On 12/12/2014 01:06 PM, sergey ivanov wrote:
Preferences -> Advanced -> Certificates tab -> View Certificates button -> Servers tab
I have a few problems with ipa client installations against an ipa server.
The history which led to these problems is the following.
1. I have first installed Freeipa server on Fedora-20, and was testing
and evaluating how it works and what are the features for a while.
2. While I was evaluating, Red Hat published RHEL-7. I tested
ipa-client integration from RHEL-7 desktops to Fedora's FreeIPA
server. It was working fine. Also I noticed that the features I needed
exist in the RHEL-7 supported IPA server.
3. Because there was no way to upgrade or migrate data from Fedora's
FreeIPA to RHEL-7 IPA, I made a fresh installation of the IPA server on
RHEL-7 and wanted to move clients off Fedora's domain and join the new
one, although they had the same domain name for DNS and Kerberos.
4. I ran "ipa-client-install --uninstall" on the RHEL-7 desktop, and
rebooted it when prompted.
5. I ran "ipa-client-install" to join the new IPA servers; it reported success.
Now I have the following working:
1. I can ssh passwordless and without ssh public keys from hosts which
have a good Kerberos ticket obtained from the RHEL-7 ipa server to this
problematic desktop computer.
2. I can see users there by typing "id <username>".
3. Password sudo authentication against IPA works on this computer.
What does not work:
1. Local login with IPA credentials: complains about a wrong password.
2. SSH from other hosts with password authentication: the same.
As a temporary workaround I tried creating a local user entry in /etc/shadow by
getent passwd <username> >> /etc/passwd
and was able to log in with this password, both locally and remotely with
ssh. Interestingly, I've verified: the IPA password works for sudo but not
for login. But:
1. I was not able to use Gnome desktop environment: all windows were
black rectangles. KDE was working fine.
2. I was not able to point Firefox to the new IPA server: "Your
certificate contains the same serial number as another certificate
issued by the certificate authority. Please get a new certificate
containing a unique serial number. (Error code:
sec_error_reused_issuer_and_serial)" Where does Firefox store these
certificates, and how can I replace the one from Fedora's FreeIPA
server authority by the new ones?
I think if you delete it and then try accessing IPA with the browser
again it will do the trick.
As for password authentication, I suggest you check your PAM and SSSD.
Add debug_level=10 to the pam, nss and domain sections and restart SSSD.
I suspect that something is not right there. Maybe the --uninstall
actually did not clean everything.
In general it seems like SSSD/PAM is somehow misconfigured.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
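The debugging step suggested in the reply above (debug_level=10 in the pam, nss and domain sections of sssd.conf, then an SSSD restart), as an added shell example that is not part of the original thread. The sssd.conf it edits is a constructed sample shaped like the one ipa-client-install writes; the domain name example.test, the server name ipa.example.test and the --apply flag are assumptions, and the real /etc/sssd/sssd.conf is only touched when the script is run with --apply as root.

```shell
#!/bin/sh
# Added example, not from the original thread or the FreeIPA project:
# raise debug_level in the [pam], [nss] and [domain/...] sections of an
# sssd.conf, then restart SSSD so the failing login can be traced in
# /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_<domain>.log.

# set_sssd_debug <sssd.conf> <level>
# Rewrites the file in place: every target section gets "debug_level = <level>"
# directly under its header, any older debug_level line in that section is
# dropped, and all other sections ([sssd], [sudo], ...) are left untouched.
set_sssd_debug() {
    conf="$1"
    level="${2:-10}"
    tmp="$conf.tmp.$$"
    awk -v lvl="$level" '
        /^\[/ {
            target = ($0 == "[pam]" || $0 == "[nss]" || $0 ~ /^\[domain\//)
            print
            if (target) print "debug_level = " lvl
            next
        }
        # old debug_level inside a target section: already re-emitted above
        target && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    # SSSD refuses to start if sssd.conf is not root-owned and mode 0600,
    # so make sure the rewritten file keeps that mode.
    chmod 0600 "$conf"
}

# debug_level_of <sssd.conf> <section>
# Prints the debug_level set in the given section (e.g. "[pam]"), or nothing.
debug_level_of() {
    awk -v want="$2" '
        /^\[/ { insec = ($0 == want); next }
        insec && /^[ \t]*debug_level[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# make_sample_conf <path>
# Constructed sample sssd.conf for trying the function on a copy; the domain
# example.test and the server ipa.example.test are assumptions.
make_sample_conf() {
    cat > "$1" <<'EOF'
[domain/example.test]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa.example.test
debug_level = 2

[sssd]
services = nss, sudo, pam, ssh
domains = example.test

[nss]
homedir_substring = /home

[pam]

[sudo]
EOF
}

# Dry run on the sample, or the real thing with --apply (as root on the client).
if [ "${1:-}" = "--apply" ]; then
    set_sssd_debug /etc/sssd/sssd.conf 10 && systemctl restart sssd
else
    sample="$(mktemp)"
    make_sample_conf "$sample"
    set_sssd_debug "$sample" 10
    cat "$sample"
    rm -f "$sample"
fi
```

Run it without arguments first to see what the rewrite does to the sample, then with --apply on the affected desktop, reproduce the failed local login, and read the pam and domain logs under /var/log/sssd. Remember to set the level back afterwards, since debug_level 10 logs a lot, including usernames.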
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project