#3374 [RFE] Allow client to be reenrolled using an existing keytab
Closed: Fixed. Opened 9 years ago by dpal.

People rebuild IPA client systems all the time and need to easily re-enroll clients after they rebuilt them especially if they are virtual machines. This calls for a new provisioning method using a keytab.

1. Machine has been initially provisioned using an OTP method
2. Machine is de-provisioned
3. Machine needs to be rebuilt with the same name

Currently OTP method does not work for re-enrolment because it requires two asynchronous operations: one to get a new OTP from IPA and another to call the install with the new OTP.
Using other provisioning schemes we support (admin based ones) means sticking admin password into the kickstart files - not a good security practice.

The proposal is to allow backing up a keytab and then using keytab to acquire the ticket and then installing the client.

1. System has already been enrolled
2. Host entry exists
3. Keytab was backed up
4. New authentication method/parameter is added to ipa-client-install

Proposed sequence:
1. Keytab is restored in a predefined place
2. ipa-client-install is called with new argument --keytab=<path to keytab>
3. Client install does kinit using keytab and then continues the enrolment re-provisioning new keytab, certs and ssh keys. Restored keytab is destroyed or overwritten.

Note: The system can be de-provisioned with or without calling ipa-client-install --uninstall so the contents of the host entry might be different. The logic should work regardless of how the client was de-provisioned. Effectively running the ipa-client-install with --keytab option should reinit/repair the client configuration if the keytab is correct regardless of the current state of the client.

For more details about the discussion that led to the creation of this RFE see mail thread: https://www.redhat.com/archives/freeipa-users/2013-January/msg00091.html
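The proposed sequence above, written out as a shell script with the pre-checks a practitioner would want before handing a restored keytab to the installer. This is an added example, not code from the FreeIPA project or from the ticket: it assumes the `--keytab` option of ipa-client-install that this RFE proposes, the MIT krb5 `kinit`/`klist`/`kdestroy` tools, `hostname -f` returning the enrolled FQDN, and a backup location of the caller's choosing (the `/root/ipa-host.keytab.bak` default is a constructed placeholder). The `kinit` step before the install is there to surface the case raised later in this ticket, a host entry that was disabled by `--uninstall`, before anything on the client is touched.

```shell
#!/bin/sh
# Re-enrol an IPA client from a backed-up host keytab (added example, not
# FreeIPA project code).  Assumes ipa-client-install --keytab (this RFE),
# MIT krb5 client tools and hostname -f.  The backup path is a constructed
# placeholder; use whatever location the kickstart restored the keytab to.
#
# Usage:  . ./reenroll.sh && reenroll_with_keytab /root/ipa-host.keytab.bak

# check_keytab FILE
# Refuse to proceed unless FILE is a regular, non-empty file with no group or
# other permission bits (the same posture /etc/krb5.keytab is kept in).
# Returns 0 when all checks pass, 1 otherwise.
check_keytab() {
    f="$1"
    [ -f "$f" ] || { echo "keytab missing: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "keytab is empty: $f" >&2; return 1; }
    # characters 5-10 of ls -ld output are the group/other bits (rwxrwx)
    perm=$(ls -ld "$f" | cut -c5-10) || return 1
    [ "$perm" = "------" ] || {
        echo "keytab $f is readable by group/other (mode bits: $perm)" >&2
        return 1
    }
    return 0
}

# expected_principal FQDN
# The host principal the restored keytab must contain for this machine.
expected_principal() {
    printf 'host/%s' "$1"
}

# keytab_has_principal FILE PRINCIPAL
# True when klist lists PRINCIPAL (in any realm) in FILE.  Needs MIT klist.
keytab_has_principal() {
    klist -kt "$1" 2>/dev/null | grep -q "$2@"
}

# reenroll_with_keytab BACKUP_PATH
# Steps 1-3 of the proposed sequence: validate the restored keytab, prove
# the key is still accepted by the KDC, re-run the client install with
# --keytab, then destroy the backup so the pre-rebuild key cannot be reused.
reenroll_with_keytab() {
    backup="$1"
    fqdn=$(hostname -f) || return 1
    princ=$(expected_principal "$fqdn")

    check_keytab "$backup" || return 1
    keytab_has_principal "$backup" "$princ" || {
        echo "$backup does not contain $princ" >&2
        return 1
    }

    # If the host entry was disabled (e.g. by ipa-client-install --uninstall)
    # this kinit fails and we stop before changing any client configuration.
    kinit -kt "$backup" "$princ" || {
        echo "kinit with $princ failed; host key is no longer valid on the server" >&2
        return 1
    }
    kdestroy

    # The installer re-provisions /etc/krb5.keytab, certs and SSH keys.
    ipa-client-install --unattended --keytab "$backup" || return 1

    # Restored keytab is destroyed once the new one is in place.
    shred -u "$backup" 2>/dev/null || rm -f "$backup"
}
```

The permission check is deliberately strict: a keytab restored by a provisioning system often lands with the umask of whatever wrote it, and a group- or world-readable host key is exactly the kind of thing the OTP scheme was meant to avoid leaving around. Note that `check_keytab` only inspects the file; whether the key is still usable is decided by the `kinit` step, which is the point later comments in this ticket turn on.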

From my investigation I would conclude that we cannot support client install using backed-up keytab when the host has been unenrolled (e.g. after running ipa-client-install --uninstall). When unenrolling, we disable the host entry in LDAP and therefore effectively disable the Kerberos key, SSL certificate and all services of a host.

We should only support reenrollment for clients that have not been unenrolled, and therefore still have a valid Kerberos key.

Move all uncompleted tickets to next month bucket.

Metadata Update from @dpal:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.2 - 2013/03

5 years ago