should be in a domain with properly defined DNS SRV records pointing to IPA servers, either manually with a custom DNS server or with IPA DNS integrated solution. A second approach would be to avoid autodiscovery and configure the installer to use a fixed list of IPA server hostnames using the \-\-server option and with a \-\-fixed\-primary option disabling DNS SRV record autodiscovery in SSSD.
+.SS "Re\-enrollment of the host"
+Requirements:
+
+1. Host has not been un\-enrolled (the ipa\-client\-install \-\-uninstall command has not been run).
+.br
+2. The host entry has not been disabled via the ipa host\-disable command.
+
+If this has been the case, host can be re\-enrolled using the usual methods.
+
+There are two method of authenticating a re\-enrollment:
+
+1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credetials provided via the \-w/\-\-password option.
+.br
+2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option.
+
+Consenquences of the re\-enrollment on the host entry:
+
+1. A new host certificate is issued
+.br
+2. The old host certificate is revoked
+.br
+3. New SSH keys are generated
+.br
+4. ipaUniqueID is preserved
+
.SH "OPTIONS"
.SS "BASIC OPTIONS"
.TP
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 6be069425..7aa94aa95 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -66,11 +66,13 @@ There are three enrollment scenarios when enrolling a new client:
Host Enrollment privilege.
3. The host has been created with a one-time password.
-A host can only be enrolled once. If a client has enrolled and needs to
-be re-enrolled, the host entry must be removed and re-created. Note that
-re-creating the host entry will result in all services for the host being
-removed, and all SSL certificates associated with those services being
-revoked.
+
+RE-ENROLLMENT:
+
+Host that has been enrolled at some point, and lost its configuration (e.g. VM
+destroyed) can be re-enrolled.
+
+For more information, consult the manual pages for ipa-client-install.
A host can optionally store information such as where it is located,
the OS that it runs, etc.