How to uninstall an IPA client and reinstall it

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • IPA client

Issue

How to uninstall and re-install an IPA client?

Resolution

Uninstall an IPA client

  1. Run the ipa-client-install --uninstall command:
[root@client ~]# ipa-client-install --uninstall
  2. Check that you cannot obtain a Kerberos ticket-granting ticket (TGT).
[root@client ~]# kinit admin
kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
  3. On the client, remove old Kerberos principals from each identified keytab other than /etc/krb5.keytab:
[root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
  4. On an IdM server, remove all DNS entries for the client host from IdM:
[root@server ~]# ipa dnsrecord-del
Record name: old-client-name
Zone name: idm.example.com
No option to delete specific record provided.
Delete all? Yes/No (default No): yes
------------------------
Deleted record "old-client-name"
  5. On the IdM server, remove the client host entry from the IdM LDAP server. This removes all services and revokes all certificates issued for that host:
[root@server ~]# ipa host-del client.idm.example.com
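
A check for step 3, as an added example that is not part of the original article: it parses `klist -k` output and lists the principals of one realm that are still in a keytab, so an empty result after ipa-rmkeytab confirms the keytab is clean. The function names and the sample listing are constructed for illustration; EXAMPLE.COM and /path/to/keytab are the article's placeholders.

```bash
#!/bin/sh
# Added example, not part of the original article.
# Confirms that ipa-rmkeytab -r left no principal of the old realm in a keytab.

# Reads `klist -k` output on stdin; prints each principal in realm $1 once.
realm_principals() {
    awk -v realm="$1" '
        # Data rows start with a numeric KVNO; the principal is the last field.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            at = match($NF, /@[^@]*$/)          # last "@" starts the realm
            if (at && substr($NF, at + 1) == realm) print $NF
        }' | LC_ALL=C sort -u
}

# Returns 0 if keytab $1 holds no principal in realm $2, 1 if some remain,
# 2 if the keytab could not be read (missing file, no klist, no permission).
keytab_is_clean() {
    out=$(klist -k "$1" 2>&1) || { echo "cannot read $1: $out" >&2; return 2; }
    leftovers=$(printf '%s\n' "$out" | realm_principals "$2")
    [ -z "$leftovers" ] && return 0
    printf 'Still in %s:\n%s\n' "$1" "$leftovers" >&2
    return 1
}

# Constructed sample of `klist -k` output (not taken from a real system).
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/path/to/keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/client.idm.example.com@EXAMPLE.COM
   2 HTTP/client.idm.example.com@EXAMPLE.COM
   1 nfs/client.idm.example.com@EXAMPLE.COM
   3 host/client.other.test@OTHER.TEST
EOF
}

# Usage: sh check-keytab.sh /path/to/keytab EXAMPLE.COM
if [ "$#" -eq 2 ]; then
    keytab_is_clean "$1" "$2"
    exit $?
fi
```

Run it once per keytab identified in step 3; exit status 1 means principals of the old realm remain and ipa-rmkeytab should be run again for that file.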

Reinstalling the IPA client

  1. Make sure the required ports are open on the server side.

  2. Run the ipa-client-install command.
    NOTE: To install the system with different values, add the required command-line options to ipa-client-install. See more details at the link.

# ipa-client-install --force

NOTE: If the installation fails with the warning message below, it may be due to an empty or incorrect file that needs to be manually removed from the client side.

WARNING Using existing certificate '/etc/ipa/ca.crt'

a) Remove the old /etc/ipa/ca.crt file, and try to reinstall.

# rm /etc/ipa/ca.crt

  3. When the installation is finished, test if you can obtain a Kerberos ticket-granting ticket (TGT).
[root@client ~]# kinit -V admin


  • Component
  • ipa
