Hi folks,
Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts.
Though this would be trivial to fix via an ansible playbook that runs the IPA client install command again with the "--force-join" argument.
Manpage and docs suggest this should work. Any tips or help appreciated!
Software:
ipa-common-4.4.0-14.el7.centos.7.noarch ipa-client-common-4.4.0-14.el7.centos.7.noarch ipa-client-4.4.0-14.el7.centos.7.x86_64
Error when I try to re-enroll the client:
[root@deawilldpp06 centos]# [root@deawilldpp06 centos]# ipa-client-install --force-join --mkhomedir --unattended --password=XXXX --principal YYYY --server deawilidmp001.ZZZZ.org --domain WWWWW.org
IPA client is already configured on this system. If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'. [root@deawilldpp06 centos]# [root@deawilldpp06 centos]#
Chris Dagdigian via FreeIPA-users wrote:
Hi folks,
Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts.
Though this would be trivial to fix via an ansible playbook that runs the IPA client install command again with the "--force-join" argument.
Manpage and docs suggest this should work. Any tips or help appreciated!
Software:
ipa-common-4.4.0-14.el7.centos.7.noarch ipa-client-common-4.4.0-14.el7.centos.7.noarch ipa-client-4.4.0-14.el7.centos.7.x86_64
Error when I try to re-enroll the client:
[root@deawilldpp06 centos]# [root@deawilldpp06 centos]# ipa-client-install --force-join --mkhomedir --unattended --password=XXXX --principal YYYY --server deawilidmp001.ZZZZ.org --domain WWWWW.org
IPA client is already configured on this system. If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'. [root@deawilldpp06 centos]# [root@deawilldpp06 centos]#
It sure looks like client forced re-enrollment is broken and has been for some time AFAICT. Please open a bug.
rob
On ti, 13 kesä 2017, Rob Crittenden via FreeIPA-users wrote:
Chris Dagdigian via FreeIPA-users wrote:
Hi folks,
Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts.
Though this would be trivial to fix via an ansible playbook that runs the IPA client install command again with the "--force-join" argument.
Manpage and docs suggest this should work. Any tips or help appreciated!
Software:
ipa-common-4.4.0-14.el7.centos.7.noarch ipa-client-common-4.4.0-14.el7.centos.7.noarch ipa-client-4.4.0-14.el7.centos.7.x86_64
Error when I try to re-enroll the client:
[root@deawilldpp06 centos]# [root@deawilldpp06 centos]# ipa-client-install --force-join --mkhomedir --unattended --password=XXXX --principal YYYY --server deawilidmp001.ZZZZ.org --domain WWWWW.org
IPA client is already configured on this system. If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'. [root@deawilldpp06 centos]# [root@deawilldpp06 centos]#
It sure looks like client forced re-enrollment is broken and has been for some time AFAICT. Please open a bug.
It was this way for very long time. I don't think we even allowed to reinstall without uninstall. Check ad717bff3c8c176f2c3c983d1a743eac00af426e, for example. This is your commit from 2011 that moves around the code that displayed "already configured" error message if anything was in the IPA's file store.
On ti, 13 kesä 2017, Chris Dagdigian via FreeIPA-users wrote:
Hi folks,
Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts.
Though this would be trivial to fix via an ansible playbook that runs the IPA client install command again with the "--force-join" argument.
Force join is for the case when you want ipa-join utility to repeat join process on the server side. This just ignores the fact that host object does exist in LDAP and allows to continue to regenerate a keytab.
It does not mean ipa-client-install would reconfigure the client side.
If you want really to re-do install, run 'ipa-client-install --uninstall --force' and then 'ipa-client-install --force-join'.
The check for already installed client cannot be overridden right now.
Manpage and docs suggest this should work. Any tips or help appreciated!
