11.6. Disabling and Re-enabling Service Entries
Active services can be accessed by other services, hosts, and users within the domain. There can be situations when it is necessary to remove a host or a service from activity. However, deleting a service or a host permanently removes the entry and all of its associated configuration.
11.6.1. Disabling Service Entries
Disabling a service prevents domain users from accessing it without permanently removing it from the domain. This can be done by using the service-disable command.
For a service, specify the principal for the service. For example:
[jsmith@ipaserver ~]$ kinit admin
[jsmith@ipaserver ~]$ ipa service-disable http/server.example.com
Important
Disabling a host entry not only disables that host. It disables every configured service on that host as well.
11.6.2. Re-enabling Services
Disabling a service essentially kills its current, active keytabs. Removing the keytabs effectively removes the service from the IdM domain without otherwise touching its configuration entry.
To re-enable a service, use the ipa-getkeytab command. The -s option sets the IdM server from which to request the keytab, -p gives the principal name, and -k gives the file to which to save the keytab.
For example, requesting a new HTTP keytab:
[root@ipaserver ~]# ipa-getkeytab -s ipaserver.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e aes256-cts
If the ipa-getkeytab command is run on an active IdM client or server, then it can be run without any LDAP credentials (-D and -w). The IdM user uses Kerberos credentials to authenticate to the domain. To run the command directly on a disabled host, supply LDAP credentials to authenticate to the IdM server. The credentials should correspond to the host or service which is being re-enabled.
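After re-enabling, the new keytab can be inspected with klist -kte to confirm that it holds the expected principal and only the encryption type requested with -e. The shell functions below are an added example, not part of the original guide; they assume the one-word enctype names printed by recent MIT Kerberos klist, and the sample output, including the realm EXAMPLE.COM, is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. Real use:
#   klist -kte /etc/httpd/conf/krb5.keytab | audit_keytab HTTP/server.example.com aes256-cts

# Constructed sample of `klist -kte` output (realm EXAMPLE.COM is assumed).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/httpd/conf/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/01/2024 10:00:00 HTTP/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}

# Print "KVNO ENCTYPE" for each entry of principal $1 (klist output on stdin).
keytab_entries() {
    awk -v p="$1@" '
        $1 ~ /^[0-9]+$/ {                    # entry rows start with the KVNO
            for (i = 2; i < NF; i++)
                if (index($i, p) == 1) {     # field holding principal@REALM
                    e = $NF
                    gsub(/[()]/, "", e)      # strip the parentheses around the enctype
                    print $1, e
                }
        }'
}

# Return 0 if principal $1 is present and every one of its entries uses an
# enctype starting with $2; 1 if the principal is absent (service still
# disabled, or wrong keytab file); 2 if a key of another enctype is present.
audit_keytab() {
    entries=$(keytab_entries "$1")
    [ -n "$entries" ] || return 1
    printf '%s\n' "$entries" |
        awk -v want="$2" 'index($2, want) != 1 { bad = 1 } END { exit (bad ? 2 : 0) }'
}

if sample_klist | audit_keytab HTTP/server.example.com aes256-cts; then
    echo "keytab holds only aes256-cts keys for HTTP/server.example.com"
fi
```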