Chapter 16. Renaming IdM client systems
The following sections describe how to change the host name of an Identity Management (IdM) client system.
Renaming a client is a manual procedure. Do not perform it unless changing the host name is absolutely required.
Renaming an IdM client involves:
- Preparing the host. For details, see Section 16.1, “Prerequisites”
- Uninstalling the IdM client from the host. For details, see Section 16.2, “Uninstalling an IdM client”
- Renaming the host. For details, see Section 16.4, “Renaming the host system”
- Installing the IdM client on the host with the new name. For details, see Section 16.5, “Re-installing an IdM client”
- Configuring the host after the IdM client installation. For details, see Section 16.6, “Re-adding services, re-generating certificates, and re-adding host groups”
Before uninstalling the current client, make note of certain settings for the client. You will apply this configuration after re-enrolling the machine with a new host name.
Identify which services are running on the machine:
ipa service-findcommand, and identify services with certificates in the output:
$ ipa service-find old-client-name.example.com
In addition, each host has a default host service which does not appear in the
ipa service-findoutput. The service principal for the host service, also called a host principal, is
For all service principals displayed by
ipa service-find old-client-name.example.com, determine the location of the corresponding keytabs on the
# find / -name "*.keytab"
Each service on the client system has a Kerberos principal in the form service_name/host_name@REALM, such as
Identify all host groups to which the machine belongs.
# ipa hostgroup-find old-client-name.example.com
16.2. Uninstalling an IdM client
Uninstalling a client removes the client from the Identity Management (IdM) domain, along with all of the specific IdM configuration of system services, such as System Security Services Daemon (SSSD). This restores the previous configuration of the client system.
[root@client ~]# ipa-client-install --uninstall
Optional: Check that you cannot obtain a Kerberos ticket-granting ticket (TGT) for an IdM user:
[root@client ~]# kinit admin kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials [root@client ~]#
If a Kerberos TGT ticket has been returned successfully, follow the additional uninstallation steps in Uninstalling an IdM client: additional steps after multiple past installations.
On the client, remove old Kerberos principals from each identified keytab other than
[root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
On an IdM server, remove all DNS entries for the client host from IdM:
[root@server ~]# ipa dnsrecord-del Record name: old-client-name Zone name: idm.example.com No option to delete specific record provided. Delete all? Yes/No (default No): yes ------------------------ Deleted record "old-client-name"
On the IdM server, remove the client host entry from the IdM LDAP server. This removes all services and revokes all certificates issued for that host:
[root@server ~]# ipa host-del client.idm.example.comImportant
Removing the client host entry from the IdM LDAP server is crucial if you think you might re-enroll the client in the future, with a different IP address or a different hostname.
16.3. Uninstalling an IdM client: additional steps after multiple past installations
If you install and uninstall a host as an Identity Management (IdM) client multiple times, the uninstallation procedure might not restore the pre-IdM Kerberos configuration.
In this situation, you must manually remove the IdM Kerberos configuration. In extreme cases, you must reinstall the operating system.
You have used the
ipa-client-install --uninstallcommand to uninstall the IdM client configuration from the host. However, you can still obtain a Kerberos ticket-granting ticket (TGT) for an IdM user from the IdM server.
You have checked that the
/var/lib/ipa-client/sysrestoredirectory is empty and hence you cannot restore the prior-to-IdM-client configuration of the system using the files in the directory.
If the contents of the
/etc/krb5.conf.ipafile are the same as the contents of the
krb5.conffile prior to the installation of the IdM client, you can:
# rm /etc/krb5.conf
# mv /etc/krb5.conf.ipa /etc/krb5.conf
If the contents of the
/etc/krb5.conf.ipafile are not the same as the contents of the
krb5.conffile prior to the installation of the IdM client, you can at least restore the Kerberos configuration to the state directly after the installation of the operating system:
# yum reinstall krb5-libs
As a dependency, this command will also re-install the
krb5-workstationpackage and the original version of the
var/log/ipaclient-install.logfile if present.
Try to obtain IdM user credentials. This should fail:
[root@r8server ~]# kinit admin kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials [root@r8server ~]#
/etc/krb5.conf file is now restored to its factory state. As a result, you cannot obtain a Kerberos TGT for an IdM user on the host.
16.4. Renaming the host system
Rename the machine as required. For example:
# hostnamectl set-hostname new-client-name.example.com
You can now re-install the Identity Management (IdM) client to the IdM domain with the new host name.
16.5. Re-installing an IdM client
Install an client on your renamed host following the procedure described in Chapter 11, Installing an IdM client: Basic scenario.
16.6. Re-adding services, re-generating certificates, and re-adding host groups
On the Identity Management (IdM) server, add a new keytab for every service identified in Section 16.1, “Prerequisites”.
[root@server ~]# ipa service-add service_name/new-client-name
Generate certificates for services that had a certificate assigned in Section 16.1, “Prerequisites”. You can do this:
- Using the IdM administration tools
- Re-add the client to the host groups identified in Section 16.1, “Prerequisites”.