From 3bb6d3830868a50066569b55158fbba1f36654fd Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Aug 06 2013 10:31:16 +0000 Subject: Improve help entry for ipa host Updates old information produced by the ipa help host command. Also adds a section to the ipa-client-install manpage about client re-enrollment. https://fedorahosted.org/freeipa/ticket/3820 --- diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index d98318e..bb19041 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 
@@ -52,6 +52,31 @@ Other directory servers deployed in the network (e.g. Microsoft Active Directory In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname should be in a domain with properly defined DNS SRV records pointing to IPA servers, either manually with a custom DNS server or with IPA DNS integrated solution. A second approach would be to avoid autodiscovery and configure the installer to use a fixed list of IPA server hostnames using the \-\-server option and with a \-\-fixed\-primary option disabling DNS SRV record autodiscovery in SSSD. +.SS "Re\-enrollment of the host" +Requirements: + +1. Host has not been un\-enrolled (the ipa\-client\-install \-\-uninstall command has not been run). +.br +2. The host entry has not been disabled via the ipa host\-disable command. + +If this has been the case, host can be re\-enrolled using the usual methods. + +There are two method of authenticating a re\-enrollment: + +1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credetials provided via the \-w/\-\-password option. +.br +2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option. + +Consenquences of the re\-enrollment on the host entry: + +1. A new host certificate is issued +.br +2. The old host certificate is revoked +.br +3. New SSH keys are generated +.br +4. ipaUniqueID is preserved + .SH "OPTIONS" .SS "BASIC OPTIONS" .TP diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 6be0694..7aa94aa 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py 
@@ -66,11 +66,13 @@ There are three enrollment scenarios when enrolling a new client: Host Enrollment privilege. 3. The host has been created with a one-time password. -A host can only be enrolled once. If a client has enrolled and needs to -be re-enrolled, the host entry must be removed and re-created. Note that -re-creating the host entry will result in all services for the host being -removed, and all SSL certificates associated with those services being -revoked. + +RE-ENROLLMENT: + +Host that has been enrolled at some point, and lost its configuration (e.g. VM +destroyed) can be re-enrolled. + +For more information, consult the manual pages for ipa-client-install. A host can optionally store information such as where it is located, the OS that it runs, etc.
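Review bot: in the ipa-client-install.1 hunk, the new "Re\-enrollment of the host" section ships several typos into the rendered man page: "credetials" should be "credentials", "Consenquences" should be "Consequences", "There are two method" should be "There are two methods", and "e.g you" should be "e.g. you". The sentence "If this has been the case, host can be re\-enrolled using the usual methods." is also ambiguous after a list of two negative requirements; suggest "If both conditions hold, the host can be re\-enrolled using the usual methods." Since the keytab method is the one that keeps the admin password out of the script and off the command line, it is worth stating plainly that the keytab must have been saved before the host configuration was lost, e.g. "you can use a keytab backed up from the previous enrollment of this host to authenticate (see the \-\-keytab option)."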
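Review bot: in the host.py hunk, the replacement paragraph drops the warning the removed text gave about certificate revocation and only points at the ipa-client-install man page; since the man page hunk in this same patch lists the consequences (new host certificate issued, old one revoked, new SSH keys, ipaUniqueID preserved), a one-line summary here would keep "ipa help host" self-contained for users who never open ipa-client-install(1). The added wording also needs an article and a verb: suggest "A host that has been enrolled at some point and has lost its configuration (e.g. the VM was destroyed) can be re-enrolled." and "consult the manual page for ipa-client-install" (singular).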