[Freeipa-users] Some problems with uninstalling and reinstalling of ipa-client.

sergey ivanov sergey57 at gmail.com
Fri Dec 12 18:06:31 UTC 2014


Hi,
I have a few problems with ipa client installations against ipa server.

The history which led to these problems is the following.

1. I have first installed Freeipa server on Fedora-20, and was testing
and evaluating how it works and what are the features for a while.
2. While I was evaluating, Red Hat published RHEL-7. I tested
ipa-client integration from RHEL-7 desktops to Fedora's FreeIPA
server. It was working fine. Also I noticed that the features I needed
exist in RHEL-7 supported IPA server.
3. Because there was no way to upgrade or migrate data from Fedora's
FreeIPA to RHEL-7 IPA, I made new fresh installation of IPA server on
RHEL-7 and wanted to move clients off Fedora's domain and join new
one, although they had the same domain name for DNS and kerberos.
4. I ran "ipa-client-install --uninstall" on RHEL-7 desktop, and
rebooted it when prompted.
5. I ran "ipa-client-install" to join new IPA servers, it reported success.

Now I have the following working:
1. I can ssh passwordless and without ssh public keys from hosts which
have good kerberos ticket obtained from RHEL-7 ipa server to this
problematic desktop computer.
2. I can see users there by typing "id <username>".
3. Password sudo authentication against IPA on this computer.

What does not work:
1. local login with IPA credentials: complains about wrong password.
2. SSH from other hosts with password authentication: the same
"wrong password".

I tried as a temporary workaround and created local user entry in /etc/shadow by
---
getent passwd <username> >> /etc/passwd
pwconv
chpasswd
<username>:<anotherpassword>
^D
---
and was able to login with this password, both local and remotely with
ssh. Interesting, I've verified: IPA password works for sudo but not
for login. But:
1. I was not able to use Gnome desktop environment: all windows were
black rectangles. KDE was working fine.
2. I was not able to point firefox to new IPA server: "Your
certificate contains the same serial number as another certificate
issued by the certificate authority. Please get a new certificate
containing a unique serial number. (Error code:
sec_error_reused_issuer_and_serial)" Where firefox stores these
certificates, and how I can replace the one from Fedora's FreeIPA
server authority by new ones?


-- 
Regards,
Sergey Ivanov | sergey57 at gmail.com
http://www.linkedin.com/pub/sergey-ivanov/8/270/a09



