https://bugzilla.redhat.com/show_bug.cgi?id=681338
Please talk to Simo first to figure out the best course of action, as it is not clear which key(s) in the keytab need to be removed.
What we do now in uninstall() is:
ipa-rmkeytab -k /etc/krb5.keytab -r <REALM>
It should zap anything in there; it isn't clear why this isn't happening. It shouldn't be hostname-specific.
My initial diagnosis was wrong. It isn't that the keytab isn't being cleared; we are not handling the --hostname properly.
We should be adding ipa_hostname=host to sssd.conf, using that name in the certs, etc.
Then when unenrolling use that hostname in the ipa-join --unenroll call.
attachment freeipa-rcrit-749-hostname.patch
To test do something like:
- ipa-client-install --hostname some_other_host.example.com
- ipa-getcert list
- id admin
If id admin works it means sssd is set up properly, you can confirm by looking at ipa_hostname in /etc/sssd/sssd.conf.
The certificate in ipa-getcert should be MONITORING.
Now on the IPA server look at the host entry for some_other_host.example.com; it should have Keytab: True
Now run: ipa-client-install --uninstall
The host entry on the server should have Keytab: False
Check the client:
- service certmonger start
- ipa-getcert list (should return nothing)
master: 3735450
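The client-side checks from the test steps above, as an added example that is not from the ticket or from FreeIPA itself: it pulls ipa_hostname out of an sssd.conf and counts certificates in MONITORING state in `ipa-getcert list` output. The sssd.conf and ipa-getcert text are constructed samples so the script runs offline; point it at the real file and command output when testing a client.

```shell
#!/bin/sh
# Added example, not part of the ticket or FreeIPA. Verifies the client state
# the test steps describe. The two samples below are constructed, not captured.

# Constructed sample of /etc/sssd/sssd.conf after enrolling with --hostname.
SAMPLE_SSSD_CONF="[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
ipa_hostname = some_other_host.example.com
"

# Constructed sample of 'ipa-getcert list' output for an enrolled client.
SAMPLE_GETCERT_ENROLLED="Number of certificates and requests being tracked: 1.
Request ID '20110301120000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - some_other_host.example.com'
"

# sssd_hostname CONF_TEXT -> prints the ipa_hostname value found in a [domain/...] section.
# Accepts both 'ipa_hostname = host' and 'ipa_hostname=host'.
sssd_hostname() {
    printf '%s\n' "$1" | awk '
        /^\[domain\//                      { in_domain = 1; next }
        /^\[/                              { in_domain = 0 }
        in_domain && /^[ \t]*ipa_hostname[ \t]*=/ {
            sub(/^[ \t]*ipa_hostname[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }'
}

# monitored_cert_count GETCERT_TEXT -> prints how many tracked requests are MONITORING.
# After a successful uninstall ipa-getcert list is empty, so this prints 0.
monitored_cert_count() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*status: MONITORING' || :
}

# client_enrolled_as HOSTNAME CONF_TEXT GETCERT_TEXT -> exit 0 when sssd uses HOSTNAME
# and at least one certificate is being monitored, i.e. the enrolled state above.
client_enrolled_as() {
    [ "$(sssd_hostname "$2")" = "$1" ] && [ "$(monitored_cert_count "$3")" -gt 0 ]
}
```

On a real client run `client_enrolled_as some_other_host.example.com "$(cat /etc/sssd/sssd.conf)" "$(ipa-getcert list)"` before the uninstall and expect it to succeed, then rerun it after `ipa-client-install --uninstall` and expect it to fail.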
Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0.3 RC3 (bug fixing)