#3993 Provide a way to uninstall trust-ad package
Closed: Invalid None Opened 9 years ago by thyphus.

to migrate some users from a Micrsoft Active Directory to the ipa 389 directory i tried to establish a trust between both directories. after installing ipa-server-trust-ad and running ipa-adtrust-install i was not able to just remove the packages.[[BR]][[BR]]because the winbind service could not be started and generated alot of coredumps, i had to remove the ipa-server-trust-ad package from the server.[[BR]][[BR]]how i successfully removed the package:[[BR]][[BR]]# remove EXTID (winbind) and ADTRUST (smb) services from directory[[BR]]ldapdelete -x -D 'cn=Directory Manager' -W "cn=EXTID,cn=<FQDN>,cn=masters,cn=ipa,cn=etc,dc=example,dc=org"[[BR]]ldapdelete -x -D 'cn=Directory Manager' -W "cn=ADTRUST,cn=<FQDN>,cn=masters,cn=ipa,cn=etc,dc=example,dc=org"[[BR]][[BR]]# stop the ipa[[BR]]/etc/init.d/ipa stop[[BR]][[BR]]# edit /etc/dirsrv/slapd-<domain>/dse.ldif and remove each complete block for the following entries:[[BR]]cn=IPA SIDGEN,cn=plugins,cn=config[[BR]]cn=ipa-sidgen-task,cn=plugins,cn=config[[BR]]cn=ipa_extdom_extop,cn=plugins,cn=config[[BR]]cn=ipa-sidgen-task,cn=tasks,cn=config[[BR]][[BR]]# uninstall the samba and adtrust packages[[BR]]yum remove ipa-server-trust-ad samba4-common samba4-winbind samba4 samba4-python[[BR]][[BR]]# start ipa again[[BR]]/etc/init.d/ipa start[[BR]]

Note that this procedure was tested on CentOS 6.4.

We need to make a bit more logic into it since removing trust support from one replica is OK, but removing it from all replicas means no trust could be used anymore and therefore all trusts should be removed as well as related principals, including cifs/ipa.master.fqdn. There is also DNS part (SRV records) in case IPA manages DNS.

In RHEL6 IPA does not support more than one IPA master for trusts but FreeIPA 3.2+ does, so this should be accounted for when solving this issue.

We should implement ipa-adtrust-install --uninstall instead of running the commands above. Removing samba packages should still be administrator's own manual action but we should print out the instruction to do so. However, directory server's plugins configuration DNs must be removed by the uninstall mode.

Moving to NEEDS_TRIAGE milestone - all new tickets needs to be triaged and scoped first, before placing to target milestone.

Starting to shape next release

After installer refactoring, this should be very simple.

Just a note, the following uninstall command will remove freeipa entirely.

uninstall the samba and adtrust packages

yum remove ipa-server-trust-ad samba4-common samba4-winbind samba4 samba4-python

[root@freeipa:~]# yum remove samba4-common
Loaded plugins: rhnplugin
This system is receiving updates from RHN Classic or Red Hat Satellite.
Resolving Dependencies
--> Running transaction check
---> Package samba-common.x86_64 2:4.1.17-1.fc21 will be erased
--> Processing Dependency: samba-common = 2:4.1.17-1.fc21 for package: 2:libsmbclient-4.1.17-1.fc21.x86_64
--> Running transaction check
---> Package libsmbclient.x86_64 2:4.1.17-1.fc21 will be erased
--> Processing Dependency: libsmbclient.so.0()(64bit) for package: sssd-ad-1.12.4-2.fc21.x86_64
--> Processing Dependency: libsmbclient.so.0(SMBCLIENT_0.1.0)(64bit) for package: sssd-ad-1.12.4-2.fc21.x86_64
--> Running transaction check
---> Package sssd-ad.x86_64 0:1.12.4-2.fc21 will be erased
--> Processing Dependency: sssd-ad = 1.12.4-2.fc21 for package: sssd-1.12.4-2.fc21.x86_64
--> Running transaction check
---> Package sssd.x86_64 0:1.12.4-2.fc21 will be erased
--> Processing Dependency: sssd >= 1.12.3 for package: freeipa-client-4.1.4-1.fc21.x86_64
--> Running transaction check
---> Package freeipa-client.x86_64 0:4.1.4-1.fc21 will be erased
--> Processing Dependency: freeipa-client = 4.1.4-1.fc21 for package: freeipa-admintools-4.1.4-1.fc21.x86_64
--> Processing Dependency: freeipa-client = 4.1.4-1.fc21 for package: freeipa-server-4.1.4-1.fc21.x86_64
--> Processing Dependency: freeipa-client = 4.1.4-1.fc21 for package: freeipa-tests-4.1.4-1.fc21.x86_64
--> Running transaction check
---> Package freeipa-admintools.x86_64 0:4.1.4-1.fc21 will be erased
---> Package freeipa-server.x86_64 0:4.1.4-1.fc21 will be erased
---> Package freeipa-tests.x86_64 0:4.1.4-1.fc21 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

 Package                                      Arch                             Version                                      Repository                                           Size
 samba-common                                 x86_64                           2:4.1.17-1.fc21                              @fedora-21-x86_64-updates                           1.7 M
Removing for dependencies:
 freeipa-admintools                           x86_64                           4.1.4-1.fc21                                 @fedora-21-x86_64-updates                            45 k
 freeipa-client                               x86_64                           4.1.4-1.fc21                                 @fedora-21-x86_64-updates                           441 k
 freeipa-server                               x86_64                           4.1.4-1.fc21                                 @fedora-21-x86_64-updates                           4.3 M
 freeipa-tests                                x86_64                           4.1.4-1.fc21                                 @fedora-21-x86_64-updates                           4.2 M
 libsmbclient                                 x86_64                           2:4.1.17-1.fc21                              @fedora-21-x86_64-updates                           162 k
 sssd                                         x86_64                           1.12.4-2.fc21                                @fedora-21-x86_64-updates                            34 k
 sssd-ad                                      x86_64                           1.12.4-2.fc21                                @fedora-21-x86_64-updates                           449 k

Transaction Summary
Remove  1 Package (+7 Dependent packages)

Installed size: 11 M
Is this ok [y/N]: n

yum remove freeipa-server-trust-ad samba4-winbind samba4 samba4-python ... works

This ticket is not critical for 4.2 GA and can be done in follow-up stabilization release - postponing.

Closing as wontfix since there is no demand for this functionality and the implementation is actually pretty complex due to difficulties with the backup/restore of original samba config.

Metadata Update from @thyphus:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2.1

6 years ago
a year ago

Login to comment on this ticket.