Host Management
Manage host entries for enrolled machines and servers. Hosts store service principals, participate in host-based access control rules, and can be organized into host groups. Features include enrollment with one-time passwords, SSH key management, certificate management, DNS integration, location assignment, and support for various enrollment scenarios including full and limited administrator workflows.
Overview
Hosts in FreeIPA represent physical or virtual machines enrolled in the IPA domain. Each host entry serves multiple critical functions within the identity management infrastructure: storing Kerberos service principals for authentication, participating in host-based access control policies, providing a foundation for service registration, and maintaining security credentials including SSH keys and X.509 certificates.
Every enrolled IPA client automatically generates a host entry during the enrollment process. These entries persist in the directory even if the physical machine is decommissioned, maintaining historical records and configuration state. Host entries can be pre-created before physical enrollment to support various deployment workflows including one-time password enrollment and delegated administration scenarios.
Hosts participate extensively in IPA’s security model. The host entry stores the host’s Kerberos principal (host/hostname@REALM), enabling mutual authentication between clients and servers. Service principals for applications running on the host are associated with the host entry, creating clear ownership relationships. Host-based access control rules reference hosts and host groups to define which users can access which systems, forming a critical component of IPA’s authorization framework.
Host Enrollment Scenarios
Full Administrator Enrollment
Full administrators (members of the “admins” group or “hostadmin” role) can enroll hosts without restrictions. They can create new host entries during enrollment or enroll against existing entries. This enrollment mode provides maximum flexibility, allowing administrators to enroll hosts without pre-planning or coordination.
When a full administrator enrolls a host, IPA automatically creates the host entry if it doesn’t exist, generates Kerberos keys, and establishes the machine’s identity within the domain. The enrollment process retrieves a TGT for the host principal, configures SSSD for identity lookups, and integrates the system into IPA’s authentication and authorization infrastructure.
Full administrators can override DNS validation, force enrollment of hosts with names not resolvable in DNS, and specify custom attributes during enrollment. This flexibility supports diverse deployment scenarios including isolated networks, lab environments, and migration from other identity systems.
Limited Administrator Enrollment
Limited administrators hold the “Host Enrollment” privilege through role assignment but lack full administrative access. These users can enroll hosts but only against pre-existing host entries created by full administrators. This enrollment model supports delegated deployment workflows where central IT creates host entries and delegates actual enrollment to remote administrators or automated systems.
The limited administrator workflow requires coordination: a full administrator first creates the host entry (potentially with a one-time password), then the limited administrator enrolls the physical machine against that pre-created entry. This separation of duties ensures central IT maintains awareness of all enrolled hosts while distributing enrollment workload.
Limited administrators cannot modify host attributes beyond those affected by enrollment (Kerberos keys, enrollment metadata). They cannot delete hosts, change DNS integration settings, or modify access control delegation. This restricted privilege set enables safe delegation without compromising security boundaries.
One-Time Password (OTP) Enrollment
One-time password enrollment enables automated or delegated enrollment without persistent administrative credentials. A full administrator creates the host entry with either a specified password (--password) or a randomly generated password (--random). This password is valid for a single enrollment attempt and cannot be reused.
OTP enrollment suits several deployment scenarios: provisioning systems with configuration management tools (Ansible, Puppet, Chef), enabling self-service enrollment workflows, or delegating enrollment to users who should not have persistent administrative privileges. The OTP is typically transmitted to the enrollment agent through secure channels (encrypted email, configuration management secrets, administrator portal).
After successful enrollment using an OTP, the password is invalidated and cannot be used again. If enrollment fails, the OTP remains valid for retry attempts until successful enrollment occurs. Administrators can reset or change the OTP using host-mod --password or host-mod --random.
Re-Enrollment and Host Recovery
Hosts that were previously enrolled but lost their configuration can be re-enrolled without deleting and recreating the host entry. Common re-enrollment scenarios include virtual machine reversion to snapshots, operating system reinstallation, or container recreation. Re-enrollment preserves historical metadata, service principal associations, and policy memberships while regenerating authentication credentials.
Re-enrollment requires the same privilege level as initial enrollment: full administrators can re-enroll directly, while limited administrators or OTP-based re-enrollment requires the host entry to be prepared by a full administrator. Before re-enrolling, administrators often use host-disable to revoke the host’s existing Kerberos keys and certificates, ensuring old credentials cannot be used even if they were compromised.
The re-enrollment process regenerates the host’s Kerberos keytab and enrolls certificates if configured, but retains group memberships, HBAC rule associations, managed-by relationships, and service principals. This continuity ensures that access control policies and service configurations remain consistent across the re-enrollment event.
Host Metadata and Attributes
Host entries can store descriptive metadata beyond core authentication and authorization attributes. This metadata supports asset management, deployment tracking, and operational documentation:
- Description: Free-text description of the host’s purpose or role
- Locality: Geographic location (city, state, country)
- Location: Physical location hint (building, floor, rack)
- Platform: Hardware platform information (manufacturer, model)
- Operating System: OS version and distribution
- MAC Addresses: Network hardware addresses for the host’s interfaces
This metadata is optional but valuable for operational workflows. Location information can inform load balancing decisions or support compliance requirements for data residency. Platform and OS information aids patch management and vulnerability tracking. IPA does not automatically update this metadata; administrators must maintain it through host-mod commands or integration with asset management systems.
