Unenroll the client from the IPA server on uninstall.

Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server. I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab. I fixed a couple of other unrelated problems in ipa-join at the same time. I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure. ticket 242
2025-02-25 18:55:28 -06:00 · 2010-09-17 21:37:32 -04:00
parent 74e5d8c2af
commit 6de0834fca
6 changed files with 358 additions and 74 deletions
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -46,8 +46,9 @@ add: aci
 aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; aci "Hosts can manage service Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)

 # Allow hosts to update their own certificate in host/
+# krbLastPwdChange lets a host unenroll itself
 dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr="userCertificate")(version 3.0; aci "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";)
+aci: (targetattr="userCertificate || krbLastPwdChange")(version 3.0; aci "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";)