10.6. Renaming Machines and Reconfiguring IdM Client Configuration

The hostname of a system is critical for the correct operation of Kerberos and SSL. Both of these security mechanisms rely on the hostname to ensure that communication is occurring between the specified hosts. Infrastructures which use virtual machines or clustered servers will commonly have hosts which are renamed because systems are copied, moved, or renamed.
Red Hat Enterprise Linux does not provide a simple rename command to facilitate the renaming of an IdM host. Renaming a host in an IdM domain involves deleting the entry in IdM, uninstalling the client software, changing the hostname, and re-enrolling using the new name. Additionally, part of renaming hosts requires regenerating service principals.
To reconfigure the client:
  1. Identify which services are running on the machine. These need to be re-created when the machine is re-enrolled.
    # ipa service-find server.example.com
    Each host has a default service which does not appear in the list of services. This service can be referred to as the "host service". The service principal for the host service is host/<hostname>, such as host/server.example.com. This principal can also be referred to as the host principal.
  2. Identify all host groups to which the machine belongs.
    [root@client ~]# kinit admin
    [root@client ~]# ipa hostgroup-find server.example.com
  3. Identify which of the services have certificates associated with them. This can be done using the ldapsearch command to check the entries in the IdM LDAP database directly:
    [root@client ~]# ldapsearch -x -b "cn=accounts,dc=example,dc=com" "(&(objectclass=ipaservice)(userCertificate=*))" krbPrincipalName -D "cn=directory manager" -w secret -h ipaserver.example.com -p 389
  4. For any service principals (in addition to the host principal), determine the location of the corresponding keytabs on server.example.com. The keytab location is different for each service, and IdM does not store this information.
    Each service on the client system has a Kerberos principal in the form service_name/hostname@REALM, such as ldap/server.example.com@EXAMPLE.COM.
  5. Unenroll the client machine from the IdM domain:
    [root@client ~]# ipa-client-install --uninstall
  6. For each identified keytab other than /etc/krb5.keytab, remove the old principals:
    [root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
  7. On an IdM server, as an IdM administrator, remove the host entry. This removes all services and revokes all certificates issued for that host:
    [root@server ~]# kinit admin
    [root@server ~]# ipa host-del server.example.com
    At this point, the host is completely removed from IdM.
  8. Rename the machine.
  9. Re-enroll the system with IdM:
    [root@client ~]# ipa-client-install
    This generates a host principal for with the new hostname in /etc/krb5.keytab.
  10. On an IdM server, add a new keytab for every service:
    [root@server ~]# ipa service-add serviceName/new-hostname
  11. To generate certificates for services, use either certmonger or the IdM administration tools.
  12. Re-add the host to any applicable host groups.