Chapter 15. Uninstalling an IdM client
As an administrator, you can remove an Identity Management (IdM) client from the environment.
15.1. Uninstalling an IdM client
Uninstalling a client removes the client from the Identity Management (IdM) domain, along with all of the specific IdM configuration of system services, such as System Security Services Daemon (SSSD). This restores the previous configuration of the client system.
[root@client ~]# ipa-client-install --uninstall
Optional: Check that you cannot obtain a Kerberos ticket-granting ticket (TGT) for an IdM user:
[root@client ~]# kinit admin kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials [root@client ~]#
If a Kerberos TGT ticket has been returned successfully, follow the additional uninstallation steps in Uninstalling an IdM client: additional steps after multiple past installations.
On the client, remove old Kerberos principals from each identified keytab other than
[root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
On an IdM server, remove all DNS entries for the client host from IdM:
[root@server ~]# ipa dnsrecord-del Record name: old-client-name Zone name: idm.example.com No option to delete specific record provided. Delete all? Yes/No (default No): yes ------------------------ Deleted record "old-client-name"
On the IdM server, remove the client host entry from the IdM LDAP server. This removes all services and revokes all certificates issued for that host:
[root@server ~]# ipa host-del client.idm.example.comImportant
Removing the client host entry from the IdM LDAP server is crucial if you think you might re-enroll the client in the future, with a different IP address or a different hostname.
15.2. Uninstalling an IdM client: additional steps after multiple past installations
If you install and uninstall a host as an Identity Management (IdM) client multiple times, the uninstallation procedure might not restore the pre-IdM Kerberos configuration.
In this situation, you must manually remove the IdM Kerberos configuration. In extreme cases, you must reinstall the operating system.
You have used the
ipa-client-install --uninstallcommand to uninstall the IdM client configuration from the host. However, you can still obtain a Kerberos ticket-granting ticket (TGT) for an IdM user from the IdM server.
You have checked that the
/var/lib/ipa-client/sysrestoredirectory is empty and hence you cannot restore the prior-to-IdM-client configuration of the system using the files in the directory.
If the contents of the
/etc/krb5.conf.ipafile are the same as the contents of the
krb5.conffile prior to the installation of the IdM client, you can:
# rm /etc/krb5.conf
# mv /etc/krb5.conf.ipa /etc/krb5.conf
If the contents of the
/etc/krb5.conf.ipafile are not the same as the contents of the
krb5.conffile prior to the installation of the IdM client, you can at least restore the Kerberos configuration to the state directly after the installation of the operating system:
# yum reinstall krb5-libs
As a dependency, this command will also re-install the
krb5-workstationpackage and the original version of the
var/log/ipaclient-install.logfile if present.
Try to obtain IdM user credentials. This should fail:
[root@r8server ~]# kinit admin kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials [root@r8server ~]#
/etc/krb5.conf file is now restored to its factory state. As a result, you cannot obtain a Kerberos TGT for an IdM user on the host.