Alexander,

Thank you for your feedback, this is what I expected to do - 'ipa-client-install --uninstall' - and expected an easy quick fix for my request. It seems to work in an environment where the server portion is on CentOS/RHEL 7.1 and the clients are also on 7.1 with IPA 4.1.

However, when the clients are a little older, like CentOS/RHEL 6.5-6.6, the behavior in our case was different: we had to manually delete records with the "ipa host-del" command, like Martin Kosek mentioned. So I wanted to reiterate with the Red Hat team whether 'ipa-client-install --uninstall' is still the proper way to clean up records completely, and additionally whether I can expect the same behavior on client versions lower than CentOS/RHEL 7.1 + IPA 4.1.

Regards,

Andrey Ptashnik

On 12/14/15, 4:21 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Fri, 11 Dec 2015, Andrey Ptashnik wrote:
>>Hello Team,
>>
>>We have many servers in our environment that are on a different stage
>>of their lifecycle. All of them are added to the IPA domain. There are
>>cases when servers get moved, sometimes crash, sometimes are being
>>rebuilt or decommissioned. In those cases we need to completely remove
>>the server identity from IPA including DNS, Host, Certificate and other
>>associated records.
>>What is the most proper way to completely remove client records in case
>>the server needs to be rebuilt with the same host name down the road?
>>(A hardware failure happened, the server crashed and needs to be rebuilt - is
>>a perfect example).
>'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h
>hostname' which in turn calls 'ipa host-disable hostname'. The latter on the
>IPA server side does the following:
> - disables the host entry
> - disables any service associated with the host
> - revokes certificates associated with the host
> - removes keytab associated with the host
>
>Disabling services involves revoking of certificates and removal of
>keytabs associated with these services.
>
>Of course, 'keytab removal' means only that the keys are removed from
>LDAP entries, not that keytab files are removed.
>
>Note that none of the DNS entries are removed.
>
>If you don't have the hosts anymore, you can issue 'ipa host-disable hostname'
>from any other host under the credentials of a user that has enough
>privileges to remove the host and associated services. 'admins' group
>membership should be strong enough to achieve this goal.
>
>--
>/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
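The thread describes two clean-up paths: 'ipa-client-install --uninstall' (which ends in 'ipa host-disable') for a client that still exists, and a manual 'ipa host-disable' / 'ipa host-del' run from another machine when the box is gone or an older client left records behind, with the caveat that host-disable does not touch DNS. The script below is an added example for that second path; it is not code from the thread, from Red Hat or from the FreeIPA project. It assumes the 'ipa' CLI is installed where it runs, that the caller holds a Kerberos ticket for an 'admins' member, and that the host name given (web01.example.test in the test) is a hypothetical FQDN. It relies on the documented 'ipa host-del --updatedns' option, which also removes the A/AAAA/PTR records the host manages, and defaults to a dry run so the plan can be reviewed before certificates are revoked or entries deleted. The post-run verification step is this example's own addition.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): decommission one IPA
# host entry from another machine, in the order the thread lays out:
# disable first (revokes certs, strips keytab keys in LDAP, disables
# services), then delete the entry together with its DNS records.
#
# Assumptions: 'ipa' is on PATH, an admin Kerberos ticket exists, and the
# host name argument is a hypothetical FQDN such as web01.example.test.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the plan only; set DRY_RUN=0 to execute

# Split an FQDN into the DNS zone and the short record name within it.
zone_of()       { printf '%s\n' "${1#*.}"; }
short_name_of() { printf '%s\n' "${1%%.*}"; }

# Emit the clean-up commands for one host, one per line, in run order.
# 'host-disable' alone leaves DNS behind (as Alexander notes), so the
# second step deletes the entry and its managed records in one go.
plan_host_cleanup() {
    host="$1"
    echo "ipa host-disable $host"
    echo "ipa host-del --updatedns $host"
}

# Run the plan, or just print it when DRY_RUN=1. Stops at the first
# failing step so a partially cleaned host is reported, not skipped.
run_host_cleanup() {
    host="$1"
    if [ "$DRY_RUN" != "1" ] && ! command -v ipa >/dev/null 2>&1; then
        echo "ipa CLI not found on this machine" >&2
        return 1
    fi
    plan_host_cleanup "$host" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            echo "+ $cmd"
            sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# After a real run, confirm nothing is left: the host entry must be gone
# and the zone must no longer hold a record under the host's short name.
# Returns 0 only when both lookups fail (i.e. the objects no longer exist).
verify_host_gone() {
    host="$1"
    if ipa host-show "$host" >/dev/null 2>&1; then
        echo "host entry still present: $host" >&2
        return 1
    fi
    if ipa dnsrecord-show "$(zone_of "$host")" "$(short_name_of "$host")" >/dev/null 2>&1; then
        echo "DNS record still present for: $host" >&2
        return 1
    fi
    echo "clean: $host"
}

# Usage (file name is hypothetical):
#   sh decommission.sh web01.example.test            # print the plan
#   DRY_RUN=0 sh decommission.sh web01.example.test  # execute and verify
if [ -n "$1" ]; then
    run_host_cleanup "$1" && [ "$DRY_RUN" != "1" ] && verify_host_gone "$1"
fi
```

Keeping host-disable as a separate first step mirrors what the client-side uninstall does on a healthy box, so the audit trail on the server looks the same whether the host removed itself or an admin removed it afterwards; the verification function is what tells you whether a given client version actually left stale records behind.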