Chapter 15. Uninstalling an IdM client

As an administrator, you can remove an Identity Management (IdM) client from the environment.

15.1. Uninstalling an IdM client

Uninstalling a client removes the client from the Identity Management (IdM) domain, along with all of the specific IdM configuration of system services, such as System Security Services Daemon (SSSD). This restores the previous configuration of the client system.

Procedure

  1. Enter the ipa-client-install --uninstall command:

    [root@client ~]# ipa-client-install --uninstall
  2. Optional: Check that you cannot obtain a Kerberos ticket-granting ticket (TGT) for an IdM user:

    [root@client ~]# kinit admin
    kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
    [root@client ~]#

    If a Kerberos TGT ticket has been returned successfully, follow the additional uninstallation steps in Uninstalling an IdM client: additional steps after multiple past installations.

  3. On the client, remove old Kerberos principals from each identified keytab other than /etc/krb5.keytab:

    [root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
  4. On an IdM server, remove all DNS entries for the client host from IdM:

    [root@server ~]# ipa dnsrecord-del
    Record name: old-client-name
    Zone name: idm.example.com
    No option to delete specific record provided.
    Delete all? Yes/No (default No): yes
    ------------------------
    Deleted record "old-client-name"
  5. On the IdM server, remove the client host entry from the IdM LDAP server. This removes all services and revokes all certificates issued for that host:

    [root@server ~]# ipa host-del client.idm.example.com
    Important

    Removing the client host entry from the IdM LDAP server is crucial if you think you might re-enroll the client in the future, with a different IP address or a different hostname.

15.2. Uninstalling an IdM client: additional steps after multiple past installations

If you install and uninstall a host as an Identity Management (IdM) client multiple times, the uninstallation procedure might not restore the pre-IdM Kerberos configuration.

In this situation, you must manually remove the IdM Kerberos configuration. In extreme cases, you must reinstall the operating system.

Prerequisites

  • You have used the ipa-client-install --uninstall command to uninstall the IdM client configuration from the host. However, you can still obtain a Kerberos ticket-granting ticket (TGT) for an IdM user from the IdM server.
  • You have checked that the /var/lib/ipa-client/sysrestore directory is empty and hence you cannot restore the prior-to-IdM-client configuration of the system using the files in the directory.

Procedure

  1. Check the /etc/krb5.conf.ipa file:

    • If the contents of the /etc/krb5.conf.ipa file are the same as the contents of the krb5.conf file prior to the installation of the IdM client, you can:

      1. Remove the /etc/krb5.conf file:

        # rm /etc/krb5.conf
      2. Rename the /etc/krb5.conf.ipa file into /etc/krb5.conf:

        # mv /etc/krb5.conf.ipa /etc/krb5.conf
    • If the contents of the /etc/krb5.conf.ipa file are not the same as the contents of the krb5.conf file prior to the installation of the IdM client, you can at least restore the Kerberos configuration to the state directly after the installation of the operating system:
    1. Re-install the krb5-libs package:

      # yum reinstall krb5-libs

      As a dependency, this command will also re-install the krb5-workstation package and the original version of the /etc/krb5.conf file.

  2. Remove the var/log/ipaclient-install.log file if present.

Verification steps

  • Try to obtain IdM user credentials. This should fail:

    [root@r8server ~]# kinit admin
    kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
    [root@r8server ~]#

The /etc/krb5.conf file is now restored to its factory state. As a result, you cannot obtain a Kerberos TGT for an IdM user on the host.