Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

Wed, 18 Mar 2015 12:19:58 -0700 

On 03/17/2015 02:54 PM, Prasun Gera wrote:
Sorry, the message got sent accidentally earlier before I could provide all the details. 

Version: 4.1.0 on RHEL 7.1 x86_64

Steps:
1. ipa-server-install
2. service sshd restart
3. kinit admin <- This always works

4. ssh admin@localhost             <- This works for the first time, 
fails second time onwards
    ssh admin@host_addr from external system      <- This also works 
the first time, fails second time onwards


5. ipa-server-install --uninstall
6. go to 1


The log messages in /var/log/messages point to 
[sssd[krb5_child[21029]]]: Decrypt integrity check failed at the point 
of the authentication failure

sssd's log's have a lot of "No matching domain found for user" messages.

/var/log/krb5kdc.log has a lot of error decoding FAST: <unknown 
client> for <unknown server>, Decrypt integrity check failed while 
handling ap-request armor


The only ERROR I can see in /var/log/ipaserver-uninstall.log is

pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command 
'['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', ......returned 
non-zero exit status 6!




It appears that the uninstall process is leaving some residual 
configuration behind which is conflicting with the subsequent 
installation with the same domain name



SSSD and certificate issues with re-install would be unrelated.



Let us start over. Remove IPA, try it several times, it helps sometimes 
as it moves forward and cleans more on each attempt. Make sure there are 
no certs left and certmonger is not tracking anything.
If you still experience issues with SSSD, add debug_level=10 to sssd 
configuration in the domain section, restart sssd and send the sanitized 
logs for the failed attempts.






Regards,
Prasun








On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera <prasun.g...@gmail.com 
<mailto:prasun.g...@gmail.com>> wrote:


    Hello,
    I installed the ipa-server on an RHEL 7.1 system, uninstalled it
    and reinstalled it with the same domain name as the first time.
    This somehow creates problems with ssh authentication on the
    server from external systems as well as from the server itself.

    Steps:
    1. ipa-server-install
    2. service sshd restart
    3. kinit admin
    4. ssh admin@localhost







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





















					Reply via email to