SSH Public Key Management
IPA hosts can store SSH public keys that are distributed to other IPA clients for SSH host key verification. This integration replaces or supplements traditional SSH known_hosts management, providing centralized distribution of host public keys across the domain.
When an IPA client’s SSH daemon generates host keys, those public keys can be published to the host entry in IPA. Other IPA clients running SSSD configured for SSH integration retrieve these public keys and use them to verify the host’s identity during SSH connections. This prevents man-in-the-middle attacks and eliminates the trust-on-first-use security gap in traditional SSH deployments.
SSH key management commands (host-mod --sshpubkey) support adding multiple keys for hosts with multiple key types (RSA, ECDSA, Ed25519). Keys can be removed by setting an empty value (--sshpubkey=). When combined with --updatedns, IPA can automatically publish SSH fingerprints to DNS SSHFP records for additional verification mechanisms.
Certificate Management
Host entries serve as the subject for X.509 certificates issued by IPA’s integrated certificate authority. Certificates are used for various purposes including TLS/SSL services, host authentication, and smart card login to the system itself (if configured).
Certificates are associated with host entries through several mechanisms: automatic enrollment during ipa-client-install, explicit requests using ipa-getcert, or manual addition using host-add-cert. Host certificates use the host’s principal name as the subject, ensuring the certificate identity matches the Kerberos identity.
IPA tracks certificate lifecycle including issuance, renewal, and revocation. Certificates approaching expiration can be automatically renewed through certmonger integration on IPA clients. When a host is disabled using host-disable, its certificates are revoked, immediately invalidating any TLS connections or authentication attempts using those certificates.
Multiple certificates can be associated with a single host entry, supporting scenarios where different services or interfaces require distinct certificates. Certificate management operations require appropriate privileges: host owners (through managed-by relationships) can manage certificates for their hosts, or specific users can be granted certificate management delegation.
Managed-By Relationships
The managed-by mechanism enables hosts to manage other hosts’ credentials and certificates. This delegation supports clustered applications, load balancers, and orchestration systems that need to manage credentials for multiple backend hosts without full administrative privileges.
When host A is designated as managed-by for host B, host B can retrieve and regenerate host A’s keytab and manage host A’s certificates. This relationship is used in scenarios like:
- Load balancers managing backend server certificates
- Cluster managers provisioning member node credentials
- Monitoring systems deploying credentials to managed hosts
Managed-by relationships are directional and require explicit configuration. The relationship does not grant broad administrative access; delegated hosts can only perform specific credential and certificate operations on the hosts they manage.
Keytab Delegation
Keytab delegation controls which users, groups, or hosts can create or retrieve a host’s Kerberos keytab without being full administrators. This fine-grained delegation supports automated deployment systems and delegated administration workflows.
Two distinct permissions can be delegated:
- Create Keytab: Generate a new keytab, invalidating existing keytabs
- Retrieve Keytab: Retrieve the current keytab without regeneration
Creating a keytab regenerates the Kerberos keys, invalidating all existing keytabs for that principal. This operation should be restricted to trusted automation or recovery workflows. Retrieving a keytab accesses current keys without regeneration, supporting scenarios where multiple systems need the same keytab (though this is generally discouraged in security-conscious environments).
Delegation can target individual users, groups of users, specific hosts, or host groups. This flexibility enables both personal delegation (“alice can create keytabs for hosts in her lab”) and systemic delegation (“the provisioning cluster can create keytabs for all compute nodes”).
DNS Integration
IPA can optionally integrate host entries with DNS, automatically creating and maintaining DNS records for enrolled hosts. When adding a host with --ip-address, IPA creates corresponding A (IPv4) or AAAA (IPv6) records in DNS. The --updatedns flag with host-mod updates DNS records when host attributes change, and with host-del removes DNS records when the host is deleted.
DNS integration supports both forward and reverse lookups. IPA automatically creates PTR records for reverse resolution when forward records are created with IP addresses. This bidirectional DNS configuration supports services that validate reverse DNS for security (SSH, Kerberos, many network protocols).
SSHFP records can be automatically published to DNS when SSH public keys are stored in the host entry. These DNS records provide an additional verification mechanism for SSH host key validation, enabling DNS-based trust rather than relying solely on IPA’s SSH key distribution.
The --force flag bypasses DNS validation during host creation, allowing hosts to be added even if they don’t have DNS records. The --no-reverse flag disables reverse DNS lookups during validation. These options support scenarios where DNS is not yet configured or hosts are in isolated network segments.
Resource Delegation
Resource delegation enables hosts to delegate specific Kerberos authentication operations to services running on those hosts. This advanced feature supports constrained delegation scenarios where a service needs to authenticate to backend resources on behalf of users without requiring the user’s full credentials.
Delegation is configured through host-add-delegation and host-remove-delegation commands, specifying which principals can receive delegated credentials. Delegation targets are typically service principals representing backend resources the host’s services need to access.
