Improve help entry for ipa host

Updates old information produced by the ipa help host command.
Also adds a section to ipa-client-install manpage about client
re-enrollment.

https://fedorahosted.org/freeipa/ticket/3820
Tomas Babej 2013-08-02 17:06:29 +02:00 committed by Martin Kosek
parent 8122d74596
commit 3bb6d38308
2 changed files with 32 additions and 5 deletions


@ -52,6 +52,31 @@ Other directory servers deployed in the network (e.g. Microsoft Active Directory
In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname should be in a domain with properly defined DNS SRV records pointing to IPA servers, either manually with a custom DNS server or with IPA DNS integrated solution. A second approach would be to avoid autodiscovery and configure the installer to use a fixed list of IPA server hostnames using the \-\-server option and with a \-\-fixed\-primary option disabling DNS SRV record autodiscovery in SSSD.
.SS "Re\-enrollment of the host"
Requirements:
1. Host has not been un\-enrolled (the ipa\-client\-install \-\-uninstall command has not been run).
.br
2. The host entry has not been disabled via the ipa host\-disable command.
If this has been the case, host can be re\-enrolled using the usual methods.
There are two method of authenticating a re\-enrollment:
1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credetials provided via the \-w/\-\-password option.
.br
2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option.
Consenquences of the re\-enrollment on the host entry:
1. A new host certificate is issued
.br
2. The old host certificate is revoked
.br
3. New SSH keys are generated
.br
4. ipaUniqueID is preserved
.SH "OPTIONS"
.SS "BASIC OPTIONS"
.TP
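Review bot: The sentence "If this has been the case, host can be re\-enrolled using the usual methods." directly after the Requirements list is ambiguous, because "this" can mean either that both requirements are met or that the host was un-enrolled or disabled. Please state the condition explicitly. Formatting: "Requirements:", "There are two method of authenticating a re\-enrollment:" and "Consenquences of the re\-enrollment on the host entry:" are followed by item 1 with no .br, and the second item of the first two lists runs straight into the next sentence, so roff will fill these into one paragraph; add .br (or use .TP/.IP entries) around each list. Typos to fix in the same pass: "two method", "credetials", "e.g you", "Consenquences". Since the \-\-keytab path depends on a "backed up keytab from the previous enrollment", it would also help to say that this backup is itself a host credential and needs protected storage, given that the stated motivation is keeping the admin's password secure.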


@ -66,11 +66,13 @@ There are three enrollment scenarios when enrolling a new client:
Host Enrollment privilege.
3. The host has been created with a one-time password.
A host can only be enrolled once. If a client has enrolled and needs to
be re-enrolled, the host entry must be removed and re-created. Note that
re-creating the host entry will result in all services for the host being
removed, and all SSL certificates associated with those services being
revoked.
RE-ENROLLMENT:
Host that has been enrolled at some point, and lost its configuration (e.g. VM
destroyed) can be re-enrolled.
For more information, consult the manual pages for ipa-client-install.
A host can optionally store information such as where it is located,
the OS that it runs, etc.
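Review bot: The RE-ENROLLMENT paragraph says a host "can be re-enrolled" without the two preconditions the man page section in this same commit lists (the host has not been un-enrolled and the host entry has not been disabled), and without the consequences for the host entry (new certificate issued, old certificate revoked, new SSH keys). The paragraph starting "A host can only be enrolled once" at least warned about certificate revocation, so a reader of ipa help host should get one sentence on the preconditions and on the certificate change, not only the pointer to the manual pages. Wording: "Host that has been enrolled at some point, and lost its configuration" reads better as "A host that has been enrolled at some point and has lost its configuration", and the pointer could name the page precisely as ipa-client-install(1).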