Chapter 15. Renaming IdM client systems

The following sections describe how to change the host name of an Identity Management (IdM) client system.

Warning

Renaming a client is a manual procedure. Do not perform it unless changing the host name is absolutely required.

Renaming an IdM client involves:

  1. Preparing the host. For details, see Section 15.1, “Prerequisites”
  2. Uninstalling the IdM client from the host. For details, see Section 15.2, “Uninstalling an IdM client”
  3. Renaming the host. For details, see Section 15.3, “Renaming the host system”
  4. Installing the IdM client on the host with the new name. For details, see Section 15.4, “Re-installing an IdM client”
  5. Configuring the host after the IdM client installation. For details, see Section 15.5, “Re-adding services, re-generating certificates, and re-adding host groups”

15.1. Prerequisites

Before uninstalling the current client, make note of certain settings for the client. You will apply this configuration after re-enrolling the machine with a new host name.

  • Identify which services are running on the machine:

    • Use the ipa service-find command, and identify services with certificates in the output:

      $ ipa service-find old-client-name.example.com
    • In addition, each host has a default host service which does not appear in the ipa service-find output. The service principal for the host service, also called a host principal, is host/old-client-name.example.com.
  • For all service principals displayed by ipa service-find old-client-name.example.com, determine the location of the corresponding keytabs on the old-client-name.example.com system:

    # find / -name "*.keytab"

    Each service on the client system has a Kerberos principal in the form service_name/host_name@REALM, such as ldap/old-client-name.example.com@EXAMPLE.COM.

  • Identify all host groups to which the machine belongs.

    # ipa hostgroup-find old-client-name.example.com

15.2. Uninstalling an IdM client

Uninstalling a client removes the client from the Identity Management (IdM) domain, along with all of the specific IdM configuration of system services, such as System Security Services Daemon (SSSD). This restores the previous configuration of the client system.

Procedure

  1. Enter the ipa-client-install --uninstall command:

    [root@client ~]# ipa-client-install --uninstall
  2. Remove the DNS entries for the client host manually from the server:

    [root@server ~]# ipa dnsrecord-del
    Record name: old-client-name
    Zone name: idm.example.com
    No option to delete specific record provided.
    Delete all? Yes/No (default No): yes
    ------------------------
    Deleted record "old-client-name"
  3. For each identified keytab other than /etc/krb5.keytab, remove the old principals:

    [root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
  4. On an IdM server, remove the client host entry from the IdM LDAP server. This removes all services and revokes all certificates issued for that host:

    [root@server ~]# ipa host-del client.idm.example.com
    Important

    Removing the client host entry from the IdM LDAP server is crucial if you think you might re-enroll the client in the future, with a different IP address or a different hostname.

15.3. Renaming the host system

Rename the machine as required. For example:

# hostnamectl set-hostname new-client-name.example.com

You can now re-install the Identity Management (IdM) client to the IdM domain with the new host name.

15.4. Re-installing an IdM client

Install an client on your renamed host following the procedure described in Chapter 10, Installing an IdM client: Basic scenario.

15.5. Re-adding services, re-generating certificates, and re-adding host groups

  1. On the Identity Management (IdM) server, add a new keytab for every service identified in Section 15.1, “Prerequisites”.

    [root@server ~]# ipa service-add service_name/new-client-name
  2. Generate certificates for services that had a certificate assigned in Section 15.1, “Prerequisites”. You can do this:

    • Using the IdM administration tools
    • Using the certmonger utility
  3. Re-add the client to the host groups identified in Section 15.1, “Prerequisites”.