On 03/17/2015 02:54 PM, Prasun Gera wrote:
Sorry, the message got sent accidentally earlier before I could
provide all the details.
Version: 4.1.0 on RHEL 7.1 x86_64
Steps:
1. ipa-server-install
2. service sshd restart
3. kinit admin <- This always works
4. ssh admin@localhost <- This works for the first time, fails second time onwards
ssh admin@host_addr from external system <- This also works the first time, fails second time onwards
5. ipa-server-install --uninstall
6. go to 1
The log messages in /var/log/messages point to
[sssd[krb5_child[21029]]]: Decrypt integrity check failed at the point
of the authentication failure
sssd's logs have a lot of "No matching domain found for user" messages.
/var/log/krb5kdc.log has a lot of error decoding FAST: <unknown
client> for <unknown server>, Decrypt integrity check failed while
handling ap-request armor
The only ERROR I can see in /var/log/ipaserver-uninstall.log is
pkidestroy : ERROR ....... subprocess.CalledProcessError: Command
'['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', ......returned
non-zero exit status 6!
It appears that the uninstall process is leaving some residual
configuration behind which is conflicting with the subsequent
installation with the same domain name
SSSD and certificate issues with re-install would be unrelated.
Let us start over. Remove IPA, try it several times, it helps sometimes
as it moves forward and cleans more on each attempt. Make sure there are
no certs left and certmonger is not tracking anything.
If you still experience issues with SSSD, add debug_level=10 to sssd
configuration in the domain section, restart sssd and send the sanitized
logs for the failed attempts.
Regards,
Prasun
On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera <prasun.g...@gmail.com> wrote:
Hello,
I installed the ipa-server on an RHEL 7.1 system, uninstalled it
and reinstalled it with the same domain name as the first time.
This somehow creates problems with ssh authentication on the
server from external systems as well as from the server itself.
Steps:
1. ipa-server-install
2. service sshd restart
3. kinit admin
4. ssh admin@localhost
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
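
The two checks suggested in the reply above (certmonger no longer tracking anything, and debug_level=10 in the sssd domain section), as an added example that is not part of the original thread. It assumes certmonger's `getcert list` prints one `Request ID '...':` line per tracked certificate and that sssd.conf uses `[domain/NAME]` section headers; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes certmonger's `getcert list`
# prints one "Request ID '...':" line per tracked certificate and that
# sssd.conf uses [domain/NAME] section headers.

# Count tracked requests in `getcert list` output on stdin (0 = clean).
count_tracked() {
    grep -c "^Request ID '" || true
}

# Print sssd.conf (file $1, or stdin) with "debug_level = 10" set in every
# [domain/...] section; other sections are left untouched.
set_domain_debug() {
    awk '
        /^\[/ {
            in_domain = ($0 ~ /^\[domain\//)
            print
            if (in_domain) print "debug_level = 10"
            next
        }
        in_domain && /^[ \t]*debug_level[ \t]*=/ { next }  # drop old value
        { print }
    ' "${1:--}"
}

# Constructed sample inputs (not real output from the reporter's host).
sample_getcert() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150317000001':
        status: MONITORING
Request ID '20150317000002':
        status: MONITORING
EOF
}
sample_conf() {
    cat <<'EOF'
[sssd]
domains = example.test

[domain/example.test]
id_provider = ipa
debug_level = 2

[pam]
debug_level = 1
EOF
}

echo "tracked requests: $(sample_getcert | count_tracked)"
sample_conf | set_domain_debug
```

On a real server, pipe `getcert list` into `count_tracked` after the uninstall and expect 0 before reinstalling. Write the output of `set_domain_debug` to a new file and review it before replacing sssd.conf and restarting sssd.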
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project