Access to configure delegation can itself be delegated through host-allow-add-delegation and host-disallow-add-delegation, enabling users, groups, or other hosts to manage delegation configuration without full host administrative privileges.
Use Cases
Automated Infrastructure Provisioning
Scenario: Configuration management system (Ansible, Terraform) provisions 100 servers monthly.
Solution:
# Ansible playbook creates hosts with OTP
- name: Pre-create IPA host entry
ipa_host:
name: "{{ inventory_hostname }}"
random: yes
state: present
ip_address: "{{ ansible_default_ipv4.address }}"
register: ipa_otp
# Enroll with OTP during provisioning
- name: Enroll in IPA
command: ipa-client-install --password="{{ ipa_otp.host.randompassword }}" --unattended
Load Balancer Certificate Management
Scenario: HAProxy load balancer needs to manage backend server TLS certificates.
Solution:
# Establish managed-by relationship
ipa host-add-managedby web01.example.com --hosts=haproxy.example.com
ipa host-add-managedby web02.example.com --hosts=haproxy.example.com
# HAProxy can now retrieve/regenerate backend certificates
# From haproxy.example.com:
ipa-getcert request -k /etc/pki/web01.key -f /etc/pki/web01.crt \
-N CN=web01.example.com -K host/web01.example.com@EXAMPLE.COM
Remote Site Delegated Enrollment
Scenario: Regional offices enroll local servers without full IPA admin access.
Solution:
# Central IT creates enrollment role
ipa role-add regional-enrollment --desc "Regional server enrollment"
ipa role-add-privilege regional-enrollment --privileges="Host Enrollment"
# Grant role to regional admin
ipa role-add-member regional-enrollment --users=alice@emea.example.com
# Central IT pre-creates hosts
ipa host-add --random emea-web01.example.com
# Regional admin enrolls
# (as alice) ipa-client-install on emea-web01
Decommissioned Server Cleanup
Scenario: Monthly cleanup of decommissioned servers and stale host entries.
Solution:
# Find hosts not enrolled in past 180 days
ipa host-find --pkey-only | while read hostname; do
last_init=$(ipa host-show $hostname --all | grep "Last init")
# Parse date, if older than 180 days:
ipa host-show $hostname
# Manual review, then:
ipa host-del $hostname --updatedns
done
Container Orchestration with Managed-By
Scenario: Kubernetes nodes managed by control plane for certificate distribution.
Solution:
# Enroll control plane and worker nodes
for node in k8s-control k8s-worker{1..10}; do
ipa host-add $node.example.com
done
# Grant control plane management of worker nodes
for worker in k8s-worker{1..10}; do
ipa host-add-managedby ${worker}.example.com --hosts=k8s-control.example.com
done
# Control plane can now deploy certificates to workers
SSH Public Key Distribution
Scenario: Eliminate SSH trust-on-first-use warnings across 1000+ hosts.
Solution:
# Publish host keys to IPA during provisioning
for keytype in rsa ecdsa ed25519; do
ipa host-mod server01.example.com \
--sshpubkey="$(cat /etc/ssh/ssh_host_${keytype}_key.pub)" \
--updatedns # Publishes SSHFP DNS records
done
# SSSD clients automatically retrieve and trust host keys
# /etc/ssh/ssh_config or sshd_config configured for:
# GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
Multi-Region Deployment with Location Awareness
Scenario: Global infrastructure with region-specific host organization.
Solution:
# Create locations
ipa location-add us-east --desc "US East Coast"
ipa location-add eu-west --desc "EU West"
# Add hosts with location metadata
ipa host-add web01.us.example.com --location=us-east --locality="Virginia"
ipa host-add web01.eu.example.com --location=eu-west --locality="Dublin"
# Location-aware HBAC/sudo rules can reference these attributes
ipa hbacrule-add us-access
ipa hbacrule-add-host us-access --hosts='*.us.example.com'
Certificate-Based Host Authentication with Smart Cards
Scenario: High-security environment requiring host certificate authentication.
