Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64
ipa-client-2.0.0-25.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
On client:

1. Install ipa-client

# klist -ekt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes256-cts-hmac-sha1-96)
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes128-cts-hmac-sha1-96)
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (des3-cbc-sha1)
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (arcfour-hmac)

2. # ipa-join -u
Unenrollment successful.

3. # ipa-join
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=LAB.ENG.PNQ.REDHAT.COM

4. # klist -ekt /etc/krb5.keytab (Observe the KVNO)
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes256-cts-hmac-sha1-96)
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes128-cts-hmac-sha1-96)
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (des3-cbc-sha1)
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (arcfour-hmac)
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes256-cts-hmac-sha1-96)
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes128-cts-hmac-sha1-96)
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (des3-cbc-sha1)
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (arcfour-hmac)

5. # ipa-join -u
Error obtaining initial credentials: Decrypt integrity check failed.

Actual results:
1. IPA client fails to unenroll the second time.
2. The keytab is appended with the same KVNO for the host principal.
3. SSSD auth fails since it is unable to bind using this keytab:

(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_get_tgt_recv] (6): Child responded: 14 [Decrypt integrity check failed], expired on [0]
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_kinit_done] (4): Could not get TGT: 14 [Bad address]
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [fo_set_port_status] (4): Marking port 0 of server 'bumblebee.lab.eng.pnq.redhat.com' as 'not working'
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_handle_release] (8): Trace: sh[0x16c1030], connected[1], ops[(nil)], ldap[0x16c1710], destructor_lock[0], release_memory[0]

Expected results:
- Should remove the keytab when unenrolled.
OR
- Should check if the host principal already exists in the keytab, do an ipa-rmkeytab of the host principal and then re-add it.

Additional info:
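The keytab state in step 4 (every host entry present twice with the same KVNO) is detectable from `klist -ekt` output alone. The following shell check is an added example, not part of the report or of the IPA tooling; it assumes the `-ekt` column layout shown above and uses a constructed sample with placeholder hostname and realm.

```shell
#!/bin/sh
# Constructed sample of `klist -ekt` output in the state the report describes
# after a second ipa-join: every entry appears twice with the same KVNO.
# Hostname and realm are placeholders, not the report's values.
DUP_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   1 06/09/11 05:58:47 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 06/09/11 05:58:47 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 06/09/11 05:58:47 host/client.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   1 06/09/11 05:58:47 host/client.example.test@EXAMPLE.TEST (arcfour-hmac)
   1 06/09/11 06:00:42 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 06/09/11 06:00:42 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 06/09/11 06:00:42 host/client.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   1 06/09/11 06:00:42 host/client.example.test@EXAMPLE.TEST (arcfour-hmac)'

# Constructed sample of a healthy keytab: header plus one entry per enctype.
CLEAN_KLIST=$(printf '%s\n' "$DUP_KLIST" | head -n 7)

# Read `klist -ekt` output on stdin and print one line per (KVNO, principal,
# enctype) triple that occurs more than once, suffixed with its count.
dup_keytab_entries() {
    awk '
        # Entry lines start with a numeric KVNO; header lines do not.
        $1 ~ /^[0-9]+$/ && NF >= 5 { n[$1 " " $4 " " $5]++ }
        END { for (k in n) if (n[k] > 1) print k " x" n[k] }
    ' | LC_ALL=C sort
}

# Exit 0 when the keytab listing on stdin contains duplicate entries,
# 1 otherwise. Meant as a pre-check before re-running ipa-join on a host
# that is still enrolled (the situation in step 3 of the report).
keytab_has_dups() {
    [ -n "$(dup_keytab_entries)" ]
}

# Stand-alone demonstration: list the duplicate sets in the constructed sample.
printf '%s\n' "$DUP_KLIST" | dup_keytab_entries
```

On a live host, feed it real output with `klist -ekt /etc/krb5.keytab | keytab_has_dups`; a non-zero exit means the keytab is clean.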
This is not a valid test. ipa-join does not claim to remove keytab entries (in fact ipa-rmkeytab does). ipa-client-install should be used to unenroll a client, not ipa-join -u.
Then it doesn't make any sense to me to have this confusing option (-u) for ipa-join.

# ipa-join --help
Usage: ipa-join [OPTION...]
  -d, --debug                  Print the raw XML-RPC output in GSSAPI mode
  -q, --quiet                  Quiet mode. Only errors are displayed.
  -u, --unenroll               Unenroll this host from IPA server
  -h, --hostname=hostname      Hostname of this server
  -s, --server=hostname        IPA Server to use
  -k, --keytab=filename        Specifies where to store keytab information.
  -w, --bindpw=password        LDAP password (if not using Kerberos)

I don't see this option in the 5.7 client:

[root@drifter ~]# ipa-join --help
Usage: ipa-join [OPTION...]
  -d, --debug                        Print the raw XML-RPC output
  -q, --quiet                        Print as little as possible
  -h, --hostname=Host Name           Use this hostname instead of the node name
  -s, --server=IPA Server Name       IPA Server to use
  -k, --keytab=Keytab File Name      File were to store the keytab information
  -w, --bindpw=password to use if not using kerberos   LDAP password

Help options:
  -?, --help                         Show this help message
  --usage                            Display brief usage message

[root@drifter ~]# rpm -qf `which ipa-join`
ipa-client-2.0-10.el5_6.1
The functionality is correct. IMO it is not a bug. Yes, it is a bit confusing, but AFAIR we already talked about it and did not find a way to make it less confusing. ipa-client-install --uninstall should be used to uninstall the client. ipa-join -u is a utility function called in this process. If you want to do things manually you need to be aware that ipa-join -u is just a part of the process and does not do everything. Maybe we should have a paragraph about this in the manual.
Shall we turn this into a documentation bug? And the man pages, as we already discussed, could use some work.
Reopening as a doc bug.
I added a section on uninstalling clients: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/96.2/html/Enterprise_Identity_Management_Guide/uninstalling-clients.html