FreeIPA: updating client hostname

I recently updated some CentOS 7 hostnames to better reflect their status as cattle, not pets. Part of renaming the hosts meant updating the hosts in my FreeIPA environment. Red Hat’s Identity Management Guide to Renaming Machines confirms there’s no easy way to update a hostname. You need to un-enroll and then re-enroll the client.

Un-enroll:
# ipa-client-install --uninstall

Re-enroll:
# ipa-client-install --domain=osric.net --server=freeipa.osric.net --realm=FREEIPA.OSRIC.NET --principal=admin --password=T0ps3CR3T --mkhomedir -U --hostname=www-dev-01.osric.net

Error:
Kerberos authentication failed: kinit: Cannot read password while getting initial credentials

I searched for the error and found a blog post suggesting that the password had expired. Sure enough, when I checked the FreeIPA web interface, it showed that the password for the admin user had expired. I reset it via the web interface.

I tried again, using the new password:
# ipa-client-install --domain=osric.net --server=freeipa.osric.net --realm=FREEIPA.OSRIC.NET --principal=admin --password=M0r3s3CR3Ts! --mkhomedir -U --hostname=www-dev-01.osric.net

It failed with the same error message!

When I checked /var/log/ipaclient-install.log it indicated that the password was still expired. Resetting the password via the web interface forces the user to set a new password at the next login — the password expires immediately!

I ran kinit admin on the command line and used the temporary password to log in and set a new password. Then the command to re-enroll the server worked without any errors.
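A pre-flight check that would have caught the expired password before the host was un-enrolled, added here as an example; it is not part of the original post. It assumes MIT Kerberos `kinit` on the client and a principal named `admin`; the kinit message patterns are modelled on MIT krb5 (the "Cannot read password" line is the exact text from the error above, the others are constructed samples). The expired-password case is the one that bit here: kinit tries to prompt for a replacement password, and an unattended run (`-U`) has no terminal to answer it, which surfaces as "Cannot read password". Once the principal works interactively, `ipa-client-install` can be run without `-U` and `--password` and allowed to prompt, which also keeps the password out of shell history and the process list.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the enrolment
# principal can obtain a ticket BEFORE running
# `ipa-client-install --uninstall`, so the host is never left un-enrolled
# with credentials that cannot re-enrol it.
#
# Assumptions: MIT Kerberos `kinit` is installed and the principal defaults
# to "admin". The message patterns are modelled on MIT krb5 output; the
# "Cannot read password" text is the line quoted in the post, the rest are
# constructed samples.

# Classify kinit's stderr into a short reason code.
classify_kinit_output() {
    case "$1" in
        *"Password expired"*)              echo expired ;;
        *"Cannot read password"*)          echo no-password ;;
        *"Password incorrect"*)            echo wrong-password ;;
        *"credentials have been revoked"*) echo locked ;;
        "")                                echo ok ;;
        *)                                 echo unknown ;;
    esac
}

# Run kinit for PRINCIPAL, classify the outcome and return non-zero unless
# a ticket was obtained. Nothing runs at load time; call it explicitly.
preflight_kinit() {
    principal="${1:-admin}"
    # A MEMORY: cache is discarded when kinit exits, so an existing ticket
    # in the default cache cannot mask an expired password.
    err=$(KRB5CCNAME="MEMORY:preflight" kinit "$principal" 2>&1 >/dev/null)
    status=$?
    reason=$(classify_kinit_output "$err")
    if [ "$status" -eq 0 ]; then
        echo "preflight: $principal ok"
        return 0
    fi
    echo "preflight: $principal failed ($reason): $err" >&2
    case "$reason" in
        expired)
            echo "run 'kinit $principal' interactively to set a new password first" >&2 ;;
        no-password)
            echo "kinit needed a terminal; run it interactively, not unattended (-U)" >&2 ;;
    esac
    return 1
}
```

Run `preflight_kinit admin` on the client before `ipa-client-install --uninstall`; only proceed with the un-enrol once it reports `ok`.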

One thought on “FreeIPA: updating client hostname”

  1. I recently ran into a different problem, this time removing and re-adding a host from FreeIPA (using the same hostname).

    Client uninstall ran successfully:

    # ipa-client-install --uninstall

    Then I deleted the host from FreeIPA via the web interface.

    Then I tried running the ipa-client-install and received the following error:

    Joining realm failed: RPC failed at server.  host with name "trinculo.osric.net" already exists

    The host no longer appeared in the interface or when using the CLI, e.g. ipa host-show trinculo.osric.net.

    Eventually I connected to the site (as the directory manager) using Apache Directory Studio. The host was still listed there under:

    DN: cn=computers,cn=accounts,dc=freeipa,dc=osric,dc=net

    I deleted it, and was then able to re-add it using ipa-client-install.
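A direct check of the directory for a leftover host object, added as an example; it is not code from the comment above. It assumes the OpenLDAP `ldapsearch` client, an existing Kerberos ticket for a principal allowed to read `cn=computers` (`kinit admin` first), and FreeIPA's default layout, where host entries sit at `fqdn=<host>,cn=computers,cn=accounts,<base DN>` and the base DN is derived from the realm name (a deployment installed with a custom base DN breaks that assumption). The LDIF sample inside the block is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or comment. Looks in LDAP
# directly for a host entry that `ipa host-show` no longer reports.
# Assumptions: OpenLDAP `ldapsearch` is installed, a Kerberos ticket for a
# principal that may read cn=computers exists, and the base DN follows
# FreeIPA's default derivation from the realm name.

# FREEIPA.OSRIC.NET -> dc=freeipa,dc=osric,dc=net
realm_to_basedn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# DN FreeIPA uses for a host object under its default layout.
host_entry_dn() {
    host="$1"; realm="$2"
    printf 'fqdn=%s,cn=computers,cn=accounts,%s\n' "$host" "$(realm_to_basedn "$realm")"
}

# Count entries in LDIF text (one "dn:" line per entry).
count_ldif_entries() {
    printf '%s\n' "$1" | awk '/^dn:/ { n++ } END { print n + 0 }'
}

# Constructed sample of what ldapsearch returns when a host entry lingers.
SAMPLE_LDIF='dn: fqdn=trinculo.osric.net,cn=computers,cn=accounts,dc=freeipa,dc=osric,dc=net'

# Query the server over GSSAPI; prints any DN found and returns 0 if one
# exists. Nothing runs at load time; call it explicitly.
find_stale_host() {
    host="$1"; realm="$2"; server="$3"
    base="cn=computers,cn=accounts,$(realm_to_basedn "$realm")"
    out=$(ldapsearch -LLL -Y GSSAPI -H "ldap://$server" -b "$base" "(fqdn=$host)" dn 2>/dev/null)
    n=$(count_ldif_entries "$out")
    if [ "$n" -gt 0 ]; then
        echo "stale entry present under $base:"
        echo "$out"
        return 0
    fi
    echo "no entry for $host under $base"
    return 1
}
```

Usage: `find_stale_host trinculo.osric.net FREEIPA.OSRIC.NET freeipa.osric.net`. If it reports an entry, try the supported path first (`ipa host-del trinculo.osric.net`); deleting the DN directly as Directory Manager, as the comment describes, is the fallback when the management tools no longer see the object.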
