-rw-r--r-- | ipa-client/man/ipa-client-install.1 | 25 |
-rw-r--r-- | ipalib/plugins/host.py | 12 |
2 files changed, 32 insertions, 5 deletions
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index d98318eed..bb19041b1 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -52,6 +52,31 @@ Other directory servers deployed in the network (e.g. Microsoft Active Directory In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname should be in a domain with properly defined DNS SRV records pointing to IPA servers, either manually with a custom DNS server or with IPA DNS integrated solution. A second approach would be to avoid autodiscovery and configure the installer to use a fixed list of IPA server hostnames using the \-\-server option and with a \-\-fixed\-primary option disabling DNS SRV record autodiscovery in SSSD. +.SS "Re\-enrollment of the host" +Requirements: + +1. Host has not been un\-enrolled (the ipa\-client\-install \-\-uninstall command has not been run). +.br +2. The host entry has not been disabled via the ipa host\-disable command. + +If this has been the case, host can be re\-enrolled using the usual methods. + +There are two method of authenticating a re\-enrollment: + +1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credetials provided via the \-w/\-\-password option. +.br +2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option. + +Consenquences of the re\-enrollment on the host entry: + +1. A new host certificate is issued +.br +2. The old host certificate is revoked +.br +3. New SSH keys are generated +.br +4. ipaUniqueID is preserved + .SH "OPTIONS" .SS "BASIC OPTIONS" .TP diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 6be069425..7aa94aa95 100644 
--- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -66,11 +66,13 @@ There are three enrollment scenarios when enrolling a new client: Host Enrollment privilege. 3. The host has been created with a one-time password. -A host can only be enrolled once. If a client has enrolled and needs to -be re-enrolled, the host entry must be removed and re-created. Note that -re-creating the host entry will result in all services for the host being -removed, and all SSL certificates associated with those services being -revoked. + +RE-ENROLLMENT: + +Host that has been enrolled at some point, and lost its configuration (e.g. VM +destroyed) can be re-enrolled. + +For more information, consult the manual pages for ipa-client-install. A host can optionally store information such as where it is located, the OS that it runs, etc. |
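Review bot: In the new "Re\-enrollment of the host" section of ipa-client-install.1, the sentence "If this has been the case, host can be re\-enrolled using the usual methods." is ambiguous, because both requirements above it are phrased as negatives and "this" could refer either to meeting them or to failing them. Say explicitly which case it covers, for example "If the host has been un-enrolled or disabled, it must be enrolled again using the usual methods." The same section has several typos to fix before merging: "two method" should be "two methods", "credetials" should be "credentials", "e.g you" should be "e.g. you", and "Consenquences" should be "Consequences". Since the second authentication method relies on a keytab backed up from the previous enrollment, it would also help to add a sentence telling the administrator that the backup is a host credential and has to be stored as carefully as the admin password it replaces.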
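Review bot: In the ipalib/plugins/host.py docstring, the new RE-ENROLLMENT paragraph says a host "can be re-enrolled" without stating the two preconditions or the consequences that the man page hunk lists (host not un-enrolled, host entry not disabled, old certificate revoked, new SSH keys generated). A reader of the plugin help alone will not learn that the old host certificate is revoked, so consider summarizing those points here in one or two lines in addition to the pointer to ipa-client-install. The removed text also warned that deleting and re-creating a host entry removes its services and revokes their SSL certificates; that path still applies when the preconditions are not met, so the warning is worth keeping in reworded form. Minor wording: "Host that has been enrolled at some point, and lost its configuration" reads better as "A host that has been enrolled at some point and has lost its configuration".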