On 12/12/2014 01:06 PM, sergey ivanov wrote:
Hi,
I have a few problems with ipa client installations against ipa server.

The history which led to these problems is the following.

1. I have first installed Freeipa server on Fedora-20, and was testing
and evaluating how it works and what are the features for a while.
2. While I was evaluating, Red Hat published RHEL-7. I tested
ipa-client integration from RHEL-7 desktops to Fedora's FreeIPA
server. It was working fine. Also I noticed that the features I needed
exist in the RHEL-7 supported IPA server.
3. Because there was no way to upgrade or migrate data from Fedora's
FreeIPA to RHEL-7 IPA, I made new fresh installation of IPA server on
RHEL-7 and wanted to move clients off Fedora's domain and join new
one, although they had the same domain name for DNS and kerberos.
4. I ran "ipa-client-install --uninstall" on the RHEL-7 desktop, and
rebooted it when prompted.
5. I ran "ipa-client-install" to join the new IPA servers; it reported success.

Now I have the following working:
1. I can ssh passwordless and without ssh public keys from hosts which
have good kerberos ticket obtained from RHEL-7 ipa server to this
problematic desktop computer.
2. I can see users there by typing "id <username>".
3. Password sudo authentication against IPA on this computer.

What does not work:
1. local login with IPA credentials: complains about wrong password.
2. SSH from other hosts with password authentication: the same
"wrong password".

As a temporary workaround I created a local user entry in /etc/shadow by
---
getent passwd <username> >> /etc/passwd
pwconv
chpasswd
<username>:<anotherpassword>
^D
---
and was able to log in with this password, both locally and remotely with
ssh. Interestingly, I've verified: the IPA password works for sudo but not
for login. But:
1. I was not able to use Gnome desktop environment: all windows were
black rectangles. KDE was working fine.
2. I was not able to point Firefox to the new IPA server: "Your
certificate contains the same serial number as another certificate
issued by the certificate authority. Please get a new certificate
containing a unique serial number. (Error code:
sec_error_reused_issuer_and_serial)" Where does Firefox store these
certificates, and how can I replace the one from Fedora's FreeIPA
server authority with new ones?


Preferences -> Advanced -> Certificates tab -> View Certificates button -> Servers tab

I think if you delete it and then try accessing IPA with the browser again it will do the trick.


As for password authentication I suggest you check your PAM and SSSD configuration.
Add debug_level=10 to pam, nss and domain sections and restart SSSD.
I suspect that something is not right there. Maybe the --uninstall actually did not clean everything.

In general it seems like SSSD/PAM is somehow misconfigured.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
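The debug_level change suggested above has to land in several sections of /etc/sssd/sssd.conf at once ([nss], [pam] and every [domain/...] section), and it is easy to miss one when editing by hand. The following script is an added example, not code from the thread or from the SSSD project: it parses an sssd.conf-style file with Python's configparser, sets debug_level in exactly those sections, and reports back which sections it touched and what level each section now carries. The sample configuration embedded in it is constructed for the example (the domain name, server name and existing debug_level value are assumptions, not the poster's real settings).

```python
"""Set SSSD debug_level in the sections a troubleshooter needs to inspect."""
import configparser
import io

# Constructed sample sssd.conf; the domain, server name and the existing
# debug_level value are assumptions for this example, not real settings.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = example.test

[nss]

[pam]
debug_level = 2

[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa.example.test
"""

# Service sections that get the verbose level; domain sections are
# matched by their "domain/" prefix instead.
TARGET_SECTIONS = ("nss", "pam")


def _parse(text):
    """Parse sssd.conf text; sssd.conf is an INI-style file with '=' delimiters."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def set_debug_level(text, level=10):
    """Return (new_text, touched_sections) with debug_level set in
    [nss], [pam] and every [domain/<name>] section of the given config."""
    cp = _parse(text)
    touched = []
    for section in cp.sections():
        if section in TARGET_SECTIONS or section.startswith("domain/"):
            cp[section]["debug_level"] = str(level)  # overwrites any old value
            touched.append(section)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue(), touched


def debug_levels(text):
    """Map every section name to its debug_level (None if unset),
    useful for confirming that no section was skipped."""
    cp = _parse(text)
    return {s: cp[s].get("debug_level") for s in cp.sections()}


if __name__ == "__main__":
    updated, sections = set_debug_level(SAMPLE_SSSD_CONF)
    print("debug_level set in:", ", ".join(sections))
    print(updated)
    print(debug_levels(updated))
```

When applying this to a real host, write the result back to /etc/sssd/sssd.conf keeping the file owned by root with mode 0600 (SSSD refuses to start otherwise), then restart SSSD; the verbose output lands in the per-service and per-domain files under /var/log/sssd/, which is where a failed PAM authentication for the problematic user would be visible. Lower the level again afterwards, since level 10 logs are very large.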

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
