Este conteúdo não está disponível no idioma selecionado.

Chapter 17. Uninstalling an IdM client


As an administrator, you can remove an Identity Management (IdM) client from the environment.

17.1. Uninstalling an IdM client

Uninstalling a client removes the client from the Identity Management (IdM) domain, along with all of the specific IdM configuration of system services, such as System Security Services Daemon (SSSD). This restores the previous configuration of the client system.

Procedure

  1. Enter the ipa-client-install --uninstall command:

    [root@client ~]# ipa-client-install --uninstall
  2. Optional: Check that you cannot obtain a Kerberos ticket-granting ticket (TGT) for an IdM user:

    [root@client ~]# kinit admin
    kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
    [root@client ~]#

    If a Kerberos TGT ticket has been returned successfully, follow the additional uninstallation steps in Uninstalling an IdM client: additional steps after multiple past installations.

  3. On the client, remove old Kerberos principals from each identified keytab other than /etc/krb5.keytab:

    [root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
  4. On an IdM server, remove all DNS entries for the client host from IdM:

    [root@server ~]# ipa dnsrecord-del
    Record name: old-client-name
    Zone name: idm.example.com
    No option to delete specific record provided.
    Delete all? Yes/No (default No): true
    ------------------------
    Deleted record "old-client-name"
  5. On the IdM server, remove the client host entry from the IdM LDAP server. This removes all services and revokes all certificates issued for that host:

    [root@server ~]# ipa host-del client.idm.example.com
    Important

    Removing the client host entry from the IdM LDAP server is crucial if you think you might re-enroll the client in the future, with a different IP address or a different hostname.

17.2. Uninstalling an IdM client: additional steps after multiple past installations

If you install and uninstall a host as an Identity Management (IdM) client multiple times, the uninstallation procedure might not restore the pre-IdM Kerberos configuration.

In this situation, you must manually remove the IdM Kerberos configuration. In extreme cases, you must reinstall the operating system.

Prerequisites

  • You have used the ipa-client-install --uninstall command to uninstall the IdM client configuration from the host. However, you can still obtain a Kerberos ticket-granting ticket (TGT) for an IdM user from the IdM server.
  • You have checked that the /var/lib/ipa-client/sysrestore directory is empty and hence you cannot restore the prior-to-IdM-client configuration of the system using the files in the directory.

Procedure

  1. Check the /etc/krb5.conf.ipa file:

    • If the contents of the /etc/krb5.conf.ipa file are the same as the contents of the krb5.conf file prior to the installation of the IdM client, you can:

      1. Remove the /etc/krb5.conf file:

        # rm /etc/krb5.conf
      2. Rename the /etc/krb5.conf.ipa file into /etc/krb5.conf:

        # mv /etc/krb5.conf.ipa /etc/krb5.conf
    • If the contents of the /etc/krb5.conf.ipa file are not the same as the contents of the krb5.conf file prior to the installation of the IdM client, you can at least restore the Kerberos configuration to the state directly after the installation of the operating system:
    1. Re-install the krb5-libs package:

      # dnf reinstall krb5-libs

      As a dependency, this command will also re-install the krb5-workstation package and the original version of the /etc/krb5.conf file.

  2. Remove the var/log/ipaclient-install.log file if present.

Verification

  • Try to obtain IdM user credentials. This should fail:

    [root@r8server ~]# kinit admin
    kinit: Client 'admin@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
    [root@r8server ~]#

The /etc/krb5.conf file is now restored to its factory state. As a result, you cannot obtain a Kerberos TGT for an IdM user on the host.

Red Hat logoGithubRedditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja oBlog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

© 2024 Red Hat, Inc.