[Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

Prasun Gera prasun.gera at gmail.com
Tue Mar 17 18:54:13 UTC 2015


Sorry, the message got sent accidentally earlier before I could provide all
the details.

Version: 4.1.0 on RHEL 7.1 x86_64

Steps:
1. ipa-server-install
2. service sshd restart
3. kinit admin    <- This always works
4. ssh admin@localhost    <- This works for the first time, fails second time onwards
   ssh admin@host_addr from external system    <- This also works the first time, fails second time onwards

5. ipa-server-install --uninstall
6. go to 1

The log messages in /var/log/messages point to [sssd[krb5_child[21029]]]:
Decrypt integrity check failed at the point of the authentication failure.
sssd's logs have a lot of "No matching domain found for user" messages.
/var/log/krb5kdc.log has a lot of error decoding FAST: <unknown client> for
<unknown server>, Decrypt integrity check failed while handling ap-request
armor

The only ERROR I can see in /var/log/ipaserver-uninstall.log is
pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command
'['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', ......returned
non-zero exit status 6!


It appears that the uninstall process is leaving some residual
configuration behind which is conflicting with the subsequent installation
with the same domain name.


Regards,
Prasun







On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera <prasun.gera at gmail.com> wrote:

> Hello,
> I installed the ipa-server on an RHEL 7.1 system, uninstalled it and
> reinstalled it with the same domain name as the first time. This somehow
> creates problems with ssh authentication on the server from external
> systems as well as from the server itself.
>
> Steps:
> 1. ipa-server-install
> 2. service sshd restart
> 3. kinit admin
> 4. ssh admin@localhost
>