#1029 Uninstalling ipa-client doesn't clear keytab on server, if DNS record is not found
Closed: Fixed None Opened 13 years ago by dpal.


Please talk to Simo first to figure best course of action as it is not clear which key(s) in the keytab need to be removed.

What we do now in uninstall() is:

ipa-rmkeytab -k /etc/krb5.keytab -r <REALM>

It should zap anything in there; it isn't clear why this isn't happening. It shouldn't be hostname-specific.

My initial diagnosis was wrong. It isn't that the keytab isn't being cleared, we are not handling the --hostname properly.

We should be adding ipa_hostname=host to sssd.conf, using that name in the certs, etc.

Then when unenrolling use that hostname in the ipa-join --unenroll call.

To test do something like:

- ipa-client-install --hostname some_other_host.example.com
- ipa-getcert list
- id admin

If id admin works it means sssd is set up properly; you can confirm by looking at ipa_hostname in /etc/sssd/sssd.conf.

The certificate in ipa-getcert should be MONITORING.

Now on the IPA server look at the host entry for some_other_host.example.com and it should have Keytab: True

Now run: ipa-client-install --uninstall

The host entry on the server should have Keytab: False

Check the client:

- service certmonger start
- ipa-getcert list (should return nothing)
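The manual test plan above, turned into scripted checks. This is an added example, not code from the ticket or from FreeIPA itself: it reads the ipa_hostname value out of an sssd.conf file and inspects ipa-getcert list output for a MONITORING certificate carrying the --hostname, then checks that nothing is tracked after --uninstall. The sssd.conf fragment, the ipa-getcert output and the function names are constructed for the example; on a real client you would point it at /etc/sssd/sssd.conf and feed it the real `ipa-getcert list` output.

```shell
#!/bin/sh
# Added example (not FreeIPA code): scripted versions of the checks in the
# ticket's test plan. Inputs below are constructed samples so this runs offline.

EXPECTED_HOST="some_other_host.example.com"

# Constructed sssd.conf fragment, shaped like what ipa-client-install --hostname
# should write (ipa_hostname carrying the overridden name).
SAMPLE_SSSD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SSSD_CONF"' EXIT
cat > "$SAMPLE_SSSD_CONF" <<'EOF'
[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_hostname = some_other_host.example.com
ipa_server = ipa.example.com
EOF

# Constructed `ipa-getcert list` output after enrollment (one tracked request).
SAMPLE_GETCERT_ENROLLED='Number of certificates and requests being tracked: 1.
Request ID '\''20110415120000'\'':
    status: MONITORING
    stuck: no
    subject: CN=some_other_host.example.com,O=EXAMPLE.COM
    CA: IPA'

# Constructed `ipa-getcert list` output after --uninstall (nothing tracked).
SAMPLE_GETCERT_UNINSTALLED='Number of certificates and requests being tracked: 0.'

# Print the ipa_hostname value from an sssd.conf file (empty if unset).
sssd_ipa_hostname() {
    sed -n 's/^[[:space:]]*ipa_hostname[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Count tracked requests in `ipa-getcert list` output ("|| true" keeps grep's
# exit status 1 on zero matches from aborting a `set -e` caller).
getcert_request_count() {
    printf '%s\n' "$1" | grep -c '^Request ID' || true
}

# Count requests whose certificate is in the MONITORING state.
getcert_monitoring_count() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*status: MONITORING' || true
}

# Count certificates whose subject CN is the expected hostname ($1) in output ($2).
getcert_subject_count() {
    printf '%s\n' "$2" | grep -c "^[[:space:]]*subject: CN=$1," || true
}

# Enrolled state: sssd knows the --hostname and a MONITORING cert carries it.
check_enrolled() {
    conf=$1; getcert=$2; host=$3
    [ "$(sssd_ipa_hostname "$conf")" = "$host" ] || return 1
    [ "$(getcert_monitoring_count "$getcert")" -ge 1 ] || return 1
    [ "$(getcert_subject_count "$host" "$getcert")" -ge 1 ] || return 1
    return 0
}

# Uninstalled state: certmonger tracks no requests at all.
check_uninstalled() {
    [ "$(getcert_request_count "$1")" -eq 0 ]
}

if check_enrolled "$SAMPLE_SSSD_CONF" "$SAMPLE_GETCERT_ENROLLED" "$EXPECTED_HOST"; then
    echo "enrolled state looks correct for $EXPECTED_HOST"
fi
if check_uninstalled "$SAMPLE_GETCERT_UNINSTALLED"; then
    echo "uninstalled state looks correct: no tracked certificates"
fi
```

The subject check is the part that matters for this bug: if the certificate were issued for the machine's real name rather than the --hostname value, the CN would not match and check_enrolled fails, which is exactly the mismatch that later leaves the server-side Keytab flag set after unenrolling.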

Metadata Update from @dpal (7 years ago):
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0.3 RC3 (bug fixing)
