Bug 990130

Summary: Incorrect information in "ipa help host"
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: ipa Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0 CC: rcritten, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.3.0-0.2.beta2.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 13:02:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2013-07-30 12:53:58 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3820

From ```ipa help host```:
{{{
A host can only be enrolled once. If a client has enrolled and needs to
be re-enrolled, the host entry must be removed and re-created. Note that
re-creating the host entry will result in all services for the host being
removed, and all SSL certificates associated with those services being
revoked.
}}}

This information is outdated. The [http://www.freeipa.org/page/V3/Forced_client_re-enrollment forced client re-enrollment] feature enables exactly that - a client can be re-enrolled without removing the host entry. The above paragraph needs to be updated with correct information with regard to client re-enrollment.

Comment 1 Martin Kosek 2013-08-06 10:32:25 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/3bb6d3830868a50066569b55158fbba1f36654fd

Comment 3 Scott Poore 2014-01-28 17:37:24 UTC
Verified.

Version ::
ipa-server-3.3.3-15.el7.x86_64

Test Results ::

[root@master ~]# PAGER="cat" man ipa-client-install 2>/dev/null|grep "Re-enrollment of the host"
   Re-enrollment of the host

[root@master ~]# ipa help host|grep "A host can only be enrolled once"
[root@master ~]# 

From Man page:

   Re-enrollment of the host
       Requirements:

       1. Host has not been un-enrolled (the ipa-client-install --uninstall  command  has  not  been
       run).
       2. The host entry has not been disabled via the ipa host-disable command.

       If this has been the case, host can be re-enrolled using the usual methods.

       There are two method of authenticating a re-enrollment:

       1.  You  can  use --force-join option with ipa-client-install command. This authenticates the
       re-enrollment using the admin's credetials provided via the -w/--password option.
       2. If providing the admin's password via the command line is not an option (e.g you  want  to
       create a script to re-enroll a host and keep the admin's password secure), you can use backed
       up keytab from the previous enrollment of this host to authenticate. See --keytab option.

       Consenquences of the re-enrollment on the host entry:

       1. A new host certificate is issued
       2. The old host certificate is revoked
       3. New SSH keys are generated
       4. ipaUniqueID is preserved
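
The keytab-authenticated re-enrollment described in the man page excerpt above, as an added example that is not part of the bug report or the FreeIPA project's own code. It refuses to use a backed-up keytab that is missing, empty, a symlink, or readable by group or others; the `REENROLL_KEYTAB` variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: re-enroll an IPA client with the host keytab backed up from
# its previous enrollment, so no admin password appears on the command line.
# REENROLL_KEYTAB and the function names are assumptions of this example.

# Succeed only if the keytab is a regular, non-empty file (not a symlink),
# owned by the invoking user, with no group or other permission bits set.
keytab_is_safe() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] && [ -s "$kt" ] && [ -O "$kt" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld -- "$kt" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print the command that would be run, or fail if the keytab is unsafe.
reenroll_cmd() {
    keytab_is_safe "$1" || return 1
    printf 'ipa-client-install --unattended --keytab %s\n' "$1"
}

# Perform the re-enrollment (must run as root on the enrolled client).
reenroll() {
    if ! keytab_is_safe "$1"; then
        echo "refusing to use keytab $1: missing, empty, or too permissive" >&2
        return 1
    fi
    ipa-client-install --unattended --keytab "$1"
}

# Only act when the caller explicitly names a keytab.
if [ -n "${REENROLL_KEYTAB:-}" ]; then
    reenroll "$REENROLL_KEYTAB"
fi
```

Use `reenroll_cmd` to preview the invocation before running `reenroll` on the client.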

Comment 4 Ludek Smid 2014-06-13 13:02:32 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.