<div dir="ltr"><div>How do I confirm that there are no certs left behind and that cert-monger isn't tracking them? I'm a bit new to all the components used by IPA. I do see that the /root/cacert.p12 file is never deleted. </div><div><br></div><div>After an uninstall, I see this:</div><div><div>getcert list</div><div>Number of certificates and requests being tracked: 0.</div></div><div><br></div><div><div>getcert status</div><div>process 31282: arguments to dbus_message_new_method_call() were incorrect, assertion "path != NULL" failed in file dbus-message.c line 1262.</div><div>This is normally a bug in some application using the D-Bus library.</div><div> D-Bus not built with -rdynamic so unable to print a backtrace</div><div>Aborted (core dumped)</div></div><div><br></div><div><br></div>I ran a few more tests, and I have had partial success with some configurations. Here's what I found:<div><br></div><div>1) The install-uninstall-install sequence definitely seems to be broken (at least for my configuration), and should be reproducible fairly easily. I would like to reproduce this consistently in a docker image/vm, but docker is apparently not supported on satellite subscribed RHEL systems. The only variable in the system is dns(external) and the choice of ipa domain name. The ipa server setup was pretty stock with no integrated dns. I don't know if some ipa domain names are preferred over others, but I feel that it shouldn't affect the client on the server at least. </div><div>2) I had some success with reboots. i.e. After the last install, rebooting the computer solves the problem for some cases at least. I am not sure if it is a general solution. I think it's also related to the choice of the domain name. The reboot trick doesn't help if the ipa domain name is the one derived from hostname. It did work for a random domain name though.</div><div>3) I need to understand how important the IPA domain name is. Should the ipa domain name be related to the hostname of the server (as suggested by the script)? What happens if someone else has another ipa server with the same domain name on the network? Also, what happens if there is another NIS server with the same domain name on the network? And lastly, what if the ipa server is setup on an existing NIS server or an NIS client ? I have tried a lot of permutations, and I have a feeling that this problem is somehow tied to the name resolution, and domain names, with external dns servers possibly playing a part. </div><div><br></div><div>I'll post the logs if I can't make progress. </div><div><br></div><div>Regards,</div><div>Prasun</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 18, 2015 at 3:12 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div text="#000000" bgcolor="#FFFFFF"><span class=""> <div>On 03/17/2015 02:54 PM, Prasun Gera wrote:<br> </div> <blockquote type="cite"> <div dir="ltr">Sorry, the message got sent accidentally earlier before I could provide all the details. <div><br> </div> <div>Version: 4.1.0 on RHEL 7.1 x86_64<br> <div><br> </div> <div> <div style="font-size:12.8000001907349px">Steps:</div> <div style="font-size:12.8000001907349px">1. ipa-server-install</div> <div style="font-size:12.8000001907349px">2. service sshd restart</div> <div style="font-size:12.8000001907349px">3. kinit admin <span style="font-size:12.8000001907349px"><- This always works</span></div> <div style="font-size:12.8000001907349px">4. ssh admin@localhost <- This works for the first time, fails second time onwards</div> <div style="font-size:12.8000001907349px"> ssh admin@host_addr from external system <- This also works the first time, fails second time onwards</div> <div style="font-size:12.8000001907349px"><br> </div> <div style="font-size:12.8000001907349px">5. ipa-server-install --uninstall</div> <div style="font-size:12.8000001907349px">6. go to 1</div> <div style="font-size:12.8000001907349px"><br> </div> <div style="font-size:12.8000001907349px">The log messages in /var/log/messages point to <span style="font-size:12.8000001907349px">[sssd[krb5_child[21029]]]: Decrypt integrity check failed at the point of the authentication failure</span></div> <div><span style="font-size:12.8000001907349px">sssd's log's have a lot of "No matching domain found for user" messages.</span></div> <div><span style="font-size:12.8000001907349px">/var/log/krb5kdc.log has a lot of </span>error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor</div> <div><br> </div> <div>The only ERROR I can see in /var/log/ipaserver-uninstall.log is </div> <div>pkidestroy : ERROR ....... subprocess.CalledProcessError: Command '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', ......returned non-zero exit status 6!<br> </div> <div><br> </div> <div><br> </div> <div>It appears that the uninstall process is leaving some residual configuration behind which is conflicting with the subsequent installation with the same domain name</div> </div> </div> </div> </blockquote> <br> <br></span> SSSD and certificate issues with re-install would be unrelated.<br> <br> <br> Let us start over. Remove IPA, try it several times, it helps sometimes as it moves forward and cleans more on each attempt. Make sure there are no certs left and certmonger is not tracking anything. <br> If you still experience issues with SSSD, add debug_level=10 to sssd configuration in the domain section, restart sssd and send the sanitized logs for the failed attempts.<span class=""><br> <br> <br> <blockquote type="cite"> <div dir="ltr"> <div> <div> <div><br> </div> <div><br> </div> <div>Regards,</div> <div>Prasun</div> <div><br> </div> <div><br> </div> <div><span style="font-size:12.8000001907349px"><br> </span></div> <div style="font-size:12.8000001907349px"><br> </div> <div><br> </div> <div><br> </div> </div> </div> </div> <div class="gmail_extra"><br> <div class="gmail_quote">On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera <span dir="ltr"><<a href="mailto:prasun.gera@gmail.com" target="_blank">prasun.gera@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div dir="ltr">Hello, <div>I installed the ipa-server on an RHEL 7.1 system, uninstalled it and reinstalled it with the same domain name as the first time. This somehow creates problems with ssh authentication on the server from external systems as well as from the server itself. </div> <div><br> </div> <div>Steps:</div> <div>1. ipa-server-install</div> <div>2. service sshd restart</div> <div>3. kinit admin</div> <div>4. ssh admin@localhost</div> </div> </blockquote> </div> <br> </div> <br> <fieldset></fieldset> <br> </blockquote> <br> <br> </span><span class="HOEnZb"><font color="#888888"><pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </font></span></div> <br>--<br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>