Steven Whately wrote:
> On Fedora 12, I un-installed 1.2 and then installed 1.9.
> My clients could not log in. The server was logging the following message:
> sssd_be: GSSAPI Error: The referenced context has expired (Unknown error)

Hmm, is the time on the client close to the time on the IPA server?
(within 5 min)

> Not being able to resolve the message I ran:
> With this second command I got:
> Joining realm failed: Host is already joined.
> Then I noticed that files like nsswitch.conf had not been updated.
> So I ran:
> ipa host-del ClientHostname

Yeah, the second time the installation was aborted, hence no
nsswitch.conf updating. I guess we could make that clearer.
The reason for this is because a lot is stored on the server when you
join a client. Re-enrollment requires a new keytab to be generated and
new server certificate issued. Currently the uninstaller doesn't remove
the host (we'd have to require admin privs to run the uninstaller which
seemed a bit draconian).

> Thankfully this time nsswitch.conf got updated and I now have a working
> It would be nice if ipa-client-install still updated the client files
> even if the client had been previously added.

Well, in the sssd case you'd probably still be left in a bogus state. If
using nss_ldap then we might be able to do this but the client machine
would be in an iffy state which would likely cause problems later on
(like sshd not working).

> I am very happy that I can now see what's going on with this important
> I did not want to miss out on what the freeipa team was working on.

Thanks for looking at it. I'm totally open to suggestions if there is a
more graceful way to handle client enrollment/unenrollment/re-enrollment.
Freeipa-users mailing list