Solution:
# Request host certificate from IPA CA
ipa-getcert request -f /etc/pki/host.crt -k /etc/pki/host.key \
-N CN=secure01.example.com -K host/secure01.example.com@EXAMPLE.COM
# Certificate automatically associated with host entry
ipa host-show secure01.example.com --all | grep -i certificate
# Configure services to use host certificate for mutual TLS
Examples
Basic Host Management
Add a host with descriptive metadata:
ipa host-add --location="3rd floor lab" --locality="Dallas" --platform="Dell R640" --os="Rocky Linux 9" web01.example.com
Add a host with DNS integration (creates A record):
ipa host-add --ip-address=192.168.1.100 web02.example.com
Add a host bypassing DNS validation (for pre-DNS provisioning):
ipa host-add --force app01.example.com
Delete a host:
ipa host-del web01.example.com
Delete a host and remove DNS records:
ipa host-del --updatedns web02.example.com
Display comprehensive host information:
ipa host-show web01.example.com --all
Search for hosts matching a pattern:
ipa host-find web
Search for hosts in a specific location:
ipa host-find --location="3rd floor lab"
One-Time Password Enrollment
Create a host with a specified OTP for later enrollment:
ipa host-add --password=SecureOTP123 app01.example.com
Create a host with a randomly generated OTP:
ipa host-add --random app02.example.com
Reset OTP for a host that failed enrollment:
ipa host-mod --random app01.example.com
Host Modification
Update host metadata:
ipa host-mod --os="Rocky Linux 9.3" --location="4th floor lab" web01.example.com
Update host description:
ipa host-mod --desc="Production web server" web01.example.com
Add MAC address information:
ipa host-mod --macaddress=00:11:22:33:44:55 web01.example.com
Change host principal alias:
ipa host-add-principal web01.example.com host/web-legacy.example.com@EXAMPLE.COM
Remove principal alias:
ipa host-remove-principal web01.example.com host/web-legacy.example.com@EXAMPLE.COM
SSH Key Management
Add SSH public key to host entry:
ipa host-mod --sshpubkey="ssh-rsa AAAAB3Nza..." web01.example.com
Update SSH keys and publish to DNS SSHFP records:
ipa host-mod --sshpubkey="ssh-ed25519 AAAAC3Nza..." --updatedns web01.example.com
Remove all SSH keys from host:
ipa host-mod --sshpubkey= web01.example.com
Certificate Management
Add a certificate to host entry:
ipa host-add-cert web01.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."
Remove a certificate:
ipa host-remove-cert web01.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."
Export host certificate to file:
ipa host-show web01.example.com --out=web01.crt
Host Disablement and Recovery
Disable host (revokes Kerberos keys, certificates, and all service keys):
ipa host-disable web01.example.com
Re-enable host by re-enrolling:
# On the host itself:
ipa-client-install --force-join
Managed-By Relationships
Allow another host to manage this host’s keytab and certificates:
ipa host-add-managedby --hosts=loadbalancer.example.com web01.example.com
Remove managed-by relationship:
ipa host-remove-managedby --hosts=loadbalancer.example.com web01.example.com
Show which hosts can manage a specific host:
ipa host-show web01.example.com --all | grep -i managed
Keytab Delegation
Allow a user to create keytabs for a host:
ipa host-allow-create-keytab web01.example.com --users=sysadmin
Allow a group to create keytabs for a host:
ipa host-allow-create-keytab web01.example.com --groups=operations
Allow specific hosts to create keytabs (for orchestration scenarios):
ipa host-allow-create-keytab web01.example.com --hosts=provisioner.example.com
Allow host groups to create keytabs:
ipa host-allow-create-keytab web01.example.com --hostgroups=automation_servers
Revoke keytab creation permission:
ipa host-disallow-create-keytab web01.example.com --users=sysadmin
Allow keytab retrieval without regeneration:
ipa host-allow-retrieve-keytab web01.example.com --users=backupoperator
Revoke keytab retrieval permission:
ipa host-disallow-retrieve-keytab web01.example.com --users=backupoperator
Resource Delegation
Add resource delegation for constrained delegation scenarios:
ipa host-add-delegation web01.example.com HTTP/backend.example.com@EXAMPLE.COM
Remove resource delegation:
ipa host-remove-delegation web01.example.com HTTP/backend.example.com@EXAMPLE.COM
Delegate management of resource delegation to a user:
ipa host-allow-add-delegation web01.example.com --users=webadmin
Revoke delegation management:
ipa host-disallow-add-delegation web01.example.com --users=webadmin
Advanced Queries
Find hosts enrolled by a specific user:
ipa host-find --enroll-by-users=admin
Find hosts in specific host groups:
ipa host-find --in-hostgroups=webservers
Find hosts used in HBAC rules:
ipa host-find --in-hbacrules=allow_ssh
Find hosts managed by a specific host:
ipa host-find --man-by-hosts=provisioner.example.com
Best Practices
Host Lifecycle Management
Pre-create hosts before enrollment for controlled environments: In production environments, pre-create host entries with appropriate metadata and OTP before physical deployment. This provides inventory visibility and enforces approval workflows.
Use descriptive metadata for asset tracking: Consistently populate location, platform, and OS fields. This metadata supports operational workflows including patch management, capacity planning, and incident response.
Maintain DNS integration: Enable --updatedns for host modifications and deletions to keep DNS synchronized with host inventory. Inconsistent DNS causes authentication failures and service disruption.
Regularly audit and clean up stale hosts: Hosts that are decommissioned should be either deleted or at minimum disabled. Stale host entries clutter the directory and can represent security risks if their credentials are compromised.
Enrollment Strategy
Use OTP enrollment for automation: Configuration management systems (Ansible, Puppet, Terraform) should use OTP-based enrollment rather than storing persistent administrative credentials. Generate OTPs programmatically and inject them into provisioning workflows.
Delegate enrollment to limited administrators for remote sites: Grant the “Host Enrollment” privilege to site administrators rather than full admin access. Pre-create hosts centrally, then delegate enrollment to local staff.
Disable hosts before re-enrollment: When re-enrolling a host, first disable it to revoke existing credentials. This prevents old credentials from being used if they were compromised or copied before re-enrollment.
