To migrate some users from a Microsoft Active Directory to the IPA 389 directory, I tried to establish a trust between both directories. After installing ipa-server-trust-ad and running ipa-adtrust-install, I was not able to just remove the packages.

Because the winbind service could not be started and generated a lot of coredumps, I had to remove the ipa-server-trust-ad package from the server.

How I successfully removed the package:

# remove EXTID (winbind) and ADTRUST (smb) services from directory
ldapdelete -x -D 'cn=Directory Manager' -W "cn=EXTID,cn=<FQDN>,cn=masters,cn=ipa,cn=etc,dc=example,dc=org"
ldapdelete -x -D 'cn=Directory Manager' -W "cn=ADTRUST,cn=<FQDN>,cn=masters,cn=ipa,cn=etc,dc=example,dc=org"

# stop the ipa
/etc/init.d/ipa stop

# edit /etc/dirsrv/slapd-<domain>/dse.ldif and remove each complete block for the following entries:
cn=IPA SIDGEN,cn=plugins,cn=config
cn=ipa-sidgen-task,cn=plugins,cn=config
cn=ipa_extdom_extop,cn=plugins,cn=config
cn=ipa-sidgen-task,cn=tasks,cn=config

# uninstall the samba and adtrust packages
yum remove ipa-server-trust-ad samba4-common samba4-winbind samba4 samba4-python

# start ipa again
/etc/init.d/ipa start

Note that this procedure was tested on CentOS 6.4.
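
The dse.ldif step in the procedure above, as an added example that is not part of the original report and is not FreeIPA code: it filters the four listed entries out of a copy of the file and handles DNs that LDIF has folded across two lines, which a line-based grep would miss. The function names, the sample entries and the `ipa_pwd_extop` entry used as the "keep" case are assumptions made for illustration; base64-encoded (`dn::`) DNs are not handled.

```shell
# Added example, not FreeIPA code. Run it against a COPY of dse.ldif taken
# while the directory server is stopped.

# DNs named in the procedure above, one per line.
TRUST_PLUGIN_DNS='cn=IPA SIDGEN,cn=plugins,cn=config
cn=ipa-sidgen-task,cn=plugins,cn=config
cn=ipa_extdom_extop,cn=plugins,cn=config
cn=ipa-sidgen-task,cn=tasks,cn=config'

# strip_ldif_entries FILE: print FILE without the entries whose DN is listed
# in $TRUST_PLUGIN_DNS. DN comparison is case-insensitive.
strip_ldif_entries() {
    DROP_DNS="$TRUST_PLUGIN_DNS" awk '
    BEGIN {
        n = split(ENVIRON["DROP_DNS"], want, "\n")
        for (i = 1; i <= n; i++) drop[tolower(want[i])] = 1
        RS = ""; ORS = "\n\n"          # paragraph mode: one record per entry
    }
    {
        entry = $0
        gsub(/\n /, "", entry)         # unfold LDIF continuation lines
        split(entry, line, "\n")
        dn = tolower(line[1])
        sub(/^dn: */, "", dn)
        if (!(dn in drop)) print       # keep the entry exactly as stored
    }' "$1"
}

# Constructed sample (not a real dse.ldif); the first DN is folded on purpose.
sample_ldif() {
    printf '%s\n' \
        'dn: cn=IPA SIDGEN,cn=plug' ' ins,cn=config' 'cn: IPA SIDGEN' \
        'nsslapd-pluginEnabled: on' '' \
        'dn: cn=ipa_pwd_extop,cn=plugins,cn=config' 'cn: ipa_pwd_extop' '' \
        'dn: cn=ipa-sidgen-task,cn=tasks,cn=config' 'cn: ipa-sidgen-task'
}

tmp=$(mktemp) && sample_ldif > "$tmp"
strip_ldif_entries "$tmp"   # only the ipa_pwd_extop entry is printed
rm -f "$tmp"
```

Write the output to a new file and diff it against the original before putting it in place, so that the only removed blocks are the four trust-related entries.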
We need to put a bit more logic into it, since removing trust support from one replica is OK, but removing it from all replicas means no trust could be used anymore, and therefore all trusts should be removed as well as related principals, including cifs/ipa.master.fqdn. There is also a DNS part (SRV records) in case IPA manages DNS.
In RHEL6 IPA does not support more than one IPA master for trusts but FreeIPA 3.2+ does, so this should be accounted for when solving this issue.
We should implement ipa-adtrust-install --uninstall instead of running the commands above. Removing samba packages should still be the administrator's own manual action, but we should print out the instructions to do so. However, the directory server's plugin configuration DNs must be removed by the uninstall mode.
Moving to NEEDS_TRIAGE milestone - all new tickets need to be triaged and scoped first, before being placed in a target milestone.
Starting to shape next release
After installer refactoring, this should be very simple.
Just a note, the following uninstall command will remove freeipa entirely.
yum remove ipa-server-trust-ad samba4-common samba4-winbind samba4 samba4-python

[root@freeipa:~]# yum remove samba4-common
Loaded plugins: rhnplugin
This system is receiving updates from RHN Classic or Red Hat Satellite.
Resolving Dependencies
--> Running transaction check
---> Package samba-common.x86_64 2:4.1.17-1.fc21 will be erased
--> Processing Dependency: samba-common = 2:4.1.17-1.fc21 for package: 2:libsmbclient-4.1.17-1.fc21.x86_64
--> Running transaction check
---> Package libsmbclient.x86_64 2:4.1.17-1.fc21 will be erased
--> Processing Dependency: libsmbclient.so.0()(64bit) for package: sssd-ad-1.12.4-2.fc21.x86_64
--> Processing Dependency: libsmbclient.so.0(SMBCLIENT_0.1.0)(64bit) for package: sssd-ad-1.12.4-2.fc21.x86_64
--> Running transaction check
---> Package sssd-ad.x86_64 0:1.12.4-2.fc21 will be erased
--> Processing Dependency: sssd-ad = 1.12.4-2.fc21 for package: sssd-1.12.4-2.fc21.x86_64
--> Running transaction check
---> Package sssd.x86_64 0:1.12.4-2.fc21 will be erased
--> Processing Dependency: sssd >= 1.12.3 for package: freeipa-client-4.1.4-1.fc21.x86_64
--> Running transaction check
---> Package freeipa-client.x86_64 0:4.1.4-1.fc21 will be erased
--> Processing Dependency: freeipa-client = 4.1.4-1.fc21 for package: freeipa-admintools-4.1.4-1.fc21.x86_64
--> Processing Dependency: freeipa-client = 4.1.4-1.fc21 for package: freeipa-server-4.1.4-1.fc21.x86_64
--> Processing Dependency: freeipa-client = 4.1.4-1.fc21 for package: freeipa-tests-4.1.4-1.fc21.x86_64
--> Running transaction check
---> Package freeipa-admintools.x86_64 0:4.1.4-1.fc21 will be erased
---> Package freeipa-server.x86_64 0:4.1.4-1.fc21 will be erased
---> Package freeipa-tests.x86_64 0:4.1.4-1.fc21 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch    Version          Repository                 Size
================================================================================
Removing:
 samba-common        x86_64  2:4.1.17-1.fc21  @fedora-21-x86_64-updates  1.7 M
Removing for dependencies:
 freeipa-admintools  x86_64  4.1.4-1.fc21     @fedora-21-x86_64-updates   45 k
 freeipa-client      x86_64  4.1.4-1.fc21     @fedora-21-x86_64-updates  441 k
 freeipa-server      x86_64  4.1.4-1.fc21     @fedora-21-x86_64-updates  4.3 M
 freeipa-tests       x86_64  4.1.4-1.fc21     @fedora-21-x86_64-updates  4.2 M
 libsmbclient        x86_64  2:4.1.17-1.fc21  @fedora-21-x86_64-updates  162 k
 sssd                x86_64  1.12.4-2.fc21    @fedora-21-x86_64-updates   34 k
 sssd-ad             x86_64  1.12.4-2.fc21    @fedora-21-x86_64-updates  449 k

Transaction Summary
================================================================================
Remove  1 Package (+7 Dependent packages)

Installed size: 11 M
Is this ok [y/N]: n

yum remove freeipa-server-trust-ad samba4-winbind samba4 samba4-python ... works
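
A check for the dependency cascade shown in the comment above, as an added example that is not part of the original ticket and is not FreeIPA code: it reads saved yum dependency-resolution output and reports whether the transaction would erase packages the IPA server needs. The `PROTECTED` list, the function names and the second sample are assumptions; the first sample reuses lines from the transcript.

```shell
# Added example, not FreeIPA code. PROTECTED is an assumed list of packages
# that must survive the cleanup (names as printed in the transcript above).
PROTECTED='freeipa-server freeipa-client sssd'

# erased_packages: read yum dependency-resolution output on stdin and print
# the name (arch suffix stripped) of every package marked "will be erased".
erased_packages() {
    awk '/^ *---> Package .* will be erased *$/ {
        name = $3
        sub(/\.[^.]+$/, "", name)      # drop ".x86_64", ".noarch", ...
        print name
    }' | sort -u
}

# collateral_removals: print the protected packages the transaction would
# erase. Exit status 1 if there is at least one, 0 if the removal is contained.
collateral_removals() {
    hits=$(erased_packages | while read -r pkg; do
        for p in $PROTECTED; do
            if [ "$pkg" = "$p" ]; then echo "$pkg"; fi
        done
    done)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
}

# Lines copied from the transcript above (yum remove samba4-common).
sample_samba_common() {
    cat <<'EOF'
---> Package samba-common.x86_64 2:4.1.17-1.fc21 will be erased
--> Processing Dependency: sssd >= 1.12.3 for package: freeipa-client-4.1.4-1.fc21.x86_64
---> Package sssd.x86_64 0:1.12.4-2.fc21 will be erased
---> Package freeipa-client.x86_64 0:4.1.4-1.fc21 will be erased
---> Package freeipa-server.x86_64 0:4.1.4-1.fc21 will be erased
EOF
}

# Constructed lines: a removal that stays inside the trust packages.
sample_trust_only() {
    cat <<'EOF'
---> Package freeipa-server-trust-ad.x86_64 0:4.1.4-1.fc21 will be erased
---> Package samba-winbind.x86_64 2:4.1.17-1.fc21 will be erased
EOF
}

sample_samba_common | collateral_removals || echo "STOP: IPA itself would be removed"
sample_trust_only | collateral_removals && echo "OK: removal is contained"
```

Package names are compared exactly, so `freeipa-server-trust-ad` is not mistaken for `freeipa-server`.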
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1211597
This ticket is not critical for 4.2 GA and can be done in follow-up stabilization release - postponing.
Closing as wontfix since there is no demand for this functionality and the implementation is actually pretty complex due to difficulties with the backup/restore of original samba config.
Possible use case: https://bugzilla.redhat.com/show_bug.cgi?id=1211597#c2
Metadata Update from @thyphus: - Issue assigned to mbabinsk - Issue set to the milestone: FreeIPA 4.2.1
Issue linked to bug 1211597
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2128549 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1211597)
Issue linked to bug 2128549