<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 03/17/2015 02:54 PM, Prasun Gera
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFLz+BmYcHgU9aniUUaytJ+3e61L33Ng_3RwhdVj6vgJd86jLw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Sorry, the message got sent accidentally earlier
        before I could provide all the details. 
        <div><br>
        </div>
        <div>Version: 4.1.0 on RHEL 7.1 x86_64<br>
          <div><br>
          </div>
          <div>
            <div style="font-size:12.8000001907349px">Steps:</div>
            <div style="font-size:12.8000001907349px">1. ipa-server-install</div>
            <div style="font-size:12.8000001907349px">2. service sshd
              restart</div>
            <div style="font-size:12.8000001907349px">3. kinit admin    
                                       <span
                style="font-size:12.8000001907349px"><- This always
                works</span></div>
            <div style="font-size:12.8000001907349px">4. ssh
              admin@localhost             <- This works for the first
              time, fails second time onwards</div>
            <div style="font-size:12.8000001907349px">    ssh
              admin@host_addr from external system      <- This also
              works the first time, fails second time onwards</div>
            <div style="font-size:12.8000001907349px"><br>
            </div>
            <div style="font-size:12.8000001907349px">5.
              ipa-server-install --uninstall</div>
            <div style="font-size:12.8000001907349px">6. go to 1</div>
            <div style="font-size:12.8000001907349px"><br>
            </div>
            <div style="font-size:12.8000001907349px">The log messages
              in /var/log/messages point to <span
                style="font-size:12.8000001907349px">[sssd[krb5_child[21029]]]:
                Decrypt integrity check failed at the point of the
                authentication failure</span></div>
            <div style=""><span style="font-size:12.8000001907349px">sssd's
                logs have a lot of "No matching domain found for user"
                messages.</span></div>
            <div style=""><span style="font-size:12.8000001907349px">/var/log/krb5kdc.log
                has a lot of </span>error decoding FAST: &lt;unknown
              client&gt; for &lt;unknown server&gt;, Decrypt integrity
              check failed while handling ap-request armor</div>
            <div style=""><br>
            </div>
            <div style="">The only ERROR I can see in
              /var/log/ipaserver-uninstall.log is </div>
            <div style="">pkidestroy  : ERROR    .......
              subprocess.CalledProcessError:  Command
              '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca',
              ......returned non-zero exit status 6!<br>
            </div>
            <div style=""><br>
            </div>
            <div style=""><br>
            </div>
            <div style="">It appears that the uninstall process is
              leaving some residual configuration behind which is
              conflicting with the subsequent installation with the same
              domain name</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    SSSD and certificate issues with re-install would be unrelated.<br>
    <br>
    <br>
    Let us start over. Remove IPA; try it several times, as it
    sometimes helps: it moves forward and cleans more on each attempt. Make
    sure there are no certs left and certmonger is not tracking
    anything. <br>
    If you still experience issues with SSSD, add debug_level=10 to the sssd
    configuration in the domain section, restart sssd and send the
    sanitized logs for the failed attempts.<br>
    <br>
    <br>
    <blockquote
cite="mid:CAFLz+BmYcHgU9aniUUaytJ+3e61L33Ng_3RwhdVj6vgJd86jLw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div style="">Regards,</div>
            <div style="">Prasun</div>
          </div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Mar 17, 2015 at 2:41 PM, Prasun
          Gera <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:prasun.gera@gmail.com" target="_blank">prasun.gera@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Hello,
              <div>I installed the ipa-server on an RHEL 7.1 system,
                uninstalled it and reinstalled it with the same domain
                name as the first time. This somehow creates problems
                with ssh authentication on the server from external
                systems as well as from the server itself. </div>
              <div><br>
              </div>
              <div>Steps:</div>
              <div>1. ipa-server-install</div>
              <div>2. service sshd restart</div>
              <div>3. kinit admin</div>
              <div>4. ssh admin@localhost</div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
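    <br>
    Added example, not part of the original messages: a shell sketch of the two checks suggested in the reply above, counting what certmonger still tracks (from <code>getcert list</code> output) and setting <code>debug_level</code> in every <code>[domain/...]</code> section of sssd.conf.
    The function names, the domain <code>example.test</code> and the sample input are constructed for illustration.<br>

```shell
#!/bin/sh
# Added example; sample data below is constructed, not taken from the thread.

# Count requests certmonger still tracks, reading `getcert list` output on
# stdin. After a clean uninstall the expected result is 0.
tracked_requests() {
    grep -c "^Request ID '" || true   # grep -c prints 0 but exits 1 on no match
}

# Print sssd.conf ($1) with debug_level set to $2 in every [domain/...]
# section, replacing any value already there; other sections are untouched.
set_domain_debug() {
    awk -v lvl="$2" '
        /^[ \t]*\[/ {
            in_domain = ($0 ~ /^[ \t]*\[domain\//)
            print
            if (in_domain) print "debug_level = " lvl
            next
        }
        in_domain && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Constructed sssd.conf (the real file is /etc/sssd/sssd.conf).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = example.test
debug_level = 2

[domain/example.test]
id_provider = ipa
debug_level = 0
EOF

# Constructed `getcert list` output showing one leftover tracking request.
sample_getcert="Number of certificates and requests being tracked: 1.
Request ID '20150317000000':
    status: MONITORING"

echo "tracked requests: $(printf '%s\n' "$sample_getcert" | tracked_requests)"
set_domain_debug "$sample_conf" 10
```

    On a real host, pipe <code>getcert list</code> into <code>tracked_requests</code>, and review the output of <code>set_domain_debug</code> before replacing the live file and restarting sssd.<br>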
  </body>
</html>