
6.6. Disabling and Re-enabling Host and Service Entries

Active services and hosts can be accessed by other services, hosts, and users within the domain. There can be situations when it is necessary to remove a host or a service from activity. However, deleting a service or a host permanently removes the entry and all of its associated configuration.

6.6.1. Disabling Host and Service Entries

Disabling a host or service prevents domain users from accessing it without permanently removing it from the domain. This can be done by using the host-disable and service-disable commands.
For example, for a host:
[jsmith@ipaserver ~]$ kinit admin
[jsmith@ipaserver ~]$ ipa host-disable server.example.com
For a service, specify the principal rather than the hostname:
$ ipa service-disable http/server.example.com

IMPORTANT

Disabling a host entry not only disables that host. It disables every configured service on that host as well.

6.6.2. Re-enabling Hosts and Services

Disabling a service or host essentially kills its current, active keytabs. Removing the keytabs effectively removes the host or service from the FreeIPA domain without otherwise touching its configuration entry.
To re-enable a host or service, use the ipa-getkeytab command. The -s option sets the FreeIPA server from which to request the keytab, -p gives the principal name, and -k gives the file in which to save the keytab.
For example, requesting a new host keytab:
[jsmith@ipaserver ~]$ ipa-getkeytab -s ipaserver.example.com -p host/server.example.com -k /etc/krb5.keytab -D fqdn=server.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password
If the ipa-getkeytab command is run on an active FreeIPA client or server, then it can be run without any LDAP credentials (-D and -w). The FreeIPA user uses Kerberos credentials to authenticate to the domain. To run the command directly on the disabled host, supply LDAP credentials to authenticate to the FreeIPA server. The credentials should correspond to the host or service which is being re-enabled.
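
A way to check that a disable took effect (or that a re-enable restored the keytab), as an added example that is not part of the FreeIPA documentation. It assumes that ipa host-show and ipa service-show print a "Keytab: True" or "Keytab: False" line; the function names are hypothetical and the sample output is constructed.

```bash
# Added example. Assumption: "ipa host-show" and "ipa service-show" print a
# "Keytab: True|False" line for the entry.

# Constructed sample output for offline runs (not captured from a real server).
SAMPLE_ACTIVE='  Principal name: host/server.example.com@EXAMPLE.COM
  Keytab: True'
SAMPLE_DISABLED='  Principal name: host/server.example.com@EXAMPLE.COM
  Keytab: False'

# Read "show" output on stdin; print True, False, or unknown.
keytab_state() {
    awk -F': *' '$1 ~ /^[ \t]*Keytab$/ { v = $2 }
        END { if (v == "True" || v == "False") print v; else print "unknown" }'
}

# Succeed only when the given "show" output confirms there is no keytab.
is_disabled() {
    [ "$(printf '%s\n' "$1" | keytab_state)" = "False" ]
}

# Hosts are named by FQDN, services by principal (contains a "/").
show_entry() {
    case "$1" in
        */*) ipa service-show "$1" ;;
        *)   ipa host-show "$1" ;;
    esac
}

# Report every entry; return non-zero if any is not confirmed disabled.
audit_disabled() {
    rc=0
    for entry in "$@"; do
        if is_disabled "$(show_entry "$entry" 2>/dev/null)"; then
            echo "OK     $entry has no keytab"
        else
            echo "CHECK  $entry has a keytab or could not be queried"
            rc=1
        fi
    done
    return "$rc"
}

# With arguments, query the server; without, show the constructed samples.
if [ "$#" -gt 0 ]; then
    audit_disabled "$@"
else
    printf '%s\n' "$SAMPLE_ACTIVE" | keytab_state
    printf '%s\n' "$SAMPLE_DISABLED" | keytab_state
fi
```

An entry that cannot be queried is reported as CHECK rather than OK, so a failed lookup is never mistaken for a confirmed disable.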