Host Management
Manage host entries for enrolled machines and servers. Hosts store service principals, participate in host-based access control rules, and can be organized into host groups. Features include enrollment with one-time passwords, SSH key management, certificate management, DNS integration, location assignment, and support for various enrollment scenarios including full and limited administrator workflows.
Overview
Hosts in FreeIPA represent physical or virtual machines enrolled in the IPA domain. Each host entry serves multiple critical functions within the identity management infrastructure: storing Kerberos service principals for authentication, participating in host-based access control policies, providing a foundation for service registration, and maintaining security credentials including SSH keys and X.509 certificates.
Every enrolled IPA client automatically generates a host entry during the enrollment process. These entries persist in the directory even if the physical machine is decommissioned, maintaining historical records and configuration state. Host entries can be pre-created before physical enrollment to support various deployment workflows including one-time password enrollment and delegated administration scenarios.
Hosts participate extensively in IPA’s security model. The host entry stores the host’s Kerberos principal (host/hostname@REALM), enabling mutual authentication between clients and servers. Service principals for applications running on the host are associated with the host entry, creating clear ownership relationships. Host-based access control rules reference hosts and host groups to define which users can access which systems, forming a critical component of IPA’s authorization framework.
Host Enrollment Scenarios
Full Administrator Enrollment
Full administrators (members of the “admins” group or “hostadmin” role) can enroll hosts without restrictions. They can create new host entries during enrollment or enroll against existing entries. This enrollment mode provides maximum flexibility, allowing administrators to enroll hosts without pre-planning or coordination.
When a full administrator enrolls a host, IPA automatically creates the host entry if it doesn’t exist, generates Kerberos keys, and establishes the machine’s identity within the domain. The enrollment process retrieves a TGT for the host principal, configures SSSD for identity lookups, and integrates the system into IPA’s authentication and authorization infrastructure.
Full administrators can override DNS validation, force enrollment of hosts with names not resolvable in DNS, and specify custom attributes during enrollment. This flexibility supports diverse deployment scenarios including isolated networks, lab environments, and migration from other identity systems.
Limited Administrator Enrollment
Limited administrators hold the “Host Enrollment” privilege through role assignment but lack full administrative access. These users can enroll hosts but only against pre-existing host entries created by full administrators. This enrollment model supports delegated deployment workflows where central IT creates host entries and delegates actual enrollment to remote administrators or automated systems.
The limited administrator workflow requires coordination: a full administrator first creates the host entry (potentially with a one-time password), then the limited administrator enrolls the physical machine against that pre-created entry. This separation of duties ensures central IT maintains awareness of all enrolled hosts while distributing enrollment workload.
Limited administrators cannot modify host attributes beyond those affected by enrollment (Kerberos keys, enrollment metadata). They cannot delete hosts, change DNS integration settings, or modify access control delegation. This restricted privilege set enables safe delegation without compromising security boundaries.
One-Time Password (OTP) Enrollment
One-time password enrollment enables automated or delegated enrollment without persistent administrative credentials. A full administrator creates the host entry with either a specified password (--password) or a randomly generated password (--random). This password is valid for a single enrollment attempt and cannot be reused.
OTP enrollment suits several deployment scenarios: provisioning systems with configuration management tools (Ansible, Puppet, Chef), enabling self-service enrollment workflows, or delegating enrollment to users who should not have persistent administrative privileges. The OTP is typically transmitted to the enrollment agent through secure channels (encrypted email, configuration management secrets, administrator portal).
After successful enrollment using an OTP, the password is invalidated and cannot be used again. If enrollment fails, the OTP remains valid for retry attempts until successful enrollment occurs. Administrators can reset or change the OTP using host-mod --password or host-mod --random.
Re-Enrollment and Host Recovery
Hosts that were previously enrolled but lost their configuration can be re-enrolled without deleting and recreating the host entry. Common re-enrollment scenarios include virtual machine reversion to snapshots, operating system reinstallation, or container recreation. Re-enrollment preserves historical metadata, service principal associations, and policy memberships while regenerating authentication credentials.
Re-enrollment requires the same privilege level as initial enrollment: full administrators can re-enroll directly, while limited-administrator or OTP-based re-enrollment requires the host entry to be prepared by a full administrator. Before re-enrolling, administrators often use host-disable to revoke the host’s existing Kerberos keys and certificates, ensuring old credentials cannot be used even if they were compromised.
The re-enrollment process regenerates the host’s Kerberos keytab and enrolls certificates if configured, but retains group memberships, HBAC rule associations, managed-by relationships, and service principals. This continuity ensures that access control policies and service configurations remain consistent across the re-enrollment event.
Host Metadata and Attributes
Host entries can store descriptive metadata beyond core authentication and authorization attributes. This metadata supports asset management, deployment tracking, and operational documentation:
- Description: Free-text description of the host’s purpose or role
- Locality: Geographic location (city, state, country)
- Location: Physical location hint (building, floor, rack)
- Platform: Hardware platform information (manufacturer, model)
- Operating System: OS version and distribution
- MAC Addresses: Network hardware addresses for the host’s interfaces
This metadata is optional but valuable for operational workflows. Location information can inform load balancing decisions or support compliance requirements for data residency. Platform and OS information aids patch management and vulnerability tracking. IPA does not automatically update this metadata; administrators must maintain it through host-mod commands or integration with asset management systems.
SSH Public Key Management
IPA hosts can store SSH public keys that are distributed to other IPA clients for SSH host key verification. This integration replaces or supplements traditional SSH known_hosts management, providing centralized distribution of host public keys across the domain.
When an IPA client’s SSH daemon generates host keys, those public keys can be published to the host entry in IPA. Other IPA clients running SSSD configured for SSH integration retrieve these public keys and use them to verify the host’s identity during SSH connections. This prevents man-in-the-middle attacks and eliminates the trust-on-first-use security gap in traditional SSH deployments.
SSH key management commands (host-mod --sshpubkey) support adding multiple keys for hosts with multiple key types (RSA, ECDSA, Ed25519). Keys can be removed by setting an empty value (--sshpubkey=). When combined with --updatedns, IPA can automatically publish SSH fingerprints to DNS SSHFP records for additional verification mechanisms.
Certificate Management
Host entries serve as the subject for X.509 certificates issued by IPA’s integrated certificate authority. Certificates are used for various purposes including TLS/SSL services, host authentication, and smart card login to the system itself (if configured).
Certificates are associated with host entries through several mechanisms: automatic enrollment during ipa-client-install, explicit requests using ipa-getcert, or manual addition using host-add-cert. Host certificates use the host’s principal name as the subject, ensuring the certificate identity matches the Kerberos identity.
IPA tracks certificate lifecycle including issuance, renewal, and revocation. Certificates approaching expiration can be automatically renewed through certmonger integration on IPA clients. When a host is disabled using host-disable, its certificates are revoked, immediately invalidating any TLS connections or authentication attempts using those certificates.
Multiple certificates can be associated with a single host entry, supporting scenarios where different services or interfaces require distinct certificates. Certificate management operations require appropriate privileges: host owners (through managed-by relationships) can manage certificates for their hosts, or specific users can be granted certificate management delegation.
Managed-By Relationships
The managed-by mechanism enables hosts to manage other hosts’ credentials and certificates. This delegation supports clustered applications, load balancers, and orchestration systems that need to manage credentials for multiple backend hosts without full administrative privileges.
When host B is listed in host A’s managed-by attribute (that is, host A is managed by host B), host B can retrieve and regenerate host A’s keytab and manage host A’s certificates. This relationship is used in scenarios like:
- Load balancers managing backend server certificates
- Cluster managers provisioning member node credentials
- Monitoring systems deploying credentials to managed hosts
Managed-by relationships are directional and require explicit configuration. The relationship does not grant broad administrative access; delegated hosts can only perform specific credential and certificate operations on the hosts they manage.
Keytab Delegation
Keytab delegation controls which users, groups, or hosts can create or retrieve a host’s Kerberos keytab without being full administrators. This fine-grained delegation supports automated deployment systems and delegated administration workflows.
Two distinct permissions can be delegated:
- Create Keytab: Generate a new keytab, invalidating existing keytabs
- Retrieve Keytab: Retrieve the current keytab without regeneration
Creating a keytab regenerates the Kerberos keys, invalidating all existing keytabs for that principal. This operation should be restricted to trusted automation or recovery workflows. Retrieving a keytab accesses current keys without regeneration, supporting scenarios where multiple systems need the same keytab (though this is generally discouraged in security-conscious environments).
Delegation can target individual users, groups of users, specific hosts, or host groups. This flexibility enables both personal delegation (“alice can create keytabs for hosts in her lab”) and systemic delegation (“the provisioning cluster can create keytabs for all compute nodes”).
DNS Integration
IPA can optionally integrate host entries with DNS, automatically creating and maintaining DNS records for enrolled hosts. When adding a host with --ip-address, IPA creates corresponding A (IPv4) or AAAA (IPv6) records in DNS. The --updatedns flag with host-mod updates DNS records when host attributes change, and with host-del removes DNS records when the host is deleted.
DNS integration supports both forward and reverse lookups. IPA automatically creates PTR records for reverse resolution when forward records are created with IP addresses. This bidirectional DNS configuration supports services that validate reverse DNS for security (SSH, Kerberos, many network protocols).
SSHFP records can be automatically published to DNS when SSH public keys are stored in the host entry. These DNS records provide an additional verification mechanism for SSH host key validation, enabling DNS-based trust rather than relying solely on IPA’s SSH key distribution.
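The SSHFP record that IPA publishes for a stored host key (here and under SSH Public Key Management) can be computed and checked independently of IPA. This is an added Python example, not FreeIPA code; it builds a constructed ssh-ed25519 key line rather than using a real host key, and uses the algorithm and fingerprint-type numbers from RFC 4255, RFC 6594 and RFC 7479.

```python
"""Compute and verify DNS SSHFP records for OpenSSH host public keys.

Added example; not FreeIPA code. SSHFP RDATA is <algorithm> <fptype> <hex
fingerprint>, where the fingerprint is a hash over the raw public key blob
(the base64 field of the key line), per RFC 4255, RFC 6594 and RFC 7479.
"""
import base64
import hashlib
import hmac
import struct

# Algorithm numbers per RFC 4255 / 6594 / 7479
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: 1 = SHA-1 (legacy, avoid), 2 = SHA-256
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_ssh_pubkey(line):
    """Return (key_type, blob) from an OpenSSH public key line.

    The blob begins with a length-prefixed copy of the key type; it must
    agree with the leading text field, otherwise the line is rejected.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("public key is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("public key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + tlen or blob[4:4 + tlen] != key_type.encode("ascii"):
        raise ValueError("key type field does not match key blob")
    return key_type, blob


def sshfp_record(line, fptype=2):
    """Return the (algorithm, fptype, hex_fingerprint) SSHFP RDATA for a key line."""
    key_type, blob = parse_ssh_pubkey(line)
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for key type %s" % key_type)
    if fptype not in SSHFP_FPTYPES:
        raise ValueError("unsupported SSHFP fingerprint type %r" % fptype)
    return SSHFP_ALGORITHMS[key_type], fptype, SSHFP_FPTYPES[fptype](blob).hexdigest()


def sshfp_zone_line(hostname, line, fptype=2):
    """Render the record as it would appear in a zone file."""
    alg, fpt, fp = sshfp_record(line, fptype)
    return "%s. IN SSHFP %d %d %s" % (hostname.rstrip("."), alg, fpt, fp)


def sshfp_matches(line, rdata):
    """True if the offered key line matches a published SSHFP RDATA triple.

    Malformed input is treated as a mismatch; the fingerprint comparison is
    constant-time so a partial match is not observable through timing.
    """
    alg, fpt, fp = rdata
    try:
        got_alg, _, got_fp = sshfp_record(line, fpt)
    except ValueError:
        return False
    return got_alg == alg and hmac.compare_digest(
        got_fp.encode("ascii"), str(fp).lower().encode("utf-8"))


def make_key_line(key_type, key_bytes, comment="constructed@example"):
    """Build an OpenSSH public key line from raw key bytes (test-data helper)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode("ascii")
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode("ascii"), comment)


# Constructed sample key: 32 fixed bytes, not a real or valid Ed25519 point.
# Fingerprinting depends only on the key bytes, not on the key being valid.
SAMPLE_ED25519 = make_key_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    print(sshfp_zone_line("web01.example.com", SAMPLE_ED25519))
    published = sshfp_record(SAMPLE_ED25519)
    print("genuine key matches:", sshfp_matches(SAMPLE_ED25519, published))
    tampered = make_key_line("ssh-ed25519", bytes(range(31)) + b"\xff")
    print("tampered key matches:", sshfp_matches(tampered, published))
```

Feeding a real `ssh-ed25519 ...` line from a host’s `/etc/ssh/*.pub` into `sshfp_zone_line` gives the record to compare against what `dig SSHFP` returns for that host.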
The --force flag bypasses DNS validation during host creation, allowing hosts to be added even if they don’t have DNS records. The --no-reverse flag disables reverse DNS lookups during validation. These options support scenarios where DNS is not yet configured or hosts are in isolated network segments.
Resource Delegation
Resource delegation enables hosts to delegate specific Kerberos authentication operations to services running on those hosts. This advanced feature supports constrained delegation scenarios where a service needs to authenticate to backend resources on behalf of users without requiring the user’s full credentials.
Delegation is configured through host-add-delegation and host-remove-delegation commands, specifying which principals can receive delegated credentials. Delegation targets are typically service principals representing backend resources the host’s services need to access.
Access to configure delegation can itself be delegated through host-allow-add-delegation and host-disallow-add-delegation, enabling users, groups, or other hosts to manage delegation configuration without full host administrative privileges.
Examples
Basic Host Management
Add a host with descriptive metadata:
ipa host-add --location="3rd floor lab" --locality="Dallas" --platform="Dell R640" --os="Rocky Linux 9" web01.example.com
Add a host with DNS integration (creates A record):
ipa host-add --ip-address=192.168.1.100 web02.example.com
Add a host bypassing DNS validation (for pre-DNS provisioning):
ipa host-add --force app01.example.com
Delete a host:
ipa host-del web01.example.com
Delete a host and remove DNS records:
ipa host-del --updatedns web02.example.com
Display comprehensive host information:
ipa host-show web01.example.com --all
Search for hosts matching a pattern:
ipa host-find web
Search for hosts in a specific location:
ipa host-find --location="3rd floor lab"
One-Time Password Enrollment
Create a host with a specified OTP for later enrollment:
ipa host-add --password=SecureOTP123 app01.example.com
Create a host with a randomly generated OTP:
ipa host-add --random app02.example.com
Reset OTP for a host that failed enrollment:
ipa host-mod --random app01.example.com
Host Modification
Update host metadata:
ipa host-mod --os="Rocky Linux 9.3" --location="4th floor lab" web01.example.com
Update host description:
ipa host-mod --desc="Production web server" web01.example.com
Add MAC address information:
ipa host-mod --macaddress=00:11:22:33:44:55 web01.example.com
Change host principal alias:
ipa host-add-principal web01.example.com host/web-legacy.example.com@EXAMPLE.COM
Remove principal alias:
ipa host-remove-principal web01.example.com host/web-legacy.example.com@EXAMPLE.COM
SSH Key Management
Add SSH public key to host entry:
ipa host-mod --sshpubkey="ssh-rsa AAAAB3Nza..." web01.example.com
Update SSH keys and publish to DNS SSHFP records:
ipa host-mod --sshpubkey="ssh-ed25519 AAAAC3Nza..." --updatedns web01.example.com
Remove all SSH keys from host:
ipa host-mod --sshpubkey= web01.example.com
Certificate Management
Add a certificate to host entry:
ipa host-add-cert web01.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."
Remove a certificate:
ipa host-remove-cert web01.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."
Export host certificate to file:
ipa host-show web01.example.com --out=web01.crt
Host Disablement and Recovery
Disable host (revokes Kerberos keys, certificates, and all service keys):
ipa host-disable web01.example.com
Re-enable host by re-enrolling:
# On the host itself:
ipa-client-install --force-join
Managed-By Relationships
Allow another host to manage this host’s keytab and certificates:
ipa host-add-managedby --hosts=loadbalancer.example.com web01.example.com
Remove managed-by relationship:
ipa host-remove-managedby --hosts=loadbalancer.example.com web01.example.com
Show which hosts can manage a specific host:
ipa host-show web01.example.com --all | grep -i managed
Keytab Delegation
Allow a user to create keytabs for a host:
ipa host-allow-create-keytab web01.example.com --users=sysadmin
Allow a group to create keytabs for a host:
ipa host-allow-create-keytab web01.example.com --groups=operations
Allow specific hosts to create keytabs (for orchestration scenarios):
ipa host-allow-create-keytab web01.example.com --hosts=provisioner.example.com
Allow host groups to create keytabs:
ipa host-allow-create-keytab web01.example.com --hostgroups=automation_servers
Revoke keytab creation permission:
ipa host-disallow-create-keytab web01.example.com --users=sysadmin
Allow keytab retrieval without regeneration:
ipa host-allow-retrieve-keytab web01.example.com --users=backupoperator
Revoke keytab retrieval permission:
ipa host-disallow-retrieve-keytab web01.example.com --users=backupoperator
Resource Delegation
Add resource delegation for constrained delegation scenarios:
ipa host-add-delegation web01.example.com HTTP/backend.example.com@EXAMPLE.COM
Remove resource delegation:
ipa host-remove-delegation web01.example.com HTTP/backend.example.com@EXAMPLE.COM
Delegate management of resource delegation to a user:
ipa host-allow-add-delegation web01.example.com --users=webadmin
Revoke delegation management:
ipa host-disallow-add-delegation web01.example.com --users=webadmin
Advanced Queries
Find hosts enrolled by a specific user:
ipa host-find --enroll-by-users=admin
Find hosts in specific host groups:
ipa host-find --in-hostgroups=webservers
Find hosts used in HBAC rules:
ipa host-find --in-hbacrules=allow_ssh
Find hosts managed by a specific host:
ipa host-find --man-by-hosts=provisioner.example.com
Best Practices
Host Lifecycle Management
Pre-create hosts before enrollment for controlled environments: In production environments, pre-create host entries with appropriate metadata and OTP before physical deployment. This provides inventory visibility and enforces approval workflows.
Use descriptive metadata for asset tracking: Consistently populate location, platform, and OS fields. This metadata supports operational workflows including patch management, capacity planning, and incident response.
Maintain DNS integration: Enable --updatedns for host modifications and deletions to keep DNS synchronized with host inventory. Inconsistent DNS causes authentication failures and service disruption.
Regularly audit and clean up stale hosts: Hosts that are decommissioned should be either deleted or at minimum disabled. Stale host entries clutter the directory and can represent security risks if their credentials are compromised.
Enrollment Strategy
Use OTP enrollment for automation: Configuration management systems (Ansible, Puppet, Terraform) should use OTP-based enrollment rather than storing persistent administrative credentials. Generate OTPs programmatically and inject them into provisioning workflows.
Delegate enrollment to limited administrators for remote sites: Grant the “Host Enrollment” privilege to site administrators rather than full admin access. Pre-create hosts centrally, then delegate enrollment to local staff.
Disable hosts before re-enrollment: When re-enrolling a host, first disable it to revoke existing credentials. This prevents old credentials from being used if they were compromised or copied before re-enrollment.
Document enrollment procedures: Maintain runbooks for standard enrollment scenarios including first-time enrollment, re-enrollment, and recovery from enrollment failures.
SSH Key Management
Publish SSH keys to IPA for centralized trust: Configure SSH daemons to publish host keys to IPA and configure clients to retrieve them. This eliminates trust-on-first-use vulnerabilities and provides centralized key management.
Enable DNS SSHFP records: Use --updatedns when managing SSH keys to publish SSHFP records. This provides defense-in-depth for SSH host verification.
Rotate SSH host keys periodically: While not required, rotating host SSH keys (and updating IPA) limits exposure if older keys were compromised. Update IPA entries after rotation.
Certificate Management
Use certmonger for automated certificate lifecycle: IPA clients should use certmonger to request, track, and automatically renew certificates. This prevents certificate expiration outages.
Leverage IPA CA for internal certificates: Use IPA’s integrated CA for internal service certificates rather than self-signed certificates or external CAs. This provides automated enrollment, renewal, and revocation.
Revoke certificates when disabling hosts: host-disable automatically revokes certificates, but administrators should verify revocation when decommissioning hosts to prevent unauthorized use of old certificates.
Delegation and Access Control
Use managed-by for clustered applications: Load balancers, container orchestrators, and cluster managers should use managed-by relationships rather than full administrative credentials to manage member host certificates and keytabs.
Minimize keytab creation delegation: Creating keytabs regenerates keys and invalidates existing keytabs. This privilege should be granted sparingly and primarily to trusted automation systems.
Prefer keytab retrieval over creation for multi-system scenarios: If multiple systems need the same keytab (generally discouraged), use retrieve delegation rather than create delegation to avoid inadvertent key regeneration.
Document delegation relationships: Maintain clear records of which users, groups, or hosts have delegation privileges for each host. This aids security audits and troubleshooting.
Security Considerations
Protect OTPs: One-time passwords are sensitive credentials. Transmit them through secure channels and ensure they are not logged or stored persistently in configuration management systems after use.
Monitor enrollment activity: Regularly review enrollment logs to detect unauthorized enrollment attempts or unusual patterns that might indicate compromise.
Limit full administrative enrollment: Reserve full admin enrollment capabilities for trusted administrators. Use limited administrator delegation or OTP enrollment for operational deployments.
Audit managed-by and delegation privileges: These relationships grant significant control over host credentials. Regularly audit and prune unnecessary delegation to maintain least privilege.
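The audit recommended above can be scripted over the text that `ipa host-find --all` prints. This is an added Python example, not part of the page or of FreeIPA; the sample output is constructed, and the attribute labels it parses (Managed by, Users allowed to create keytab, and so on) are assumed from the host plugin’s output, as are the approved-manager and approved-creator sets.

```python
"""Audit managed-by and keytab delegation from `ipa host-find --all` output.

Added example; not FreeIPA code. It parses the indented "Label: value"
lines the CLI prints and flags delegation that falls outside an approved
set, so that least privilege on host credentials can be checked regularly.
"""
import re

# Constructed sample in the shape of `ipa host-find --all` output. The
# attribute labels are assumed from the FreeIPA host plugin's output.
SAMPLE_OUTPUT = """\
--------------
3 hosts matched
--------------
  Host name: web01.example.com
  Principal name: host/web01.example.com@EXAMPLE.COM
  Managed by: web01.example.com, loadbalancer.example.com
  Users allowed to create keytab: sysadmin
  Hosts allowed to create keytab: provisioner.example.com
  Users allowed to retrieve keytab: backupoperator
  Keytab: True

  Host name: app01.example.com
  Principal name: host/app01.example.com@EXAMPLE.COM
  Managed by: app01.example.com, jumpbox.example.com
  Groups allowed to create keytab: operations
  Keytab: False

  Host name: db01.example.com
  Principal name: host/db01.example.com@EXAMPLE.COM
  Managed by: db01.example.com
  Keytab: True
----------------------------
Number of entries returned 3
----------------------------
"""

# Policy (assumed for the example): who may hold each kind of delegation.
APPROVED_MANAGERS = {"loadbalancer.example.com", "provisioner.example.com"}
APPROVED_KEYTAB_CREATORS = {"provisioner.example.com"}

CREATE_LABELS = ("Users allowed to create keytab", "Groups allowed to create keytab",
                 "Hosts allowed to create keytab", "Host Groups allowed to create keytab")
RETRIEVE_LABELS = ("Users allowed to retrieve keytab", "Groups allowed to retrieve keytab",
                   "Hosts allowed to retrieve keytab", "Host Groups allowed to retrieve keytab")

# One attribute line: two leading spaces, a label, ":", then comma-separated values
ENTRY_LINE = re.compile(r"^ {2}([^:]+): ?(.*)$")


def parse_host_entries(text):
    """Split CLI output into one dict per host: label -> list of values."""
    entries, current = [], {}
    for raw in text.splitlines():
        m = ENTRY_LINE.match(raw)
        if not m:
            # Blank lines and the summary banners separate entries
            if current:
                entries.append(current)
                current = {}
            continue
        label, value = m.group(1).strip(), m.group(2).strip()
        current[label] = [v.strip() for v in value.split(",") if v.strip()]
    if current:
        entries.append(current)
    return entries


def audit_delegation(entries, approved_managers, approved_creators):
    """Return (host, severity, message) findings for delegation outside policy."""
    findings = []
    for entry in entries:
        host = entry.get("Host name", ["<unknown>"])[0]
        # A host always manages itself; any other manager must be approved
        for manager in entry.get("Managed by", []):
            if manager != host and manager not in approved_managers:
                findings.append((host, "high", "unapproved managed-by host: " + manager))
        # Create-keytab delegation regenerates keys; keep it to approved automation
        for label in CREATE_LABELS:
            for principal in entry.get(label, []):
                if principal not in approved_creators:
                    findings.append((host, "high", "%s: %s" % (label, principal)))
        # Retrieve-keytab delegation shares the current keys; always worth review
        for label in RETRIEVE_LABELS:
            for principal in entry.get(label, []):
                findings.append((host, "medium", "%s: %s" % (label, principal)))
        # Keytab: False means the entry was pre-created but never enrolled
        if entry.get("Keytab", ["True"])[0] == "False":
            findings.append((host, "info", "host entry has no keytab (not yet enrolled)"))
    return findings


def run_sample():
    """Audit the constructed sample; returns the findings list."""
    return audit_delegation(parse_host_entries(SAMPLE_OUTPUT),
                            APPROVED_MANAGERS, APPROVED_KEYTAB_CREATORS)


if __name__ == "__main__":
    for host, severity, message in run_sample():
        print("%-6s %-22s %s" % (severity, host, message))
```

Replacing SAMPLE_OUTPUT with the captured output of `ipa host-find --all` runs the same checks against a live directory.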
Integration with Other IPA Components
Host Groups
Hosts can be organized into host groups for collective management and policy application. Host groups appear in HBAC rules, sudo rules, and automember rules, enabling policy to target sets of hosts rather than individual machines.
Service Principals
Service principals (HTTP/, LDAP/, etc.) are associated with host entries. The host owns its service principals, and service management operations often require host-level permissions or delegation.
HBAC Rules
Host-based access control rules reference hosts and host groups to define which users can access which systems and services. Host enrollment and organization directly impact HBAC policy evaluation.
Sudo Rules
Sudo rules can target specific hosts or host groups, defining where privileged commands can be executed. Proper host organization enables granular sudo privilege delegation.
DNS
IPA’s integrated DNS can automatically manage forward and reverse records for enrolled hosts. This integration ensures DNS consistency and supports services requiring accurate DNS information.
Automember Rules
Automember rules can automatically populate host group membership based on host attributes. For example, all hosts in a specific location could automatically join a location-specific host group.
Locations
IPA topology locations can be assigned to hosts, enabling location-aware service discovery and replication. Hosts are assigned to locations through the location attribute or integration with topology management.
Commands
Command Description
host-add Add a new host.
host-add-cert Add certificates to host entry
host-add-delegation Add new resource delegation to a host
host-add-managedby Add hosts that can manage this host.
host-add-principal Add new principal alias to host entry
host-allow-add-delegation Allow users, groups, hosts or host groups to handle a resource delegation of this host.
host-allow-create-keytab Allow users, groups, hosts or host groups to create a keytab of this host.
host-allow-retrieve-keytab Allow users, groups, hosts or host groups to retrieve a keytab of this host.
host-del Delete a host.
host-disable Disable the Kerberos key, SSL certificate and all services of a host.
host-disallow-add-delegation Disallow users, groups, hosts or host groups to handle a resource delegation of this host.
host-disallow-create-keytab Disallow users, groups, hosts or host groups to create a keytab of this host.
host-disallow-retrieve-keytab Disallow users, groups, hosts or host groups to retrieve a keytab of this host.
host-find Search for hosts.
host-mod Modify information about a host.
host-remove-cert Remove certificates from host entry
host-remove-delegation Remove resource delegation from a host
host-remove-managedby Remove hosts that can manage this host.
host-remove-principal Remove principal alias from a host entry
host-show Display information about a host.
host-add
Usage: ipa [global-options] host-add HOSTNAME [options]
Add a new host.
Arguments
Argument Required Description
HOSTNAME yes Host name
Options
Option Description
--desc DESC A description of this host
--locality LOCALITY Host locality (e.g. “Baltimore, MD”)
--location LOCATION Host physical location hint (e.g. “Lab 2”)
--platform PLATFORM Host hardware platform (e.g. “Lenovo T61”)
--os OS Host operating system and version (e.g. “Fedora 9”)
--password PASSWORD Password used in bulk enrollment
--random Generate a random password to be used in bulk enrollment
--certificate CERTIFICATE Base-64 encoded host certificate
--macaddress MACADDRESS Hardware MAC address(es) on this host
--sshpubkey SSHPUBKEY SSH public key
--class CLASS Host category (semantics placed on this attribute are for local interpretation)
--auth-ind AUTH-IND Defines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow External Identity Provider authentications. Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.
--requires-pre-auth REQUIRES-PRE-AUTH Pre-authentication is required for the service
--ok-as-delegate OK-AS-DELEGATE Client credentials may be delegated to the service
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE The service is allowed to authenticate on behalf of a client
--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute
--force force host name even if not in DNS
--no-reverse skip reverse DNS detection
--ip-address IP-ADDRESS Add the host to DNS with this IP address
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
host-add-cert
Usage: ipa [global-options] host-add-cert HOSTNAME [options]
Add certificates to host entry
Arguments
Argument Required Description
HOSTNAME yes Host name
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--certificate CERTIFICATE Base-64 encoded host certificate
host-add-delegation
Usage: ipa [global-options] host-add-delegation HOSTNAME PRINCIPAL [options]
Add new resource delegation to a host
Arguments
Argument Required Description
HOSTNAME yes Host name
PRINCIPAL yes Delegation principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
host-add-managedby
Usage: ipa [global-options] host-add-managedby HOSTNAME [options]
Add hosts that can manage this host.
Arguments
Argument Required Description
HOSTNAME yes Host name
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--hosts HOSTS hosts to add
host-add-principal
Usage: ipa [global-options] host-add-principal HOSTNAME KRBPRINCIPALNAME [options]
Add new principal alias to host entry
Arguments
Argument Required Description
HOSTNAME yes Host name
KRBPRINCIPALNAME yes Principal alias
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
host-allow-add-delegation
Usage: ipa [global-options] host-allow-add-delegation HOSTNAME [options]
Allow users, groups, hosts or host groups to handle a resource delegation of this host.
Arguments
Argument Required Description
HOSTNAME yes Host name
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to add
--groups GROUPS groups to add
--hosts HOSTS hosts to add
--hostgroups HOSTGROUPS host groups to add
host-allow-create-keytab
Usage: ipa [global-options] host-allow-create-keytab HOSTNAME [options]
Allow users, groups, hosts or host groups to create a keytab of this host.
Arguments
Argument Required Description
HOSTNAME yes Host name
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to add
--groups GROUPS groups to add
--hosts HOSTS hosts to add
--hostgroups HOSTGROUPS host groups to add
host-allow-retrieve-keytab
Usage: ipa [global-options] host-allow-retrieve-keytab HOSTNAME [options]
Allow users, groups, hosts or host groups to retrieve a keytab of this host.
Arguments
Argument Required Description
HOSTNAME yes Host name
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to add
--groups GROUPS groups to add
--hosts HOSTS hosts to add
--hostgroups HOSTGROUPS host groups to add
host-del
Usage: ipa [global-options] host-del HOSTNAME [options]
Delete a host.
Arguments
Argument Required Description
HOSTNAME yes Host name
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
--updatedns Remove A, AAAA, SSHFP and PTR records of the host(s) managed by IPA DNS
host-disable
Usage: ipa [global-options] host-disable HOSTNAME [options]
Disable the Kerberos key, SSL certificate and all services of a host.
Arguments
Argument   Required   Description
HOSTNAME   yes        Host name
host-disallow-add-delegation
Usage: ipa [global-options] host-disallow-add-delegation HOSTNAME [options]
Disallow users, groups, hosts or host groups to handle a resource delegation of this host.
Arguments
Argument   Required   Description
HOSTNAME   yes        Host name
Options
Option                     Description
--all                      Retrieve and print all attributes from the server. Affects command output.
--raw                      Print entries as stored on the server. Only affects output format.
--no-members               Suppress processing of membership attributes.
--users USERS              Users to remove
--groups GROUPS            Groups to remove
--hosts HOSTS              Hosts to remove
--hostgroups HOSTGROUPS    Host groups to remove
host-disallow-create-keytab
Usage: ipa [global-options] host-disallow-create-keytab HOSTNAME [options]
Disallow users, groups, hosts or host groups to create a keytab of this host.
Arguments
Argument   Required   Description
HOSTNAME   yes        Host name
Options
Option                     Description
--all                      Retrieve and print all attributes from the server. Affects command output.
--raw                      Print entries as stored on the server. Only affects output format.
--no-members               Suppress processing of membership attributes.
--users USERS              Users to remove
--groups GROUPS            Groups to remove
--hosts HOSTS              Hosts to remove
--hostgroups HOSTGROUPS    Host groups to remove
host-disallow-retrieve-keytab
Usage: ipa [global-options] host-disallow-retrieve-keytab HOSTNAME [options]
Disallow users, groups, hosts or host groups to retrieve a keytab of this host.
Arguments
Argument   Required   Description
HOSTNAME   yes        Host name
Options
Option                     Description
--all                      Retrieve and print all attributes from the server. Affects command output.
--raw                      Print entries as stored on the server. Only affects output format.
--no-members               Suppress processing of membership attributes.
--users USERS              Users to remove
--groups GROUPS            Groups to remove
--hosts HOSTS              Hosts to remove
--hostgroups HOSTGROUPS    Host groups to remove
host-find
Usage: ipa [global-options] host-find [CRITERIA] [options]
Search for hosts.
Arguments
Argument   Required   Description
CRITERIA   no         A string searched in all relevant object attributes
Options
Option                                     Description
--hostname HOSTNAME                        Host name
--desc DESC                                A description of this host
--locality LOCALITY                        Host locality (e.g. “Baltimore, MD”)
--location LOCATION                        Host physical location hint (e.g. “Lab 2”)
--platform PLATFORM                        Host hardware platform (e.g. “Lenovo T61”)
--os OS                                    Host operating system and version (e.g. “Fedora 9”)
--certificate CERTIFICATE                  Base-64 encoded host certificate
--macaddress MACADDRESS                    Hardware MAC address(es) on this host
--class CLASS                              Host category (semantics placed on this attribute are for local interpretation)
--auth-ind AUTH-IND                        Defines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow External Identity Provider authentications. Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.
--timelimit TIMELIMIT                      Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT                      Maximum number of entries returned (0 is unlimited)
--all                                      Retrieve and print all attributes from the server. Affects command output.
--raw                                      Print entries as stored on the server. Only affects output format.
--pkey-only                                Results should contain the primary key attribute only (“hostname”)
--in-hostgroups IN-HOSTGROUPS              Search for hosts that are members of these host groups.
--not-in-hostgroups NOT-IN-HOSTGROUPS      Search for hosts that are not members of these host groups.
--in-netgroups IN-NETGROUPS                Search for hosts that are members of these netgroups.
--not-in-netgroups NOT-IN-NETGROUPS        Search for hosts that are not members of these netgroups.
--in-roles IN-ROLES                        Search for hosts that are members of these roles.
--not-in-roles NOT-IN-ROLES                Search for hosts that are not members of these roles.
--in-hbacrules IN-HBACRULES                Search for hosts that are members of these HBAC rules.
--not-in-hbacrules NOT-IN-HBACRULES        Search for hosts that are not members of these HBAC rules.
--in-sudorules IN-SUDORULES                Search for hosts that are members of these sudo rules.
--not-in-sudorules NOT-IN-SUDORULES        Search for hosts that are not members of these sudo rules.
--enroll-by-users ENROLL-BY-USERS          Search for hosts that can be enrolled by these users.
--not-enroll-by-users NOT-ENROLL-BY-USERS  Search for hosts that cannot be enrolled by these users.
--man-by-hosts MAN-BY-HOSTS                Search for hosts that are managed by these hosts.
--not-man-by-hosts NOT-MAN-BY-HOSTS        Search for hosts that are not managed by these hosts.
--man-hosts MAN-HOSTS                      Search for hosts that manage these hosts.
--not-man-hosts NOT-MAN-HOSTS              Search for hosts that do not manage these hosts.
host-mod
Usage: ipa [global-options] host-mod HOSTNAME [options]
Modify information about a host.
Arguments
Argument   Required   Description
HOSTNAME   yes        Host name
Options
Option                                           Description
--desc DESC                                      A description of this host
--locality LOCALITY                              Host locality (e.g. “Baltimore, MD”)
--location LOCATION                              Host physical location hint (e.g. “Lab 2”)
--platform PLATFORM                              Host hardware platform (e.g. “Lenovo T61”)
--os OS                                          Host operating system and version (e.g. “Fedora 9”)
--password PASSWORD                              Password used in bulk enrollment
--random                                         Generate a random password to be used in bulk enrollment
--certificate CERTIFICATE                        Base-64 encoded host certificate
--krbprincipalname KRBPRINCIPALNAME              Principal alias
--macaddress MACADDRESS                          Hardware MAC address(es) on this host
--sshpubkey SSHPUBKEY                            SSH public key
--class CLASS                                    Host category (semantics placed on this attribute are for local interpretation)
--auth-ind AUTH-IND                              Defines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow External Identity Provider authentications. Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.
--requires-pre-auth REQUIRES-PRE-AUTH            Pre-authentication is required for the service
--ok-as-delegate OK-AS-DELEGATE                  Client credentials may be delegated to the service
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE  The service is allowed to authenticate on behalf of a client
--setattr SETATTR                                Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR                                Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR                                Delete an attribute/value pair. The option will be evaluated
--rights                                         Display the access rights of this entry (requires --all). See the ipa man page for details.
--updatedns                                      Update DNS entries
--all                                            Retrieve and print all attributes from the server. Affects command output.
--raw                                            Print entries as stored on the server. Only affects output format.
--no-members                                     Suppress processing of membership attributes.
host-remove-cert
Usage: ipa [global-options] host-remove-cert HOSTNAME [options]
Remove certificates from a host entry.
Arguments
Argument   Required   Description
HOSTNAME   yes        Host name
Options
Option                       Description
--all                        Retrieve and print all attributes from the server. Affects command output.
--raw                        Print entries as stored on the server. Only affects output format.
--no-members                 Suppress processing of membership attributes.
--certificate CERTIFICATE    Base-64 encoded host certificate
host-remove-delegation
Usage: ipa [global-options] host-remove-delegation HOSTNAME PRINCIPAL [options]
Remove resource delegation from a host.
Arguments
Argument    Required   Description
HOSTNAME    yes        Host name
PRINCIPAL   yes        Delegation principal
Options
Option          Description
--all           Retrieve and print all attributes from the server. Affects command output.
--raw           Print entries as stored on the server. Only affects output format.
--no-members    Suppress processing of membership attributes.
host-remove-managedby
Usage: ipa [global-options] host-remove-managedby HOSTNAME [options]
Remove hosts that can manage this host.
Arguments
Argument   Required   Description
HOSTNAME   yes        Host name
Options
Option           Description
--all            Retrieve and print all attributes from the server. Affects command output.
--raw            Print entries as stored on the server. Only affects output format.
--no-members     Suppress processing of membership attributes.
--hosts HOSTS    Hosts to remove
host-remove-principal
Usage: ipa [global-options] host-remove-principal HOSTNAME KRBPRINCIPALNAME [options]
Remove a principal alias from a host entry.
Arguments
Argument           Required   Description
HOSTNAME           yes        Host name
KRBPRINCIPALNAME   yes        Principal alias
Options
Option          Description
--all           Retrieve and print all attributes from the server. Affects command output.
--raw           Print entries as stored on the server. Only affects output format.
--no-members    Suppress processing of membership attributes.
host-show
Usage: ipa [global-options] host-show HOSTNAME [options]
Display information about a host.
Arguments
Argument   Required   Description
HOSTNAME   yes        Host name
Options
Option       Description
--rights     Display the access rights of this entry (requires --all). See the ipa man page for details.
--out OUT    File to store the certificate in
--all        Retrieve and print all attributes from the server. Affects command output.
--raw        Print entries as stored on the server. Only affects output format.