此内容没有您所选择的语言版本。
10.6. Renaming Machines and Reconfiguring IdM Client Configuration
The hostname of a system is critical for the correct operation of Kerberos and SSL. Both of these security mechanisms rely on the hostname to ensure that communication is occurring between the specified hosts. Infrastructures which use virtual machines or clustered servers will commonly have hosts which are renamed because systems are copied, moved, or renamed.
Red Hat Enterprise Linux does not provide a simple rename command to facilitate the renaming of an IdM host. Renaming a host in an IdM domain involves deleting the entry in IdM, uninstalling the client software, changing the hostname, and re-enrolling using the new name. Additionally, part of renaming hosts requires regenerating service principals.
To reconfigure the client:
- Identify which services are running on the machine. These need to be re-created when the machine is re-enrolled.
# ipa service-find server.example.com
Each host has a default service which does not appear in the list of services. This service can be referred to as the "host service". The service principal for the host service ishost/<hostname>
, such ashost/server.example.com
. This principal can also be referred to as the host principal. - Identify all host groups to which the machine belongs.
[root@client ~]# kinit admin [root@client ~]# ipa hostgroup-find server.example.com
- Identify which of the services have certificates associated with them. This can be done using the
ldapsearch
command to check the entries in the IdM LDAP database directly:[root@client ~]# ldapsearch -x -b "cn=accounts,dc=example,dc=com" "(&(objectclass=ipaservice)(userCertificate=*))" krbPrincipalName -D "cn=directory manager" -w secret -h ipaserver.example.com -p 389
- For any service principals (in addition to the host principal), determine the location of the corresponding keytabs on
server.example.com
. The keytab location is different for each service, and IdM does not store this information.Each service on the client system has a Kerberos principal in the form service_name/hostname@REALM, such asldap/server.example.com@EXAMPLE.COM
. - Unenroll the client machine from the IdM domain:
[root@client ~]# ipa-client-install --uninstall
- For each identified keytab other than
/etc/krb5.keytab
, remove the old principals:[root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
- On an IdM server, as an IdM administrator, remove the host entry. This removes all services and revokes all certificates issued for that host:
[root@server ~]# kinit admin [root@server ~]# ipa host-del server.example.com
At this point, the host is completely removed from IdM. - Rename the machine.
- Re-enroll the system with IdM:
[root@client ~]# ipa-client-install
This generates a host principal for with the new hostname in/etc/krb5.keytab
. - On an IdM server, add a new keytab for every service:
[root@server ~]# ipa service-add serviceName/new-hostname
- To generate certificates for services, use either
certmonger
or the IdM administration tools. - Re-add the host to any applicable host groups.