Software:
ipa-common-4.4.0-14.el7.centos.7.noarch ipa-client-common-4.4.0-14.el7.centos.7.noarch ipa-client-4.4.0-14.el7.centos.7.x86_64
Error when I try to re-enroll the client:
[root@deawilldpp06 centos]# [root@deawilldpp06 centos]# ipa-client-install --force-join --mkhomedir --unattended --password=XXXX --principal YYYY --server deawilidmp001.ZZZZ.org --domain WWWWW.org
IPA client is already configured on this system. If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'. [root@deawilldpp06 centos]# [root@deawilldpp06 centos]#
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Alexander Bokovoy via FreeIPA-users wrote:
On ti, 13 kesä 2017, Chris Dagdigian via FreeIPA-users wrote:
Hi folks,
Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts.
Though this would be trivial to fix via an ansible playbook that runs the IPA client install command again with the "--force-join" argument.
Force join is for the case when you want ipa-join utility to repeat join process on the server side. This just ignores the fact that host object does exist in LDAP and allows to continue to regenerate a keytab.
It does not mean ipa-client-install would reconfigure the client side.
If you want really to re-do install, run 'ipa-client-install --uninstall --force' and then 'ipa-client-install --force-join'.
The check for already installed client cannot be overridden right now.
Right but this is exactly the opposite of what the man page and the v3 design document states [1], hence the need for a bug.
rob
[1] http://www.freeipa.org/page/V3/Forced_client_re-enrollment
Manpage and docs suggest this should work. Any tips or help appreciated!
Software:
ipa-common-4.4.0-14.el7.centos.7.noarch ipa-client-common-4.4.0-14.el7.centos.7.noarch ipa-client-4.4.0-14.el7.centos.7.x86_64
Error when I try to re-enroll the client:
[root@deawilldpp06 centos]# [root@deawilldpp06 centos]# ipa-client-install --force-join --mkhomedir --unattended --password=XXXX --principal YYYY --server deawilidmp001.ZZZZ.org --domain WWWWW.org
IPA client is already configured on this system. If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'. [root@deawilldpp06 centos]# [root@deawilldpp06 centos]#
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On ti, 13 kesä 2017, Rob Crittenden wrote:
Alexander Bokovoy via FreeIPA-users wrote:
On ti, 13 kesä 2017, Chris Dagdigian via FreeIPA-users wrote:
Hi folks,
Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts.
Though this would be trivial to fix via an ansible playbook that runs the IPA client install command again with the "--force-join" argument.
Force join is for the case when you want ipa-join utility to repeat join process on the server side. This just ignores the fact that host object does exist in LDAP and allows to continue to regenerate a keytab.
It does not mean ipa-client-install would reconfigure the client side.
If you want really to re-do install, run 'ipa-client-install --uninstall --force' and then 'ipa-client-install --force-join'.
The check for already installed client cannot be overridden right now.
Right but this is exactly the opposite of what the man page and the v3 design document states [1], hence the need for a bug.
The change I pointed to (ad717bff3c8c176f2c3c983d1a743eac00af426e) is part of FreeIPA 3.0.0, so the behavior did not change since that time.
[1] http://www.freeipa.org/page/V3/Forced_client_re-enrollment
This design document does not talk about existing client-side configuration. The check for already configured client is independent of the --force-join logic described in the document above.
Should we decide to cease to enforce "client is already configured" part is a different question but the behavior there is consistent at least since 3.0.0.
Alexander Bokovoy wrote:
On ti, 13 kesä 2017, Rob Crittenden wrote:
Alexander Bokovoy via FreeIPA-users wrote:
On ti, 13 kesä 2017, Chris Dagdigian via FreeIPA-users wrote:
Hi folks,
Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts.
Though this would be trivial to fix via an ansible playbook that runs the IPA client install command again with the "--force-join" argument.
Force join is for the case when you want ipa-join utility to repeat join process on the server side. This just ignores the fact that host object does exist in LDAP and allows to continue to regenerate a keytab.
It does not mean ipa-client-install would reconfigure the client side.
If you want really to re-do install, run 'ipa-client-install --uninstall --force' and then 'ipa-client-install --force-join'.
The check for already installed client cannot be overridden right now.
Right but this is exactly the opposite of what the man page and the v3 design document states [1], hence the need for a bug.
