[Freeipa-users] Some problems with uninstalling and reinstalling of ipa-client.

Dmitri Pal dpal at redhat.com
Fri Dec 12 18:29:55 UTC 2014


On 12/12/2014 01:06 PM, sergey ivanov wrote:
> Hi,
> I have a few problems with ipa client installations against ipa server.
>
> The history which led to these problems is the following.
>
> 1. I have first installed Freeipa server on Fedora-20, and was testing
> and evaluating how it works and what are the features for a while.
> 2. While I was evaluating, Red Hat published RHEL-7. I tested
> ipa-client integration from RHEL-7 desktops to Fedora's FreeIPA
> server. It was working fine. Also I noticed that the features I needed
> exist in the RHEL-7 supported IPA server.
> 3. Because there was no way to upgrade or migrate data from Fedora's
> FreeIPA to RHEL-7 IPA, I made new fresh installation of IPA server on
> RHEL-7 and wanted to move clients off Fedora's domain and join new
> one, although they had the same domain name for DNS and kerberos.
> 4. I ran "ipa-client-install --uninstall" on the RHEL-7 desktop, and
> rebooted it when prompted.
> 5. I ran "ipa-client-install" to join the new IPA servers; it reported success.
>
> Now I have the following working:
> 1. I can ssh passwordless and without ssh public keys from hosts which
> have good kerberos ticket obtained from RHEL-7 ipa server to this
> problematic desktop computer.
> 2. I can see users there by typing "id <username>".
> 3. Password sudo authentication against IPA on this computer.
>
> What does not work:
> 1. local login with IPA credentials: complains about wrong password.
> 2. SSH from other hosts with password authentication: the same
> "wrong password".
>
> As a temporary workaround I created a local user entry in /etc/shadow by
> ---
> getent passwd <username> >> /etc/passwd
> pwconv
> chpasswd
> <username>:<anotherpassword>
> ^D
> ---
> and was able to log in with this password, both locally and remotely with
> ssh. Interestingly, I've verified: the IPA password works for sudo but not
> for login. But:
> 1. I was not able to use Gnome desktop environment: all windows were
> black rectangles. KDE was working fine.
> 2. I was not able to point Firefox to the new IPA server: "Your
> certificate contains the same serial number as another certificate
> issued by the certificate authority. Please get a new certificate
> containing a unique serial number. (Error code:
> sec_error_reused_issuer_and_serial)" Where does Firefox store these
> certificates, and how can I replace the one from Fedora's FreeIPA
> server authority with the new ones?
>
>
Preferences -> Advanced -> Certificates tab -> View Certificates button 
-> Servers tab

I think if you delete it and then try accessing IPA with the browser 
again it will do the trick.


As for password authentication I suggest you check your PAM and SSSD 
configuration.
Add debug_level=10 to pam, nss and domain sections and restart SSSD.
I suspect that something is not right there. Maybe the --uninstall 
actually did not clean everything.

In general it seems like SSSD/PAM is somehow misconfigured.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
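As an added illustration of the SSSD debugging step suggested in the reply above (this is not code from the thread or from the SSSD or FreeIPA projects), the following script prints a copy of an sssd.conf with `debug_level = 10` set in the [nss], [pam] and every [domain/...] section, replacing any debug_level already there and leaving other sections untouched. The function names, the sample configuration and its host names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: set "debug_level = LEVEL"
# in the [nss], [pam] and [domain/...] sections of an sssd.conf and print
# the result. Function names and the sample config below are constructed.

# Usage: sssd_set_debug /path/to/sssd.conf [LEVEL]   (LEVEL defaults to 10)
sssd_set_debug() {
    conf="$1"
    level="${2:-10}"
    awk -v lvl="$level" '
        # A section header decides whether the lines that follow are ours to touch.
        /^\[/ { want = ($0 ~ /^\[nss\][ \t]*$/ || $0 ~ /^\[pam\][ \t]*$/ || $0 ~ /^\[domain\//) }
        # Drop an existing debug_level inside a touched section; it is re-added below.
        want && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
        # Immediately after a touched header, emit the new setting.
        want && /^\[/ { print "debug_level = " lvl }
    ' "$conf"
}

# Count the "debug_level = LEVEL" lines the rewritten config would contain.
sssd_count_debug() {
    sssd_set_debug "$1" "$2" | grep -c "^debug_level = ${2:-10}\$"
}

# Write a constructed sssd.conf (realistic shape, placeholder names) to a
# temporary file and print its path, so nothing under /etc is touched.
sssd_write_sample() {
    f="${TMPDIR:-/tmp}/sssd-sample-$$.conf"
    cat > "$f" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = example.test

[nss]
homedir_substring = /home

[pam]
debug_level = 2

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
cache_credentials = True

[sudo]
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: show the rewritten sample configuration.
sample=$(sssd_write_sample)
sssd_set_debug "$sample" 10
rm -f "$sample"
```

Because the script only prints, an administrator would redirect the output to a new file, review it, and then replace /etc/sssd/sssd.conf with it before restarting SSSD; the replacement must stay owned by root with mode 0600, since SSSD refuses to start on a world-readable configuration. Once the logs under /var/log/sssd/ have been read, the same approach with a lower level turns the verbose logging back off.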



