Chapter 19. Renaming IdM client systems


You can change the host name of an RHEL Identity Management (IdM) client system.

Warning

Renaming a client is a manual procedure. Do not perform it unless changing the host name is absolutely required.

Renaming an RHEL Identity Management client involves:

  1. Preparing the host. For details, see Preparing an IdM client for its renaming.
  2. Uninstalling the IdM client from the host. For details, see Uninstalling an Identity Management client.
  3. Renaming the host. For details, see Renaming the host system.
  4. Installing the IdM client on the host with the new name. For details, see Installing an Identity Management client in Installing RHEL Identity Management.
  5. Configuring the host after the IdM client installation. For details, see Re-adding services, re-generating certificates, and re-adding host groups.

19.1. Preparing an IdM client for its renaming

Before uninstalling the current client, make note of certain settings for the client. You will apply this configuration after re-enrolling the machine with a new host name.

  • Identify which services are running on the machine:

    • Use the ipa service-find command, and identify services with certificates in the output:

      $ ipa service-find old-client-name.example.com

    • In addition, each host has a default host service which does not appear in the ipa service-find output. The service principal for the host service, also called a host principal, is host/old-client-name.example.com.
  • For all service principals displayed by ipa service-find old-client-name.example.com, determine the location of the corresponding keytabs on the old-client-name.example.com system:

    # find / -name "*.keytab"

    Each service on the client system has a Kerberos principal in the form service_name/host_name@REALM, such as ldap/old-client-name.example.com@EXAMPLE.COM.

  • Identify all host groups to which the machine belongs. Search by member host rather than by group name:

    # ipa hostgroup-find --hosts=old-client-name.example.com

19.2. Uninstalling an IdM client

Uninstalling a client removes the client from the RHEL Identity Management (IdM) domain, along with all of the specific IdM configuration of system services, such as System Security Services Daemon (SSSD). This restores the previous configuration of the client system.

Procedure

  1. Enter the ipa-client-install --uninstall command:

    [root@client ~]# ipa-client-install --uninstall

  2. Optional: Check that you cannot obtain a Kerberos ticket-granting ticket (TGT) for an IdM user:

    [root@client ~]# kinit admin
    kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
    [root@client ~]#

    If a Kerberos TGT has been returned successfully, follow the additional uninstallation steps in Uninstalling an IdM client: additional steps after multiple past installations.

  3. On the client, remove old Kerberos principals from each identified keytab other than /etc/krb5.keytab:

    [root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM

  4. On an IdM server, remove all DNS entries for the client host from IdM:

    [root@server ~]# ipa dnsrecord-del
    Record name: old-client-name
    Zone name: idm.example.com
    No option to delete specific record provided.
    Delete all? Yes/No (default No): true
    ------------------------
    Deleted record "old-client-name"

  5. On the IdM server, remove the client host entry from the IdM LDAP server. This removes all services and revokes all certificates issued for that host:

    [root@server ~]# ipa host-del client.idm.example.com

    Important

    Removing the client host entry from the IdM LDAP server is crucial if you think you might re-enroll the client in the future, with a different IP address or a different hostname.

19.3. Uninstalling an IdM client: additional steps after multiple past installations

If you install and uninstall a host as an RHEL Identity Management (IdM) client multiple times, the uninstallation procedure might not restore the pre-IdM Kerberos configuration.

In this situation, you must manually remove the IdM Kerberos configuration. In extreme cases, you must reinstall the operating system.

Prerequisites

  • You have used the ipa-client-install --uninstall command to uninstall the IdM client configuration from the host. However, you can still obtain a Kerberos ticket-granting ticket (TGT) for an IdM user from the IdM server.
  • You have checked that the /var/lib/ipa-client/sysrestore directory is empty and hence you cannot restore the prior-to-IdM-client configuration of the system using the files in the directory.

Procedure

  1. Check the /etc/krb5.conf.ipa file:

    • If the contents of the /etc/krb5.conf.ipa file are the same as the contents of the krb5.conf file prior to the installation of the IdM client, you can:

      1. Remove the /etc/krb5.conf file:

        # rm /etc/krb5.conf

      2. Rename the /etc/krb5.conf.ipa file to /etc/krb5.conf:

        # mv /etc/krb5.conf.ipa /etc/krb5.conf

    • If the contents of the /etc/krb5.conf.ipa file are not the same as the contents of the krb5.conf file prior to the installation of the IdM client, you can at least restore the Kerberos configuration to the state directly after the installation of the operating system:

      1. Re-install the krb5-libs package:

        # dnf reinstall krb5-libs

        As a dependency, this command also re-installs the krb5-workstation package and the original version of the /etc/krb5.conf file.

  2. Remove the /var/log/ipaclient-install.log file if present.

Verification

  • On the IdM client, try to obtain IdM user credentials. This should fail:

    # kinit admin
    kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
    #

The /etc/krb5.conf file is now restored to its factory state. As a result, you cannot obtain a Kerberos TGT for an IdM user on the host.

19.4. Renaming the host system

Rename the machine as required. For example:

# hostnamectl set-hostname new-client-name.example.com

You can now re-install the RHEL Identity Management (IdM) client to the IdM domain with the new host name.

19.5. Re-installing an IdM client

Install a client on your renamed host following the procedure described in Installing a client.

19.6. Re-adding services, re-generating certificates, and re-adding host groups

You can re-add services, re-generate certificates, and re-add host groups on your RHEL Identity Management (IdM) server.

Procedure

  1. On the RHEL Identity Management server, add a new keytab for every service identified in Preparing an IdM client for its renaming:

    [root@server ~]# ipa service-add service_name/new-client-name

  2. Generate certificates for services that had a certificate assigned in Preparing an IdM client for its renaming. You can do this:

  3. Re-add the client to the host groups identified in Preparing an IdM client for its renaming.
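As an added example that is not part of the Red Hat documentation, the following bash script turns the inventory recorded in Preparing an IdM client for its renaming into the ipa-rmkeytab commands for step 3 of the uninstall and the ipa service-add commands for step 1 above, marking which services also need a new certificate. The ipa service-find output and the keytab listing embedded in it are constructed samples, and the output format of ipa service-find is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the Red Hat documentation: turn the inventory that
# section 19.1 says to record into the commands needed in 19.2 and 19.6.
set -eu

OLD_HOST="old-client-name.example.com"
NEW_HOST="new-client-name.example.com"
REALM="EXAMPLE.COM"

# Constructed sample of `ipa service-find old-client-name.example.com` output
# (assumed format): two services, only HTTP carries a certificate.
SAVED_SERVICE_FIND='  Principal name: HTTP/old-client-name.example.com@EXAMPLE.COM
  Keytab: True
  Certificate: MIICconstructedPlaceholder==
  Principal name: nfs/old-client-name.example.com@EXAMPLE.COM
  Keytab: True'

# Constructed sample of `find / -name "*.keytab"` output on the old client.
SAVED_KEYTABS='/etc/krb5.keytab
/etc/httpd/conf/ipa.keytab
/etc/nfs.keytab'

# plan_service_readd OLD_HOST NEW_HOST < saved ipa service-find output
# One `ipa service-add` per service of OLD_HOST, renamed to NEW_HOST, with a
# cert=yes/no marker so certificate re-issue (step 2 of 19.6) can be tracked.
plan_service_readd() {
  awk -v old="$1" -v new="$2" -v svc="" -v cert="no" '
    function flush() {
      if (svc != "") printf "ipa service-add %s/%s  # cert=%s\n", svc, new, cert
      svc = ""; cert = "no"
    }
    /^ *Principal name:/ {
      flush()
      split($3, p, "/"); svc = p[1]       # service name before the slash
      host = p[2]; sub(/@.*/, "", host)   # host part with the realm stripped
      if (host != old) svc = ""           # skip principals of other hosts
    }
    /^ *Certificate:/ { cert = "yes" }
    END { flush() }'
}

# plan_keytab_cleanup REALM < saved find output: the ipa-rmkeytab step of
# 19.2 for every keytab except /etc/krb5.keytab, which that step leaves alone.
plan_keytab_cleanup() {
  grep -v '^/etc/krb5\.keytab$' | sed "s|^|ipa-rmkeytab -k |; s|\$| -r $1|"
}

printf '%s\n' "$SAVED_SERVICE_FIND" | plan_service_readd "$OLD_HOST" "$NEW_HOST"
printf '%s\n' "$SAVED_KEYTABS" | plan_keytab_cleanup "$REALM"
```

Run it on the real saved output instead of the embedded samples by piping the files into the two functions; the printed lines are the commands to execute on the server (service-add) and on the old client (rmkeytab).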