The change I pointed to (ad717bff3c8c176f2c3c983d1a743eac00af426e) is part of FreeIPA 3.0.0, so the behavior did not change since that time.
[1] http://www.freeipa.org/page/V3/Forced_client_re-enrollment
This design document does not talk about existing client-side configuration. The check for already configured client is independent of the --force-join logic described in the document above.
Should we decide to cease to enforce "client is already configured" part is a different question but the behavior there is consistent at least since 3.0.0.
Sure it does, in the force-join case it stipulates "No changes have been done to the host entry (host has not been un-enrolled using ipa-client-install --uninstall) and host has not been disabled using host-disable command."
That is similar to what is documented in the man page as well.
The behavior doesn't match.
I don't have an opinion either way at this point whether it should work this way or not, though based on the tests I think this assumes the client was lost in some way.
Anyway, for the reporter, you can probably do something like this to get the clients back into a usable state without re-enrolling them (though that might be the better way):
$ kinit admin $ ipa host-add <host> (assuming the host entry doesn't already exist) $ ipa-getkeytab -s <ipa master> -p host/<host> -k /etc/krb5.keytab
Note that this is just off the top of my head but I think I got the options right.
rob
On ti, 13 kesä 2017, Rob Crittenden via FreeIPA-users wrote:
Alexander Bokovoy wrote:
On ti, 13 kesä 2017, Rob Crittenden wrote:
Alexander Bokovoy via FreeIPA-users wrote:
On ti, 13 kesä 2017, Chris Dagdigian via FreeIPA-users wrote:
Hi folks,
Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts.
Though this would be trivial to fix via an ansible playbook that runs the IPA client install command again with the "--force-join" argument.
Force join is for the case when you want ipa-join utility to repeat join process on the server side. This just ignores the fact that host object does exist in LDAP and allows to continue to regenerate a keytab.
It does not mean ipa-client-install would reconfigure the client side.
If you want really to re-do install, run 'ipa-client-install --uninstall --force' and then 'ipa-client-install --force-join'.
The check for already installed client cannot be overridden right now.
Right but this is exactly the opposite of what the man page and the v3 design document states [1], hence the need for a bug.
The change I pointed to (ad717bff3c8c176f2c3c983d1a743eac00af426e) is part of FreeIPA 3.0.0, so the behavior did not change since that time.
[1] http://www.freeipa.org/page/V3/Forced_client_re-enrollment
This design document does not talk about existing client-side configuration. The check for already configured client is independent of the --force-join logic described in the document above.
Should we decide to cease to enforce "client is already configured" part is a different question but the behavior there is consistent at least since 3.0.0.
Sure it does, in the force-join case it stipulates "No changes have been done to the host entry (host has not been un-enrolled using ipa-client-install --uninstall) and host has not been disabled using host-disable command."
That is similar to what is documented in the man page as well.
The behavior doesn't match.
I think we are talking about different things here.
Enrollment override with --force-join is about server side: do not freak out if there is already existing LDAP object for this host, proceed to retrieve a keytab.
While "IPA client is already configured" is about a client configuration itself. The check is done well before we start any installation, let alone enrollment.
What I'm saying is that --force-join works; "IPA client is already configured" error message works too, they are two separate things applied at different stages.
If client was lost but a backup files stored by ipa-client-install are still there, then running 'ipa-client-install --force --uninstall' is what can clean up the state. Then 'ipa-client-install --force-join' would allow you to proceed with re-enrollment.
I don't have an opinion either way at this point whether it should work this way or not, though based on the tests I think this assumes the client was lost in some way.
Anyway, for the reporter, you can probably do something like this to get the clients back into a usable state without re-enrolling them (though that might be the better way):
$ kinit admin $ ipa host-add <host> (assuming the host entry doesn't already exist) $ ipa-getkeytab -s <ipa master> -p host/<host> -k /etc/krb5.keytab
I think it can be reduced to
$ kinit admin $ ipa-join -f -h <host> -s <ipa master> -k /etc/krb5.keytab
ipa-join utility will force IPA server side to add the host.
freeipa-users@lists.fedorahosted.org