[Freeipa-users] Alpha 2 Bugs or Misconfigurations?
Rob Crittenden
rcritten at redhat.com
Mon Feb 22 15:43:12 UTC 2010
Steven Whately wrote:
> On Fedora 12, I un-installed 1.2 and then installed 1.9.
>
> My clients could not log in. The server was logging the following message:
> sssd_be: GSSAPI Error: The referenced context has expired (Unknown error)

Hmm, is the time on the client close to the time on the IPA server?
(within 5 min)

> Not being able to resolve the message I ran:
> ipa-client-install --uninstall
> ipa-client-install --no-sssd
>
> With this second command I got:
> Joining realm failed: Host is already joined.
> Then I noticed that files like nsswitch.conf had not been updated.
>
> So I ran:
> ipa host-del ClientHostname
> ipa-client-install --no-sssd

Yeah, the second time the installation was aborted, hence no
nsswitch.conf updating. I guess we could make that clearer.

The reason for this is because a lot is stored on the server when you
join a client. Re-enrollment requires a new keytab to be generated and
new server certificate issued. Currently the uninstaller doesn't remove
the host (we'd have to require admin privs to run the uninstaller which
seemed a bit draconian).

> Thankfully this time nsswitch.conf got updated and I now have a working
> system.
> It would be nice if ipa-client-install still updated the client files
> even if the client had been previously added.

Well, in the sssd case you'd probably still be left in a bogus state. If
using nss_ldap then we might be able to do this but the client machine
would be in an iffy state which would likely cause problems later on
(like sshd not working).

> I'm very happy that I can now see what's going on with this important
> product.
> I did not want to miss out on what the freeipa team was working on.
>
> Regards
> Steve

Thanks for looking at it. I'm totally open to suggestions if there is a
more graceful way to handle client enrollment/unenrollment/re-enrollment.

cheers
rob