{"id":1785,"date":"2017-03-14T19:16:03","date_gmt":"2017-03-15T00:16:03","guid":{"rendered":"http:\/\/osric.com\/chris\/accidental-developer\/?p=1785"},"modified":"2017-03-14T19:16:03","modified_gmt":"2017-03-15T00:16:03","slug":"freeipa-updating-client-hostname","status":"publish","type":"post","link":"https:\/\/osric.com\/chris\/accidental-developer\/2017\/03\/freeipa-updating-client-hostname\/","title":{"rendered":"FreeIPA: updating client hostname"},"content":{"rendered":"<p>I recently updated some CentOS 7 hostnames to better reflect their status as <a href=\"http:\/\/cloudscaling.com\/blog\/cloud-computing\/the-history-of-pets-vs-cattle\/\">cattle, not pets<\/a>. Part of renaming the hosts meant updating the hosts in my FreeIPA environment. Red Hat&#8217;s <a href=\"https:\/\/access.redhat.com\/documentation\/en-US\/Red_Hat_Enterprise_Linux\/6\/html\/Identity_Management_Guide\/renaming-machines.html\">Identity Management Guide to Renaming Machines<\/a> confirms there&#8217;s no easy way to update a hostname. You need to un-enroll and re-enroll the client. <\/p>\n<p><strong>Un-enroll:<\/strong><br \/>\n<code># ipa-client-install --uninstall<\/code><\/p>\n<p><strong>Re-enroll:<\/strong><br \/>\n<code># ipa-client-install --domain=osric.net --server=freeipa.osric.net --realm=FREEIPA.OSRIC.NET --principal=admin --password=T0ps3CR3T --mkhomedir -U --hostname=www-dev-01.osric.net<\/code><\/p>\n<p><strong>Error:<\/strong><br \/>\n<code>Kerberos authentication failed: kinit: Cannot read password while getting initial credentials<\/code><\/p>\n<p>I searched for the error and found <a href=\"http:\/\/www.stankowic-development.net\/?p=6979&#038;lang=en\">a blog post suggesting that the password had expired<\/a>. Sure enough, when I checked the FreeIPA web interface, it showed that the password for the admin user had expired. 
I reset it via the web interface.<\/p>\n<p>I tried again, using the new password:<br \/>\n<code># ipa-client-install --domain=osric.net --server=freeipa.osric.net --realm=FREEIPA.OSRIC.NET --principal=admin --password=M0r3s3CR3Ts! --mkhomedir -U --hostname=www-dev-01.osric.net<\/code><\/p>\n<p>It failed with the same error message!<\/p>\n<p>When I checked <code>\/var\/log\/ipaclient-install.log<\/code> it indicated that the password was <em>still<\/em> expired. Resetting the password via the web interface forces the user to set a new password at the next login &#8212; the password expires immediately!<\/p>\n<p>I ran <code>kinit admin<\/code> on the command line and used the temporary password to log in and set a new password. Then the command to re-enroll the server worked without any errors.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FreeIPA does not have a method to update hostnames. Hosts must be un-enrolled and re-enrolled. I ran into a Kerberos authentication error when re-enrolling due to an expired password. 
Resetting the password via the FreeIPA web UI forces it to expire immediately on the subsequent login&#8211;resulting in the same authentication error!<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[422],"tags":[417],"class_list":["post-1785","post","type-post","status-publish","format-standard","hentry","category-sysadmin","tag-freeipa"],"_links":{"self":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/comments?post=1785"}],"version-history":[{"count":4,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1785\/revisions"}],"predecessor-version":[{"id":1791,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1785\/revisions\/1791"}],"wp:attachment":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/media?parent=1785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/categories?post=1785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/tags?post=1785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}