12.4. Disabling and Re-enabling Host Entries
Active hosts can be accessed by other services, hosts, and users within the domain. There can be situations when it is necessary to remove a host from activity. However, deleting a host removes the entry and all the associated configuration, and it removes it permanently.
12.4.1. Disabling Host Entries
Disabling a host prevents domain users from access it without permanently removing it from the domain. This can be done by using the host-disable command.
[jsmith@ipaserver ~]$ kinit admin [jsmith@ipaserver ~]$ ipa host-disable server.example.com
Disabling a host entry not only disables that host. It disables every configured service on that host as well.
12.4.2. Re-enabling Hosts
This section describes how to re-enable a disabled IdM host.
Disabling a host removes its active keytabs, which removed the host from the IdM domain without otherwise touching its configuration entry.
To re-enable a host, use the ipa-getkeytab command, adding:
-soption to specify which IdM server to request the keytab from
-poption to specify the principal name
-koption to specify the file to which to save the keytab.
For example, to request a new host keytab from
client.example.com, and store the keytab in the
$ ipa-getkeytab -s server.example.com -p host/client.example.com -k /etc/krb5.keytab -D "cn=directory manager" -w password
You can also use the administrator’s credentials, specifying
-D "uid=admin,cn=users,cn=accounts,dc=example,dc=com". It is important that the credentials correspond to a user allowed to create the keytab for the host.
If you run the ipa-getkeytab command on an active IdM client or server, then you can run it without any LDAP credentials (
-w) if the user has a TGT obtained using, for example, kinit admin. To run the command directly on the disabled host, supply LDAP credentials to authenticate to the IdM server.