mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
Improve help entry for ipa host
Updates old information produced by the ipa help host command. Also adds a section to ipa-client-install manpage about client re-enrollment. https://fedorahosted.org/freeipa/ticket/3820
parent
8122d74596
commit
3bb6d38308
@ -52,6 +52,31 @@ Other directory servers deployed in the network (e.g. Microsoft Active Directory
|
||||
|
||||
In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname should be in a domain with properly defined DNS SRV records pointing to IPA servers, either manually with a custom DNS server or with IPA DNS integrated solution. A second approach would be to avoid autodiscovery and configure the installer to use a fixed list of IPA server hostnames using the \-\-server option and with a \-\-fixed\-primary option disabling DNS SRV record autodiscovery in SSSD.
|
||||
|
||||
.SS "Re\-enrollment of the host"
|
||||
Requirements:
|
||||
|
||||
1. Host has not been un\-enrolled (the ipa\-client\-install \-\-uninstall command has not been run).
|
||||
.br
|
||||
2. The host entry has not been disabled via the ipa host\-disable command.
|
||||
|
||||
If this has been the case, host can be re\-enrolled using the usual methods.
|
||||
|
||||
There are two method of authenticating a re\-enrollment:
|
||||
|
||||
1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credetials provided via the \-w/\-\-password option.
|
||||
.br
|
||||
2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option.
|
||||
|
||||
Consenquences of the re\-enrollment on the host entry:
|
||||
|
||||
1. A new host certificate is issued
|
||||
.br
|
||||
2. The old host certificate is revoked
|
||||
.br
|
||||
3. New SSH keys are generated
|
||||
.br
|
||||
4. ipaUniqueID is preserved
|
||||
|
||||
.SH "OPTIONS"
|
||||
.SS "BASIC OPTIONS"
|
||||
.TP
|
||||
|
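Review bot: in the new "Re-enrollment of the host" section, the sentence "If this has been the case, host can be re-enrolled using the usual methods." follows two negated requirements, so it is unclear whether "this" means the requirements are met or were violated; suggest "If both requirements are met, the host can be re-enrolled using the usual methods." Method 2 authenticates with a backed up keytab from the previous enrollment, so the section should also say that this backup is a credential for the host and has to be stored with restricted access, otherwise the script case it describes only moves the secret from the admin's password to the keytab file. Spelling to fix in the same pass: "two method", "credetials", "e.g you", "Consenquences".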
@ -66,11 +66,13 @@ There are three enrollment scenarios when enrolling a new client:
|
||||
Host Enrollment privilege.
|
||||
3. The host has been created with a one-time password.
|
||||
|
||||
A host can only be enrolled once. If a client has enrolled and needs to
|
||||
be re-enrolled, the host entry must be removed and re-created. Note that
|
||||
re-creating the host entry will result in all services for the host being
|
||||
removed, and all SSL certificates associated with those services being
|
||||
revoked.
|
||||
|
||||
RE-ENROLLMENT:
|
||||
|
||||
Host that has been enrolled at some point, and lost its configuration (e.g. VM
|
||||
destroyed) can be re-enrolled.
|
||||
|
||||
For more information, consult the manual pages for ipa-client-install.
|
||||
|
||||
A host can optionally store information such as where it is located,
|
||||
the OS that it runs, etc.
|
||||
|
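Review bot: the RE-ENROLLMENT paragraph states that a host which lost its configuration "can be re-enrolled" without the two preconditions the ipa-client-install man page section in this same commit lists (the host was not un-enrolled, and the host entry was not disabled via ipa host-disable), so someone reading only ipa help host will assume it always works. Suggest naming both conditions here, or at least saying "can be re-enrolled under the conditions described in the ipa-client-install manual page". The paragraph "A host can only be enrolled once. If a client has enrolled and needs to be re-enrolled, the host entry must be removed and re-created" contradicts the new text if it stays in the help output, so confirm it is dropped. Grammar: "Host that has been enrolled" should read "A host that has been enrolled".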