Document enrollment procedures: Maintain runbooks for standard enrollment scenarios including first-time enrollment, re-enrollment, and recovery from enrollment failures.
SSH Key Management
Publish SSH keys to IPA for centralized trust: Configure SSH daemons to publish host keys to IPA and configure clients to retrieve them. This eliminates trust-on-first-use vulnerabilities and provides centralized key management.
Enable DNS SSHFP records: Use --updatedns when managing SSH keys to publish SSHFP records. This provides defense-in-depth for SSH host verification.
Rotate SSH host keys periodically: While not required, rotating host SSH keys (and updating IPA) limits exposure if older keys were compromised. Update IPA entries after rotation.
Certificate Management
Use certmonger for automated certificate lifecycle: IPA clients should use certmonger to request, track, and automatically renew certificates. This prevents certificate expiration outages.
Leverage IPA CA for internal certificates: Use IPA’s integrated CA for internal service certificates rather than self-signed certificates or external CAs. This provides automated enrollment, renewal, and revocation.
Revoke certificates when disabling hosts: host-disable automatically revokes certificates, but administrators should verify revocation when decommissioning hosts to prevent unauthorized use of old certificates.
Delegation and Access Control
Use managed-by for clustered applications: Load balancers, container orchestrators, and cluster managers should use managed-by relationships rather than full administrative credentials to manage member host certificates and keytabs.
Minimize keytab creation delegation: Creating keytabs regenerates keys and invalidates existing keytabs. This privilege should be granted sparingly and primarily to trusted automation systems.
Prefer keytab retrieval over creation for multi-system scenarios: If multiple systems need the same keytab (generally discouraged), use retrieve delegation rather than create delegation to avoid inadvertent key regeneration.
Document delegation relationships: Maintain clear records of which users, groups, or hosts have delegation privileges for each host. This aids security audits and troubleshooting.
Protect OTPs: One-time passwords are sensitive credentials. Transmit them through secure channels and ensure they are not logged or stored persistently in configuration management systems after use.
Monitor enrollment activity: Regularly review enrollment logs to detect unauthorized enrollment attempts or unusual patterns that might indicate compromise.
Limit full administrative enrollment: Reserve full admin enrollment capabilities for trusted administrators. Use limited administrator delegation or OTP enrollment for operational deployments.
Audit managed-by and delegation privileges: These relationships grant significant control over host credentials. Regularly audit and prune unnecessary delegation to maintain least privilege.
Security Considerations
OTP credential protection: One-time passwords provide full host enrollment authorization. Treat OTPs with same security as root passwords. Transmit via encrypted channels, never log or commit to version control, and rotate if exposure suspected.
Enrollment privilege escalation risk: Host enrollment with full admin rights allows creating arbitrary host entries. Malicious admin could create privileged host entries for later compromise. Use limited administrator enrollment where possible.
Managed-by delegation grants credential access: Hosts designated as managers can retrieve and regenerate keytabs for managed hosts. Compromise of manager host compromises all managed hosts. Minimize managed-by relationships and audit regularly.
Keytab creation invalidates existing keytabs: Granting keytab creation permission to users/hosts enables them to break existing services by regenerating keys. This privilege enables denial-of-service. Restrict to trusted automation only.
Disabled hosts retain directory presence: host-disable revokes Kerberos keys and certificates but preserves host entry and metadata. Sensitive metadata (location, platform) remains visible. Delete hosts containing sensitive metadata rather than just disabling.
Stale host entries enable credential theft: Decommissioned but not deleted hosts retain their host principal. If old backups contain host keytabs, attackers could use them if host not disabled/deleted. Always disable or delete decommissioned hosts promptly.
Certificate authority compromise via host certificates: Host certificates issued by IPA CA can potentially be abused for TLS interception if private keys compromised. Rotate host certificates periodically and revoke immediately upon host compromise.
SSH key injection risk: Users with host modification privileges can inject SSH public keys into host entries. Via SSSD’s SSH integration, this could enable unauthorized root access. Restrict host modification permissions carefully.
DNS integration security: Hosts with --updatedns permission can modify their own DNS records. Malicious host could hijack DNS for services. Use DNS update policy to restrict which hosts can update which records.
Resource delegation enables ticket forging: S4U2Proxy delegation allows hosts to obtain service tickets on behalf of users. Misconfigured delegation could enable privilege escalation. Review delegation configurations carefully.
Kerberos key material visibility: Users with keytab retrieval permissions can extract Kerberos keys, enabling offline password cracking if weak service principals used. Ensure service principal passwords are strong/random.
Host enrollment reveals infrastructure topology: Host metadata (location, platform, OS version) is visible to authenticated users. In high-security environments, this information disclosure could aid reconnaissance. Limit metadata detail to operational necessity.
