There is currently no way to disable a host or service short of deleting it. Deletion has lots of other implications; there should be a way to disable a service and/or the host principal in a host entry.
master: 1e1985b
add service-disable command freeipa-479-service.patch
There are a couple of things to test here. Start by creating a new service principal:
$ ipa service-add test/ipa.example.com
Now try to delete its key (there shouldn't be one):
$ ipa service-disable test/ipa.example.com
Fetch a keytab for it:
$ ipa-getkeytab -s ipa.example.com -p test/ipa.example.com -k /tmp/test.keytab
Verify that the principal key is there:
$ ldapsearch -x -D 'cn=directory manager' -W -b 'cn=services,cn=accounts,dc=example,dc=com' krbprincipalname=test/ipa.example.com@EXAMPLE.COM
Now disable the principal.
You should get a success message.
Now try to delete it again; you should get an error raised.
Finally, run the ldapsearch again to confirm that the key is gone.
You can try the keytab if you want:
$ kinit -kt /tmp/test.keytab test/ipa.example.com
You will get a Kerberos error.
disable host or service principals freeipa-483-disable.patch
The new patch replaces the old one, I just bumped the patch number.
This adds support for hosts as well and it also includes an indicator, has_keytab, when showing an entry. This is a boolean that shows our best guess whether an entry has a krbprincipalkey value. We can't be 100% sure since we can't read the value directly, so it is inferred based on whether there is an expiration date.
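The test sequence in the earlier comment (disable before a key exists, fetch a keytab, check the entry with ldapsearch, disable, disable again) and the has_keytab inference described above can be modelled offline. The following is an added example, not FreeIPA's own code or the patch attached to this ticket: it parses constructed ldapsearch-style LDIF for the test principal, reports whether the key attribute is present (the Directory Manager view), infers has_keytab the way the comment describes, and models what the ticket expects service-disable to do. The choice of krbPasswordExpiration as the "expiration date" attribute and the shape of the LDIF are assumptions; the key blob is made up.

```python
import base64

# Constructed LDIF resembling what the ticket's ldapsearch step could return.
# The DN is folded across two lines to exercise LDIF continuation handling.
# Attribute names come from the Kerberos LDAP schema; which timestamp FreeIPA's
# has_keytab really inspects is an assumption (the comment says "expiration date").
_FAKE_KEY = base64.b64encode(b"opaque-key-blob").decode()  # made-up key blob

LDIF_NEW_SERVICE = """\
dn: krbprincipalname=test/ipa.example.com@EXAMPLE.COM,cn=services,cn=accounts
 ,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: test/ipa.example.com@EXAMPLE.COM
"""

LDIF_AFTER_GETKEYTAB = LDIF_NEW_SERVICE + f"""\
krbPrincipalKey:: {_FAKE_KEY}
krbPasswordExpiration: 20100701120000Z
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse LDIF into one dict per entry (lowercased attribute -> values).
    Handles folded lines (leading space) and base64 values ('attr:: ...')."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def has_key(entry: dict) -> bool:
    """Directory Manager view: the key attribute itself is readable."""
    return "krbprincipalkey" in entry


def infer_has_keytab(entry: dict) -> bool:
    """Unprivileged view as described in the comment: krbPrincipalKey cannot be
    read, so the presence of the expiration timestamp stands in for it."""
    return "krbpasswordexpiration" in entry


def disable_principal(entry: dict) -> dict:
    """Model of what the ticket expects service-disable to do: fail when there
    is no key, otherwise return the entry with the key and its timestamp gone."""
    if not has_key(entry):
        raise ValueError("principal has no Kerberos key to remove")
    return {k: list(v) for k, v in entry.items()
            if k not in ("krbprincipalkey", "krbpasswordexpiration")}


def ticket_scenario() -> list[str]:
    """Walk the ticket's test sequence on in-memory entries; return each outcome."""
    outcomes = []
    fresh = parse_ldif(LDIF_NEW_SERVICE)[0]          # right after service-add
    try:
        disable_principal(fresh)
        outcomes.append("disable-before-keytab: unexpected success")
    except ValueError:
        outcomes.append("disable-before-keytab: error")
    keyed = parse_ldif(LDIF_AFTER_GETKEYTAB)[0]      # after ipa-getkeytab
    outcomes.append(f"has_keytab after getkeytab: {infer_has_keytab(keyed)}")
    disabled = disable_principal(keyed)              # the disable that succeeds
    outcomes.append(f"has key after disable: {has_key(disabled)}")
    try:
        disable_principal(disabled)                  # second disable
        outcomes.append("second disable: unexpected success")
    except ValueError:
        outcomes.append("second disable: error")
    return outcomes


if __name__ == "__main__":
    for line in ticket_scenario():
        print(line)
```

Because has_keytab is only an inference, a defender auditing service accounts should treat it as a hint and confirm against the key attribute itself with a privileged bind, as the ldapsearch step in the test procedure does.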
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.0 - 2010/07