On 08/05/2013 05:48 PM, Martin Kosek wrote:
> On 08/02/2013 05:16 PM, Tomas Babej wrote:
>> Hi,
>>
>> Updates old information produced by the ipa help host command.
>> Also adds a section to ipa-client-install manpage about client
>> re-enrollment.
>>
>> https://fedorahosted.org/freeipa/ticket/3820
>>
>> Tomas
>
> 1) "-" should be backslashed in the man pages (as others are)
> 2) s/perserved/preserved/
>
> Martin

Thanks!

I also fixed the new-line formatting so that the content is more fluid when
resizing the terminal.

Updated patch attached.

Tomas

From ee597ff5c0f8a2c10fbb84c3b7a411a3ebae6a88 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Fri, 2 Aug 2013 17:06:29 +0200
Subject: [PATCH] Improve help entry for ipa host
Updates old information produced by the ipa help host command.
Also adds a section to ipa-client-install manpage about client
re-enrollment.
https://fedorahosted.org/freeipa/ticket/3820
---
ipa-client/man/ipa-client-install.1 | 25 +++++++++++++++++++++++++
ipalib/plugins/host.py | 12 +++++++-----
2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index d98318eeda1d6b60d4a6bcb1321db03bfabe15a8..bb19041b13622e3384fb800fca60b7b6f695e8f0 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -52,6 +52,31 @@ Other directory servers deployed in the network (e.g. Microsoft Active Directory
In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname should be in a domain with properly defined DNS SRV records pointing to IPA servers, either manually with a custom DNS server or with IPA DNS integrated solution. A second approach would be to avoid autodiscovery and configure the installer to use a fixed list of IPA server hostnames using the \-\-server option and with a \-\-fixed\-primary option disabling DNS SRV record autodiscovery in SSSD.
+.SS "Re\-enrollment of the host"
+Requirements:
+
+1. Host has not been un\-enrolled (the ipa\-client\-install \-\-uninstall command has not been run).
+.br
+2. The host entry has not been disabled via the ipa host\-disable command.
+
+If this has been the case, host can be re\-enrolled using the usual methods.
+
+There are two method of authenticating a re\-enrollment:
+
+1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credetials provided via the \-w/\-\-password option.
+.br
+2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option.
+
+Consenquences of the re\-enrollment on the host entry:
+
+1. A new host certificate is issued
+.br
+2. The old host certificate is revoked
+.br
+3. New SSH keys are generated
+.br
+4. ipaUniqueID is preserved
+
.SH "OPTIONS"
.SS "BASIC OPTIONS"
.TP
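Review bot: In the added "Re\-enrollment of the host" section, the sentence "If this has been the case, host can be re\-enrolled using the usual methods." is ambiguous, because both requirements above it are phrased as negatives ("has not been un\-enrolled", "has not been disabled"), so "this" can be read either as the requirements holding or as them being violated. Suggest naming the failing case explicitly, for example "If the host was un\-enrolled or disabled, enroll it again using the usual methods." In the authentication list, option 1 tells the reader to pass the admin's credentials via \-w/\-\-password without saying anything about exposure, while option 2 only hints at it ("keep the admin's password secure"); one sentence stating why the keytab route is preferred for scripted re\-enrollment, and that the backed up keytab is itself a credential that must be stored securely, would make the trade-off explicit. Spelling in the added lines: "two method" (methods), "credetials" (credentials), "e.g you" (e.g. you), "Consenquences" (Consequences).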
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 6be069425abca2e6c1d53096c63ad8320676cab7..7aa94aa95ba9be17c308546d5d2fe247f27a07b3 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -66,11 +66,13 @@ There are three enrollment scenarios when enrolling a new client:
Host Enrollment privilege.
3. The host has been created with a one-time password.
-A host can only be enrolled once. If a client has enrolled and needs to
-be re-enrolled, the host entry must be removed and re-created. Note that
-re-creating the host entry will result in all services for the host being
-removed, and all SSL certificates associated with those services being
-revoked.
+
+RE-ENROLLMENT:
+
+Host that has been enrolled at some point, and lost its configuration (e.g. VM
+destroyed) can be re-enrolled.
+
+For more information, consult the manual pages for ipa-client-install.
A host can optionally store information such as where it is located,
the OS that it runs, etc.
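Review bot: The new RE-ENROLLMENT block in the host.py help text says nothing about what re-enrollment does to the host's credentials, whereas the paragraph it replaces warned explicitly about services being removed and SSL certificates being revoked. The man page hunk in this same patch lists the consequences (new host certificate issued, old host certificate revoked, new SSH keys generated), so a one-line summary placed before "For more information, consult the manual pages for ipa-client-install." would keep ipa help host from hiding a certificate revocation behind a cross-reference. Grammar in the first added sentence: "Host that has been enrolled at some point, and lost its configuration" reads better as "A host that has been enrolled at some point and lost its configuration".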
--
1.8.3.1