Troubleshooting
Enrollment fails with “host already enrolled”:
# Symptom: ipa-client-install fails stating host already enrolled
# On IPA server, check if host exists
ipa host-show problematic-host.example.com
# If host exists from prior enrollment, disable and re-enroll
ipa host-disable problematic-host.example.com
# On client, force re-enrollment
ipa-client-install --force-join
Enrollment fails with DNS resolution errors:
# Symptom: "Unable to resolve host name"
# Verify DNS resolution
dig problematic-host.example.com
dig -x <IP-address> # Reverse lookup
# If DNS unavailable, bypass with --force
ipa host-add --force problematic-host.example.com
# Note: --force disables DNS checks but may cause service issues
Enrollment with OTP fails with “invalid password”:
# Verify host exists and OTP is set
ipa host-show enrollment-host.example.com --all | grep -i password
# If "User password" attribute missing, OTP not set
ipa host-mod --random enrollment-host.example.com
# Retry enrollment with new OTP
Host cannot obtain Kerberos tickets:
# Verify host keytab exists and is valid
klist -kt /etc/krb5.keytab
# Test kinit with host principal
kinit -kt /etc/krb5.keytab host/$(hostname)@REALM
# If kinit fails, keytab likely out of sync
# On IPA server:
ipa host-disable hostname.example.com
# On client:
ipa-client-install --force-join
Service principal fails with “key version number mismatch”:
# Symptom: Service fails with KVNO (Key Version Number) error
# Check current KVNO
kvno host/hostname.example.com@REALM
# Keytab likely regenerated without updating service
# Retrieve new keytab
ipa-getkeytab -s ipa.example.com -p host/hostname.example.com \
-k /etc/krb5.keytab
# Restart service using the keytab
systemctl restart <service>
Cannot delete host due to dependencies:
# Symptom: "host is managed by other hosts"
# Find what manages this host
ipa host-show problematic-host.example.com --all | grep -i "managed by"
# Remove managed-by relationships
ipa host-remove-managedby problematic-host.example.com \
--hosts=manager-host.example.com
# Retry deletion
ipa host-del problematic-host.example.com
SSH host key verification fails after enrollment:
# Symptom: SSH warns "REMOTE HOST IDENTIFICATION HAS CHANGED"
# Verify SSSD SSH integration enabled
grep -i ssh_known_hosts /etc/sssd/sssd.conf
# Check if host keys published to IPA
ipa host-show remote-host.example.com --all | grep -i ssh
# If keys missing, publish from remote host
ssh remote-host.example.com
sudo ipa host-mod $(hostname) \
--sshpubkey="$(cat /etc/ssh/ssh_host_rsa_key.pub)" \
--updatedns
# Clear local known_hosts and retry
ssh-keygen -R remote-host.example.com
Certificate requests fail with “host not found”:
# Symptom: ipa-getcert fails to request certificate
# Verify host entry exists
ipa host-show $(hostname)
# Verify certmonger can communicate with IPA
getcert list-cas
# If IPA CA missing, re-enroll client
ipa-client-install --force-join
Managed-by relationship not working:
# Symptom: Manager host cannot retrieve keytab for managed host
# Verify relationship exists
ipa host-show managed-host.example.com --all | grep -i "managed by"
# Verify manager host authenticated
# On manager host:
klist # Should show host/manager-host.example.com@REALM
# Test keytab retrieval
ipa-getkeytab -r -s ipa.example.com \
-p host/managed-host.example.com \
-k /tmp/test.keytab
# If permission denied, relationship may not be properly configured
ipa host-remove-managedby managed-host.example.com --hosts=manager-host.example.com
ipa host-add-managedby managed-host.example.com --hosts=manager-host.example.com
Host shows in multiple locations inconsistently:
# Symptom: Location attribute conflicts between IPA servers
# Check location on all IPA servers
for server in ipa1 ipa2 ipa3; do
echo "=== $server ==="
ssh $server "ipa host-show hostname.example.com | grep Location"
done
# If inconsistent, replication issue exists
# Force replication sync
ipa-replica-manage list
ipa-replica-manage force-sync --from=ipa1.example.com
# Verify consistency after sync
DNS records not updating with —updatedns:
# Verify DNS zone exists and is managed by IPA
ipa dnszone-show example.com
# Check if host has DNS update permissions
ipa dnsrecord-show example.com hostname
# Check DNS update policy
ipa dnszone-show example.com --all | grep -i "update policy"
# Manually add DNS record if auto-update fails
ipa dnsrecord-add example.com hostname --a-rec=192.168.1.10
# Update host without DNS next time
ipa host-mod hostname.example.com --ip-address=192.168.1.11
# (no --updatedns)
OTP enrollment succeeds but host cannot authenticate:
# Verify enrollment completed successfully
ipa host-show hostname.example.com --all | grep -i enrolled
# Check if keytab was created during enrollment
ls -l /etc/krb5.keytab
# Test keytab validity
kinit -kt /etc/krb5.keytab host/$(hostname)@REALM
klist
# If kinit fails, re-enroll
ipa-client-install --force-join
Keytab delegation not working for user:
# Verify delegation exists
ipa host-show hostname.example.com --all | grep -i "keytab"
# Check specific user delegation
ipa host-show hostname.example.com --all | \
grep -A5 "Users allowed to create keytab"
# Verify user authenticated
# (as delegated user)
klist
# Test keytab retrieval
ipa-getkeytab -s ipa.example.com -p host/hostname.example.com \
-k /tmp/test.keytab
# If permission denied, re-add delegation
ipa host-disallow-create-keytab hostname.example.com --users=username
ipa host-allow-create-keytab hostname.example.com --users=username
Integration with Other IPA Components
Host Groups
Hosts can be organized into host groups for collective management and policy application. Host groups appear in HBAC rules, sudo rules, and automember rules, enabling policy to target sets of hosts rather than individual machines.
