author | Rob Crittenden <rcritten@redhat.com> | 2010-09-17 21:37:32 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-09-20 16:07:42 -0400 |
commit | 6de0834fca74b89990e4acc82753544614a1a129 (patch) | |
tree | 244d3087cdef45898cba2a71e14c3f3a6561f5c4 /ipa-client/ipa-install | |
parent | 74e5d8c2af66a90d5cf85d80f7bafd6a21a724d5 (diff) | |
Unenroll the client from the IPA server on uninstall.

Unenrollment means that the host keytab is disabled on the server making
it possible to re-install on the client. This host principal is how we
distinguish an enrolled vs an unenrolled client machine on the server.

I added a --unroll option to ipa-join that binds using the host credentials
and disables its own keytab.

I fixed a couple of other unrelated problems in ipa-join at the same time.

I also documented all the possible return values of ipa-getkeytab and
ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab
and it returns whatever value ipa-getkeytab returned on failure.

ticket 242
Diffstat (limited to 'ipa-client/ipa-install')
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 7e52b7516..bded567bc 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -173,7 +173,7 @@ def chkconfig(name, status): return -def uninstall(options): +def uninstall(options, env): if not fstore.has_files() and not options.force: print "IPA client is not configured on this system." @@ -211,6 +211,12 @@ def uninstall(options): except: print "Failed to disable automatic startup of the certmonger daemon" + print "Unenrolling client from IPA server" + join_args = ["/usr/sbin/ipa-join", "--unenroll"] + (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env) + if returncode != 0: + print "Unenrolling host failed: %s" % stderr + print "Removing Kerberos service principals from /etc/krb5.keytab" try: parser = RawConfigParser() @@ -498,7 +504,7 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore') if options.uninstall: - return uninstall(options) + return uninstall(options, env) if fstore.has_files() and not options.force: print "IPA client is already configured on this system." |
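Review bot: in the second hunk (uninstall(), @@ -211,6 +211,12 @@), a non-zero return from `ipa-join --unenroll` is only printed, and the function then goes straight on to "Removing Kerberos service principals from /etc/krb5.keytab". The commit message says the unenroll binds using the host credentials, so once that next step has run a retry from this machine would no longer have them, and the host would stay enrolled on the server while the client reports a normal uninstall. Consider carrying the failure into uninstall()'s return value, or at least printing that the host must be disabled on the server by hand, so the admin does not have to infer it from the stderr text. Two smaller points: the commit message names the new option `--unroll` while the code passes `--unenroll`, and the `/usr/sbin/ipa-join` path is hard-coded in the argument list, so it is worth confirming that matches where the package installs the binary. The signature change to `uninstall(options, env)` in the first hunk is matched by the one call site visible in main(); any other caller would need the same update.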