[Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

Dmitri Pal dpal at redhat.com
Wed Mar 18 19:12:45 UTC 2015


On 03/17/2015 02:54 PM, Prasun Gera wrote:
> Sorry, the message got sent accidentally earlier before I could 
> provide all the details.
>
> Version: 4.1.0 on RHEL 7.1 x86_64
>
> Steps:
> 1. ipa-server-install
> 2. service sshd restart
> 3. kinit admin <- This always works
> 4. ssh admin@localhost             <- This works for the first time, fails second time onwards
>     ssh admin@host_addr from external system      <- This also works the first time, fails second time onwards
>
> 5. ipa-server-install --uninstall
> 6. go to 1
>
> The log messages in /var/log/messages point to 
> [sssd[krb5_child[21029]]]: Decrypt integrity check failed at the point 
> of the authentication failure
> sssd's logs have a lot of "No matching domain found for user" messages.
> /var/log/krb5kdc.log has a lot of error decoding FAST: <unknown 
> client> for <unknown server>, Decrypt integrity check failed while 
> handling ap-request armor
>
> The only ERROR I can see in /var/log/ipaserver-uninstall.log is
> pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command 
> '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', ......returned 
> non-zero exit status 6!
>
>
> It appears that the uninstall process is leaving some residual 
> configuration behind which is conflicting with the subsequent 
> installation with the same domain name


SSSD and certificate issues with re-install would be unrelated.


Let us start over. Remove IPA, try it several times, it helps sometimes 
as it moves forward and cleans more on each attempt. Make sure there are 
no certs left and certmonger is not tracking anything.
If you still experience issues with SSSD, add debug_level=10 to sssd 
configuration in the domain section, restart sssd and send the sanitized 
logs for the failed attempts.


>
>
> Regards,
> Prasun
>
> On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera <prasun.gera at gmail.com> wrote:
>
>     Hello,
>     I installed the ipa-server on an RHEL 7.1 system, uninstalled it
>     and reinstalled it with the same domain name as the first time.
>     This somehow creates problems with ssh authentication on the
>     server from external systems as well as from the server itself.
>
>     Steps:
>     1. ipa-server-install
>     2. service sshd restart
>     3. kinit admin
>     4. ssh admin@localhost
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
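
The debug_level step from the reply above, as an added example that is not part of the original message or of the FreeIPA/SSSD code: a shell function that sets debug_level in every [domain/...] section of an sssd.conf and leaves the other sections alone. The sample configuration and the example.test domain are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Sets debug_level in every
# [domain/...] section of the sssd.conf given as $1; other sections are untouched.
set_sssd_domain_debug() {
    conf=$1
    level=${2:-10}
    tmp=$(mktemp) || return 1
    awk -v lvl="$level" '
        /^[ \t]*\[/ {                       # any section header
            in_domain = ($0 ~ /^[ \t]*\[domain\//)
            print
            if (in_domain) print "debug_level = " lvl
            next
        }
        # drop an older debug_level line inside a domain section
        in_domain && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed sample configuration (domain name is a placeholder).
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = example.test
debug_level = 2

[domain/example.test]
id_provider = ipa
debug_level = 3
cache_credentials = True

[pam]
EOF
}

# Demo on a temporary copy; on a real host, point it at the sssd
# configuration file and restart sssd afterwards, as the reply says.
sample=$(mktemp) && write_sample_conf "$sample" &&
    set_sssd_domain_debug "$sample" 10 && cat "$sample"
rm -f "$sample"
```

Running the function twice gives the same file, so it is safe to re-run between reinstall attempts.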