Service Principals
Service principals (HTTP/, LDAP/, etc.) are associated with host entries. The host owns its service principals, and service management operations often require host-level permissions or delegation.
HBAC Rules
Host-based access control rules reference hosts and host groups to define which users can access which systems and services. Host enrollment and organization directly impact HBAC policy evaluation.
Sudo Rules
Sudo rules can target specific hosts or host groups, defining where privileged commands can be executed. Proper host organization enables granular sudo privilege delegation.
DNS
IPA’s integrated DNS can automatically manage forward and reverse records for enrolled hosts. This integration ensures DNS consistency and supports services requiring accurate DNS information.
Automember Rules
Automember rules can automatically populate host group membership based on host attributes. For example, all hosts in a specific location could automatically join a location-specific host group.
Locations
IPA topology locations can be assigned to hosts, enabling location-aware service discovery and replication. Hosts are assigned to locations through the location attribute or integration with topology management.
Commands
host-add
Usage: ipa [global-options] host-add HOSTNAME [options]
Add a new host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--desc DESC | A description of this host |
--locality LOCALITY | Host locality (e.g. “Baltimore, MD”) |
--location LOCATION | Host physical location hint (e.g. “Lab 2”) |
--platform PLATFORM | Host hardware platform (e.g. “Lenovo T61”) |
--os OS | Host operating system and version (e.g. “Fedora 9”) |
--password PASSWORD | Password used in bulk enrollment |
--random | Generate a random password to be used in bulk enrollment |
--certificate CERTIFICATE | Base-64 encoded host certificate |
--macaddress MACADDRESS | Hardware MAC address(es) on this host |
--sshpubkey SSHPUBKEY | SSH public key |
--class CLASS | Host category (semantics placed on this attribute are for local interpretation) |
--auth-ind AUTH-IND | Defines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow External Identity Provider authentications. Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed. |
--requires-pre-auth REQUIRES-PRE-AUTH | Pre-authentication is required for the service |
--ok-as-delegate OK-AS-DELEGATE | Client credentials may be delegated to the service |
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE | The service is allowed to authenticate on behalf of a client |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--force | force host name even if not in DNS |
--no-reverse | skip reverse DNS detection |
--ip-address IP-ADDRESS | Add the host to DNS with this IP address |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
host-add-cert
Usage: ipa [global-options] host-add-cert HOSTNAME [options]
Add certificates to host entry
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--certificate CERTIFICATE | Base-64 encoded host certificate |
host-add-delegation
Usage:
ipa [global-options] host-add-delegation HOSTNAME PRINCIPAL [options]
Add new resource delegation to a host
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
PRINCIPAL yes Delegation principal
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
host-add-managedby
Usage: ipa [global-options] host-add-managedby HOSTNAME [options]
Add hosts that can manage this host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--hosts HOSTS | hosts to add |
host-add-principal
Usage:
ipa [global-options] host-add-principal HOSTNAME KRBPRINCIPALNAME [options]
Add new principal alias to host entry
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
KRBPRINCIPALNAME yes Principal alias
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
host-allow-add-delegation
Usage:
ipa [global-options] host-allow-add-delegation HOSTNAME [options]
Allow users, groups, hosts or host groups to handle a resource delegation of this host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
--hosts HOSTS | hosts to add |
--hostgroups HOSTGROUPS | host groups to add |
host-allow-create-keytab
Usage:
ipa [global-options] host-allow-create-keytab HOSTNAME [options]
Allow users, groups, hosts or host groups to create a keytab of this host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
--hosts HOSTS | hosts to add |
--hostgroups HOSTGROUPS | host groups to add |
host-allow-retrieve-keytab
Usage:
ipa [global-options] host-allow-retrieve-keytab HOSTNAME [options]
Allow users, groups, hosts or host groups to retrieve a keytab of this host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
--hosts HOSTS | hosts to add |
--hostgroups HOSTGROUPS | host groups to add |
host-del
Usage: ipa [global-options] host-del HOSTNAME [options]
Delete a host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
--updatedns | Remove A, AAAA, SSHFP and PTR records of the host(s) managed by IPA DNS |
host-disable
Usage: ipa [global-options] host-disable HOSTNAME [options]
Disable the Kerberos key, SSL certificate and all services of a host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
host-disallow-add-delegation
Usage:
ipa [global-options] host-disallow-add-delegation HOSTNAME [options]
Disallow users, groups, hosts or host groups to handle a resource delegation of this host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
--hosts HOSTS | hosts to remove |
--hostgroups HOSTGROUPS | host groups to remove |
host-disallow-create-keytab
Usage:
ipa [global-options] host-disallow-create-keytab HOSTNAME [options]
