On 03/17/2015 02:54 PM, Prasun Gera wrote:
Sorry, the message got sent accidentally earlier before I could provide all the details.

Version: 4.1.0 on RHEL 7.1 x86_64

1. ipa-server-install
2. service sshd restart
3. kinit admin <- This always works
4. ssh admin@localhost <- This works for the first time, fails second time onwards ssh admin@host_addr from external system <- This also works the first time, fails second time onwards

5. ipa-server-install --uninstall
6. go to 1

The log messages in /var/log/messages point to [sssd[krb5_child[21029]]]: Decrypt integrity check failed at the point of the authentication failure
sssd's log's have a lot of "No matching domain found for user" messages.
/var/log/krb5kdc.log has a lot of error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor

The only ERROR I can see in /var/log/ipaserver-uninstall.log is
pkidestroy : ERROR ....... subprocess.CalledProcessError: Command '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', ......returned non-zero exit status 6!

It appears that the uninstall process is leaving some residual configuration behind which is conflicting with the subsequent installation with the same domain name

SSSD and certificate issues with re-install would be unrelated.

Let us start over. Remove IPA, try it several times, it helps sometimes as it moves forward and cleans more on each attempt. Make sure there are no certs left and certmonger is not tracking anything. If you still experience issues with SSSD, add debug_level=10 to sssd configuration in the domain section, restart sssd and send the sanitized logs for the failed attempts.


On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera <prasun.g...@gmail.com <mailto:prasun.g...@gmail.com>> wrote:

    I installed the ipa-server on an RHEL 7.1 system, uninstalled it
    and reinstalled it with the same domain name as the first time.
    This somehow creates problems with ssh authentication on the
    server from external systems as well as from the server itself.

    1. ipa-server-install
    2. service sshd restart
    3. kinit admin
    4. ssh admin@localhost

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to