Steven Whately wrote:
On Fedora 12, I un-installed 1.2 and then installed 1.9.

My clients could not log in. The server was logging the following message:
sssd_be: GSSAPI Error: The referenced context has expired (Unknown error)

Hmm, is the time on the client close to the time on the IPA server? (within 5 min)

Not being able to resolve the message I ran:
ipa-client-install --uninstall
ipa-client-install --no-sssd

With this second command I got:
Joining realm failed: Host is already joined.
Then I noticed that files like nsswitch.conf had not been updated.

So I ran:
ipa host-del ClientHostname
ipa-client-install --no-sssd

Yeah, the second time the installation was aborted, hence no nsswitch.conf updating. I guess we could make that clearer.

The reason for this is that a lot is stored on the server when you join a client. Re-enrollment requires a new keytab to be generated and a new server certificate issued. Currently the uninstaller doesn't remove the host (we'd have to require admin privs to run the uninstaller, which seemed a bit draconian).

Thankfully this time nsswitch.conf got updated and I now have a working system. It would be nice if ipa-client-install still updated the client files even if the client had been previously added.

Well, in the sssd case you'd probably still be left in a bogus state. If using nss_ldap then we might be able to do this but the client machine would be in an iffy state which would likely cause problems later on (like sshd not working).

I am very happy that I can now see what's going on with this important product.
I did not want to miss out on what the freeipa team was working on.


Thanks for looking at it. I'm totally open to suggestions if there is a more graceful way to handle client enrollment/unenrollment/re-enrollment.
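The re-enrollment sequence worked out in the exchange above (uninstall, delete the stale host entry the uninstaller leaves behind, enroll again), with the clock-skew check suggested earlier done first. This is an added example, not a script from the thread or from the FreeIPA project; it assumes GNU date and curl on the client, ipa-client-install and the ipa CLI on PATH, that the IPA server answers on https://SERVER/ so its HTTP Date header can be read, and a Kerberos ticket for a user allowed to delete host entries.

```shell
#!/bin/sh
# Added example: clean re-enrollment of an IPA client whose host entry is
# still on the server. Assumes GNU date, curl, ipa-client-install, the ipa
# CLI, and a Kerberos ticket that may run "ipa host-del".
set -e

MAX_SKEW=300   # Kerberos tolerates roughly 5 minutes of clock skew

# within_skew CLIENT_EPOCH SERVER_EPOCH [MAX]
# Succeeds when |client - server| <= MAX seconds (default MAX_SKEW).
within_skew() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "${3:-$MAX_SKEW}" ]
}

# server_epoch SERVER
# Reads the server's clock from the HTTP Date header of its web front end
# (assumption: the IPA server's Apache answers on https://SERVER/).
server_epoch() {
    hdr=$(curl -sI "https://$1/" | awk -F': ' '/^[Dd]ate:/ {print $2}' | tr -d '\r')
    [ -n "$hdr" ] || { echo "no Date header from $1" >&2; return 1; }
    date -d "$hdr" +%s
}

# reenroll HOST SERVER
# 1. refuse to continue if the clocks disagree by more than MAX_SKEW,
#    since GSSAPI/Kerberos will fail anyway;
# 2. run the uninstaller;
# 3. delete the host object that the uninstaller leaves on the server, so the
#    reinstall does not abort with "Host is already joined" and therefore
#    skip updating nsswitch.conf and friends;
# 4. enroll again.
reenroll() {
    host=$1
    server=$2
    if ! within_skew "$(date +%s)" "$(server_epoch "$server")"; then
        echo "clock skew above ${MAX_SKEW}s; fix time sync before enrolling" >&2
        return 1
    fi
    ipa-client-install --uninstall
    if ipa host-show "$host" >/dev/null 2>&1; then
        ipa host-del "$host"
    fi
    ipa-client-install --no-sssd
}

# Usage (hypothetical names): sh reenroll.sh --run client.example.com ipa.example.com
if [ "${1:-}" = "--run" ]; then
    reenroll "$2" "$3"
fi
```

The skew check is kept as a pure function so it can be exercised without touching a server; the enrollment steps run only when the script is invoked with `--run`, so sourcing the file for the helpers has no side effects.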