Disallow users, groups, hosts or host groups to create a keytab of this host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
--hosts HOSTS | hosts to remove |
--hostgroups HOSTGROUPS | host groups to remove |
host-disallow-retrieve-keytab
Usage:
ipa [global-options] host-disallow-retrieve-keytab HOSTNAME [options]
Disallow users, groups, hosts or host groups to retrieve a keytab of this host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
--hosts HOSTS | hosts to remove |
--hostgroups HOSTGROUPS | host groups to remove |
host-find
Usage: ipa [global-options] host-find [CRITERIA] [options]
Search for hosts.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--hostname HOSTNAME | Host name |
--desc DESC | A description of this host |
--locality LOCALITY | Host locality (e.g. “Baltimore, MD”) |
--location LOCATION | Host physical location hint (e.g. “Lab 2”) |
--platform PLATFORM | Host hardware platform (e.g. “Lenovo T61”) |
--os OS | Host operating system and version (e.g. “Fedora 9”) |
--certificate CERTIFICATE | Base-64 encoded host certificate |
--macaddress MACADDRESS | Hardware MAC address(es) on this host |
--class CLASS | Host category (semantics placed on this attribute are for local interpretation) |
--auth-ind AUTH-IND | Defines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow External Identity Provider authentications. Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed. |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“hostname”) |
--in-hostgroups IN-HOSTGROUPS | Search for hosts with these member of host groups. |
--not-in-hostgroups NOT-IN-HOSTGROUPS | Search for hosts without these member of host groups. |
--in-netgroups IN-NETGROUPS | Search for hosts with these member of netgroups. |
--not-in-netgroups NOT-IN-NETGROUPS | Search for hosts without these member of netgroups. |
--in-roles IN-ROLES | Search for hosts with these member of roles. |
--not-in-roles NOT-IN-ROLES | Search for hosts without these member of roles. |
--in-hbacrules IN-HBACRULES | Search for hosts with these member of HBAC rules. |
--not-in-hbacrules NOT-IN-HBACRULES | Search for hosts without these member of HBAC rules. |
--in-sudorules IN-SUDORULES | Search for hosts with these member of sudo rules. |
--not-in-sudorules NOT-IN-SUDORULES | Search for hosts without these member of sudo rules. |
--enroll-by-users ENROLL-BY-USERS | Search for hosts with these enrolled by users. |
--not-enroll-by-users NOT-ENROLL-BY-USERS | Search for hosts without these enrolled by users. |
--man-by-hosts MAN-BY-HOSTS | Search for hosts with these managed by hosts. |
--not-man-by-hosts NOT-MAN-BY-HOSTS | Search for hosts without these managed by hosts. |
--man-hosts MAN-HOSTS | Search for hosts with these managing hosts. |
--not-man-hosts NOT-MAN-HOSTS | Search for hosts without these managing hosts. |
host-mod
Usage: ipa [global-options] host-mod HOSTNAME [options]
Modify information about a host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--desc DESC | A description of this host |
--locality LOCALITY | Host locality (e.g. “Baltimore, MD”) |
--location LOCATION | Host physical location hint (e.g. “Lab 2”) |
--platform PLATFORM | Host hardware platform (e.g. “Lenovo T61”) |
--os OS | Host operating system and version (e.g. “Fedora 9”) |
--password PASSWORD | Password used in bulk enrollment |
--random | Generate a random password to be used in bulk enrollment |
--certificate CERTIFICATE | Base-64 encoded host certificate |
--krbprincipalname KRBPRINCIPALNAME | Principal alias |
--macaddress MACADDRESS | Hardware MAC address(es) on this host |
--sshpubkey SSHPUBKEY | SSH public key |
--class CLASS | Host category (semantics placed on this attribute are for local interpretation) |
--auth-ind AUTH-IND | Defines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow External Identity Provider authentications. Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed. |
--requires-pre-auth REQUIRES-PRE-AUTH | Pre-authentication is required for the service |
--ok-as-delegate OK-AS-DELEGATE | Client credentials may be delegated to the service |
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE | The service is allowed to authenticate on behalf of a client |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--updatedns | Update DNS entries |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
host-remove-cert
Usage: ipa [global-options] host-remove-cert HOSTNAME [options]
Remove certificates from host entry
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--certificate CERTIFICATE | Base-64 encoded host certificate |
host-remove-delegation
Usage:
ipa [global-options] host-remove-delegation HOSTNAME PRINCIPAL [options]
Remove resource delegation from a host
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
PRINCIPAL yes Delegation principal
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
host-remove-managedby
Usage:
ipa [global-options] host-remove-managedby HOSTNAME [options]
Remove hosts that can manage this host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--hosts HOSTS | hosts to remove |
host-remove-principal
Usage:
ipa [global-options] host-remove-principal HOSTNAME KRBPRINCIPALNAME [options]
Remove principal alias from a host entry
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
KRBPRINCIPALNAME yes Principal alias
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
host-show
Usage: ipa [global-options] host-show HOSTNAME [options]
Display information about a host.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--out OUT | file to store certificate in |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |