3.8. Re-enrolling a Client into the IdM Domain
If a client virtual machine has been destroyed and you still have its keytab, you can re-enroll the client:
- Interactively, using administrator credentials. See Section 3.8.1, “Re-enrolling a Client Interactively Using the Administrator Account”.
- Non-interactively, using a previously backed-up keytab file. See Section 3.8.2, “Re-enrolling a Client Non-interactively Using the Client Keytab”.
Note
You can only re-enroll clients whose domain entry is still active. If you uninstalled a client (using ipa-client-install --uninstall) or disabled its host entry (using ipa host-disable), you cannot re-enroll it.
During re-enrollment, IdM performs the following:
- Revokes the original host certificate
- Generates a new host certificate
- Creates new SSH keys
- Generates a new keytab
3.8.1. Re-enrolling a Client Interactively Using the Administrator Account
- Re-create the client machine with the same host name.
- Run the ipa-client-install --force-join command on the client machine:
  # ipa-client-install --force-join
- The script prompts for a user whose identity will be used to enroll the client. By default, this is the admin user:
  User authorized to enroll computers: admin
  Password for admin@EXAMPLE.COM
3.8.2. Re-enrolling a Client Non-interactively Using the Client Keytab
Re-enrollment using the client keytab is appropriate for automated installation or in other situations when using the administrator password is not feasible.
- Back up the original client's keytab file, for example in the /tmp or /root directory.
- Re-create the client machine with the same host name.
- Re-enroll the client, and specify the keytab location using the --keytab option:
  # ipa-client-install --keytab /tmp/krb5.keytab
Note
The keytab specified in the --keytab option is only used when authenticating to initiate the enrollment. During the re-enrollment, IdM generates a new keytab for the client.
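A small shell helper for the backup step of the non-interactive procedure, added here as an example and not part of the Red Hat documentation: it copies the keytab with owner-only permissions and checks that the copy still lists the client's host principal, so the later --keytab re-enrollment has a usable credential. The file paths, the --run flag and the sample klist -kt output are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Red Hat IdM documentation: back up a client
# keytab for a later "ipa-client-install --keytab" re-enrollment and check
# that the backup is usable. Paths and the sample klist output are assumptions.
set -eu

# Copy SRC to DEST readable only by its owner (a keytab is a credential:
# anyone who can read the copy can authenticate as the host). Prints DEST.
backup_keytab() {
    src="$1"; dest="$2"
    [ -r "$src" ] || { echo "keytab $src is not readable" >&2; return 1; }
    ( umask 077 && cp "$src" "$dest" )
    chmod 0600 "$dest"
    echo "$dest"
}

# Permission string of a file, e.g. "-rw-------", for a quick audit of the backup.
backup_mode() {
    ls -l "$1" | cut -c1-10
}

# Given the text of "klist -kt <keytab>" and the client's FQDN, succeed only if
# the keytab lists the host principal host/<fqdn>@<REALM>; a backup without it
# cannot authenticate the re-enrollment.
keytab_has_host_principal() {
    klist_output="$1"; fqdn="$2"
    printf '%s\n' "$klist_output" | grep -qF "host/$fqdn@"
}

# Constructed sample of "klist -kt" output for client.example.com (not real data).
KLIST_SAMPLE='Keytab name: FILE:/tmp/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 10:11:12 host/client.example.com@EXAMPLE.COM
   2 01/15/2024 10:11:12 host/client.example.com@EXAMPLE.COM'

# On a real client, run as root with --run; the later re-enrollment is then
# "ipa-client-install --keytab <backup>" as described above.
if [ "${1:-}" = "--run" ]; then
    fqdn=$(hostname -f)
    dest=$(backup_keytab /etc/krb5.keytab "/root/krb5.keytab.$fqdn")
    keytab_has_host_principal "$(klist -kt "$dest")" "$fqdn" \
        || { echo "backup lacks host/$fqdn; do not rely on it" >&2; exit 1; }
    echo "backup at $dest with mode $(backup_mode "$dest")"
fi
```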