[Freeipa-users] re-enrolling clients with --force-join getting /var/lib/sss/pubconf/known_hosts conflicts

Rob Crittenden rcritten at redhat.com
Thu Nov 5 21:25:33 UTC 2015


Brian J. Murrell wrote:
> On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote:
>> I am trying to re-enroll clients after re-installing their O/S (EL6)
>> using:
>>
>> # ipa-client-install --force-join ...
>>
>> Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I am
>> finding that after doing that for a given host, trying to ssh to it
>> from another enrolled IPA client I am getting:
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle
>> attack)!
>> It is also possible that a host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> 15:db:4d:e2:8b:c2:b8:3d:da:93:90:06:f2:f1:d6:21.
>> Please contact your system administrator.
>> Add correct host key in /dev/null to get rid of this message.
>> Offending DSA key in /var/lib/sss/pubconf/known_hosts:4
>> Keyboard-interactive authentication is disabled to avoid man-in-the-middle
>> attacks.
>> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> 
> So the problem here was not really anything to do with the above but
> rather that ipa-client-install is flaky and can fail, while running it a
> few seconds later succeeds.  Since I am provisioning multiple systems
> at a time in a script, it was not obvious to me that it was failing.

What is "flaky" about it?

> And so when ipa-client-install flakes out, of course what is left is
> the previous instance of the node in FreeIPA complete with the previous
> instance's SSH keys.

Without any details it's hard to say what is going on. Having a
side-by-side of an unsuccessful install log and a successful install log
a few seconds later would be very helpful.

rob
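The warning quoted above is the expected outcome when the host entry in IPA still carries the SSH public keys of the previous OS install: sssd on every other enrolled client writes those keys into /var/lib/sss/pubconf/known_hosts, so ssh compares the freshly generated host key against the stale one. A quick way to confirm that diagnosis, and to catch a silently failed re-enrollment from a provisioning script, is to compare the fingerprints of the keys the host actually serves (its /etc/ssh/ssh_host_*.pub files) with the ones its IPA entry advertises. The following is an added example, not code from this thread or from FreeIPA or sssd; it assumes the IPA-side keys are supplied as OpenSSH one-line public keys (as `ipa host-show --raw` prints the ipasshpubkey attribute), and the host keys below are constructed placeholders with correct wire framing rather than real keypairs.

```python
"""Compare the SSH host keys a machine serves with the keys its FreeIPA host
entry advertises (the keys sssd proxies via /var/lib/sss/pubconf/known_hosts).
Added example; not code from the mailing-list thread, FreeIPA or sssd."""
import base64
import hashlib
import struct


def parse_openssh_pubkey(line):
    """Return (key_type, raw_blob) for one OpenSSH public-key line
    ("type base64 [comment]"), checking that the blob's embedded type agrees."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("type field %r disagrees with key blob" % key_type)
    return key_type, blob


def md5_fingerprint(blob):
    """Legacy colon-separated MD5 fingerprint, the format ssh printed in the
    warning quoted in the thread (e.g. 15:db:4d:...)."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob):
    """Modern OpenSSH fingerprint: SHA256: plus unpadded base64 of the hash."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def compare_host_keys(local_lines, ipa_lines):
    """Return {"stale_in_ipa": {fp: type}, "missing_from_ipa": {fp: type}}.
    local_lines: contents of the host's /etc/ssh/ssh_host_*.pub files.
    ipa_lines:   ipasshpubkey values from the host's IPA entry (assumed to be
                 OpenSSH one-line keys). Both empty dicts means IPA is current."""
    def index(lines):
        out = {}
        for line in lines:
            if line.strip():
                key_type, blob = parse_openssh_pubkey(line)
                out[md5_fingerprint(blob)] = key_type
        return out
    local, ipa = index(local_lines), index(ipa_lines)
    return {
        "stale_in_ipa": {fp: t for fp, t in ipa.items() if fp not in local},
        "missing_from_ipa": {fp: t for fp, t in local.items() if fp not in ipa},
    }


def known_hosts_fingerprint(known_hosts_lines, lineno):
    """MD5 fingerprint of the key on 1-based line `lineno` of a known_hosts
    file, i.e. the number ssh prints in 'Offending ... key in <file>:<n>'.
    Assumes the plain 'hostnames key_type base64 [comment]' layout (no @marker)."""
    fields = known_hosts_lines[lineno - 1].split()
    return md5_fingerprint(parse_openssh_pubkey(" ".join(fields[1:3]))[1])


def _fake_ed25519_line(fill_byte, comment):
    """CONSTRUCTED sample key: valid OpenSSH framing around 32 filler bytes.
    Not a real keypair, but enough for fingerprinting and comparison."""
    key_type = b"ssh-ed25519"
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", 32) + bytes([fill_byte]) * 32)
    return "%s %s %s" % (key_type.decode(), base64.b64encode(blob).decode(), comment)


# Constructed scenario from the thread: the host was reinstalled (new key),
# but a failed ipa-client-install left the previous instance's key in IPA.
OLD_OS_KEY = _fake_ed25519_line(0x11, "root@host.example.test-before-reinstall")
NEW_OS_KEY = _fake_ed25519_line(0x22, "root@host.example.test-after-reinstall")
SSSD_KNOWN_HOSTS = ["host.example.test " + OLD_OS_KEY]  # what other clients see


def enrollment_is_consistent(local_lines, ipa_lines):
    """True only when the IPA entry advertises exactly the keys the host serves;
    a provisioning script should treat False as a failed (re-)enrollment."""
    report = compare_host_keys(local_lines, ipa_lines)
    return not report["stale_in_ipa"] and not report["missing_from_ipa"]


if __name__ == "__main__":
    report = compare_host_keys([NEW_OS_KEY], [OLD_OS_KEY])
    for fp, key_type in report["stale_in_ipa"].items():
        print("stale %s key still in IPA (will land in sssd known_hosts): %s" % (key_type, fp))
    for fp, key_type in report["missing_from_ipa"].items():
        print("%s key served by host but absent from IPA: %s" % (key_type, fp))
    print("key ssh complained about:", known_hosts_fingerprint(SSSD_KNOWN_HOSTS, 1))
    print("consistent:", enrollment_is_consistent([NEW_OS_KEY], [OLD_OS_KEY]))
```

In practice the local side is `cat /etc/ssh/ssh_host_*.pub` and the IPA side is `ipa host-show --raw $(hostname -f)` read by a kinit'd principal; a non-empty "stale_in_ipa" after ipa-client-install returns means the host entry was not refreshed, regardless of whether the installer's exit status was checked, and it is exactly the key that will show up as the "Offending" entry in /var/lib/sss/pubconf/known_hosts on every other client.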
