[Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

Prasun Gera prasun.gera at gmail.com
Wed Mar 18 09:05:30 UTC 2015


I ran some more tests and I've found that it's a general sssd issue which
affects everything handled by sssd (pam, ssh, sudo). I see similar problems
with 'su - username'. I'm guessing that kinit works since it bypasses sssd.
Does anyone have any ideas on debugging this?

On Tue, Mar 17, 2015 at 2:54 PM, Prasun Gera <prasun.gera at gmail.com> wrote:

> Sorry, the message got sent accidentally earlier before I could provide
> all the details.
>
> Version: 4.1.0 on RHEL 7.1 x86_64
>
> Steps:
> 1. ipa-server-install
> 2. service sshd restart
> 3. kinit admin                              <- This always works
> 4. ssh admin@localhost             <- This works for the first time,
> fails second time onwards
>     ssh admin@host_addr from external system      <- This also works the
> first time, fails second time onwards
>
> 5. ipa-server-install --uninstall
> 6. go to 1
>
> The log messages in /var/log/messages point to [sssd[krb5_child[21029]]]:
> Decrypt integrity check failed at the point of the authentication failure
> sssd's logs have a lot of "No matching domain found for user" messages.
> /var/log/krb5kdc.log has a lot of error decoding FAST: <unknown client>
> for <unknown server>, Decrypt integrity check failed while handling
> ap-request armor
>
> The only ERROR I can see in /var/log/ipaserver-uninstall.log is
> pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command
> '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', ......returned
> non-zero exit status 6!
>
>
> It appears that the uninstall process is leaving some residual
> configuration behind which is conflicting with the subsequent installation
> with the same domain name
>
>
> Regards,
> Prasun
>
> On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera <prasun.gera at gmail.com>
> wrote:
>
>> Hello,
>> I installed the ipa-server on an RHEL 7.1 system, uninstalled it and
>> reinstalled it with the same domain name as the first time. This somehow
>> creates problems with ssh authentication on the server from external
>> systems as well as from the server itself.
>>
>> Steps:
>> 1. ipa-server-install
>> 2. service sshd restart
>> 3. kinit admin
>> 4. ssh admin@localhost
>>
>
>