Chapter 14. Uninstalling an IdM client

As an administrator, you can remove an Identity Management (IdM) client from the environment.

14.1. Uninstalling an IdM client

Uninstalling a client removes the client from the Identity Management (IdM) domain, along with all of the specific IdM configuration of system services, such as System Security Services Daemon (SSSD). This restores the previous configuration of the client system.


  1. Enter the ipa-client-install --uninstall command:

    [root@client ~]# ipa-client-install --uninstall
  2. Remove the DNS entries for the client host manually from the server:

    [root@server ~]# ipa dnsrecord-del
    Record name: old-client-name
    Zone name:
    No option to delete specific record provided.
    Delete all? Yes/No (default No): yes
    Deleted record "old-client-name"
  3. For each identified keytab other than /etc/krb5.keytab, remove the old principals:

    [root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
  4. On an IdM server, remove the client host entry from the IdM LDAP server. This removes all services and revokes all certificates issued for that host:

    [root@server ~]# ipa host-del

    Removing the client host entry from the IdM LDAP server is crucial if you think you might re-enroll the client in the future, with a different IP address or a different hostname.