이 콘텐츠는 선택한 언어로 제공되지 않습니다.

10.6. Renaming Machines and Reconfiguring IdM Client Configuration


The hostname of a system is critical for the correct operation of Kerberos and SSL. Both of these security mechanisms rely on the hostname to ensure that communication is occurring between the specified hosts. Infrastructures which use virtual machines or clustered servers will commonly have hosts which are renamed because systems are copied, moved, or renamed.
Red Hat Enterprise Linux does not provide a simple rename command to facilitate the renaming of an IdM host. Renaming a host in an IdM domain involves deleting the entry in IdM, uninstalling the client software, changing the hostname, and re-enrolling using the new name. Additionally, part of renaming hosts requires regenerating service principals.
To reconfigure the client:
  1. Identify which services are running on the machine. These need to be re-created when the machine is re-enrolled.
    # ipa service-find server.example.com
    Each host has a default service which does not appear in the list of services. This service can be referred to as the "host service". The service principal for the host service is host/<hostname>, such as host/server.example.com. This principal can also be referred to as the host principal.
  2. Identify all host groups to which the machine belongs.
    [root@client ~]# kinit admin
    [root@client ~]# ipa hostgroup-find server.example.com
  3. Identify which of the services have certificates associated with them. This can be done using the ldapsearch command to check the entries in the IdM LDAP database directly:
    [root@client ~]# ldapsearch -x -b "cn=accounts,dc=example,dc=com" "(&(objectclass=ipaservice)(userCertificate=*))" krbPrincipalName -D "cn=directory manager" -w secret -h ipaserver.example.com -p 389
  4. For any service principals (in addition to the host principal), determine the location of the corresponding keytabs on server.example.com. The keytab location is different for each service, and IdM does not store this information.
    Each service on the client system has a Kerberos principal in the form service_name/hostname@REALM, such as ldap/server.example.com@EXAMPLE.COM.
  5. Unenroll the client machine from the IdM domain:
    [root@client ~]# ipa-client-install --uninstall
  6. For each identified keytab other than /etc/krb5.keytab, remove the old principals:
    [root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
  7. On an IdM server, as an IdM administrator, remove the host entry. This removes all services and revokes all certificates issued for that host:
    [root@server ~]# kinit admin
    [root@server ~]# ipa host-del server.example.com
    At this point, the host is completely removed from IdM.
  8. Rename the machine.
  9. Re-enroll the system with IdM:
    [root@client ~]# ipa-client-install
    This generates a host principal for with the new hostname in /etc/krb5.keytab.
  10. On an IdM server, add a new keytab for every service:
    [root@server ~]# ipa service-add serviceName/new-hostname
  11. To generate certificates for services, use either certmonger or the IdM administration tools.
  12. Re-add the host to any applicable host groups.
Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.