[Freeipa-users] Alpha 2 Bugs or Misconfigurations?

Rob Crittenden rcritten at redhat.com
Mon Feb 22 15:43:12 UTC 2010


Steven Whately wrote:
> On Fedora 12, I un-installed 1.2 and then installed 1.9.
> 
> My clients could not log in. The server was logging the following message:
> sssd_be: GSSAPI Error: The referenced context has expired (Unknown error)

Hmm, is the time on the client close to the time on the IPA server? 
(within 5 min)

> Not being able to resolve the message I ran:
> ipa-client-install --uninstall
> ipa-client-install --no-sssd
> 
> With this second command I got:
> Joining realm failed: Host is already joined.
> Then I noticed that files like nsswitch.conf had not been updated.
> 
> So I ran:
> ipa host-del ClientHostname
> ipa-client-install --no-sssd

Yeah, the second time the installation was aborted, hence no 
nsswitch.conf updating. I guess we could make that clearer.

The reason for this is because a lot is stored on the server when you 
join a client. Re-enrollment requires a new keytab to be generated and 
new server certificate issued. Currently the uninstaller doesn't remove 
the host (we'd have to require admin privs to run the uninstaller which 
seemed a bit draconian).

> Thankfully this time nsswitch.conf got updated and I now have a working 
> system.
> It would be nice if ipa-client-install still updated the client files 
> even if the client had been previously added.

Well, in the sssd case you'd probably still be left in a bogus state. If 
using nss_ldap then we might be able to do this but the client machine 
would be in an iffy state which would likely cause problems later on 
(like sshd not working).

> I am very happy that I can now see what's going on with this important 
> product.
> I did not want to miss out on what the freeipa team was working on.
> 
> Regards
> Steve

Thanks for looking at it. I'm totally open to suggestions if there is a 
more graceful way to handle client enrollment/unenrollment/re-enrollment.

cheers

rob



