Allow host re-enrollment using delegation

A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Forced_client_re-enrollment https://fedorahosted.org/freeipa/ticket/3482
2025-02-25 18:55:28 -06:00 · 2013-03-18 11:06:22 +01:00
parent 322458b5b2
commit a7ccc198a7
2 changed files with 9 additions and 1 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -111,6 +111,9 @@ def parse_options():
                      help="The hostname of this machine (FQDN). If specified, the hostname will be set and "
                           "the system configuration will be updated to persist over reboot. "
                           "By default a nodename result from uname(2) is used.")
+    basic_group.add_option("", "--force-join", dest="force_join",
+                      action="store_true", default=False,
+                      help="Force client enrollment even if already enrolled")
    basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use")
    basic_group.add_option("-N", "--no-ntp", action="store_false",
                      help="do not configure ntp", default=True, dest="conf_ntp")
@@ -1989,6 +1992,8 @@ def install(options, env, fstore, statestore):
            if options.hostname:
                join_args.append("-h")
                join_args.append(options.hostname)
+            if options.force_join:
+                join_args.append("-f")
            if options.principal is not None:
                stdin = None
                principal = options.principal
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -77,7 +77,7 @@ Password for joining a machine to the IPA realm. Assumes bulk password unless pr
 Prompt for the password for joining a machine to the IPA realm.
 .TP
 \fB\-k\fR, \fB\-\-keytab\fR
-Path to backed up host keytab from previous enrollment.
+Path to backed up host keytab from previous enrollment. Joins the host even if it is already enrolled.
 .TP
 \fB\-\-mkhomedir\fR
 Configure PAM to create a users home directory if it does not exist.
@@ -85,6 +85,9 @@ Configure PAM to create a users home directory if it does not exist.
 \fB\-\-hostname\fR
 The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot. By default a nodename result from uname(2) is used.
 .TP
+\fB\-\-force\-join\fR
+Join the host even if it is already enrolled.
+.TP
 \fB\-\-ntp\-server\fR=\fINTP_SERVER\fR
 Configure ntpd to use this NTP server.
 .TP