On Wed, Jun 03, 2015 at 09:34:28AM +0200, Martin Kosek wrote:
> On 06/02/2015 06:15 PM, Christopher Lamb wrote:
> > Hi
> > Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause
> > of this problem. Let's call them HOST09 and HOST10
> > Both are mimimum installs of EL7.1, with NTPD installed and configured.
> > HOST09 had ipa-client 4.1 installed via yum, and was configured to use our
> > new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
> > authenticates successfully against this machine.
> > HOST10 had ipa-client 4.1 installed as a dependency of one of our standard
> > config packages, and was first set to use our old FreeIPA 3.3.3 server. -->
> > My FreeIPA user authenticates successfully. against this machine.
> > I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
> > against the new FreeIPA 4.1 server --> My FreeIPA users does NOT
> > authenticate successfully.
> > This replicates well the behaviour I saw with my production servers, namely
> > a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1
> > FreeIPA server authenticate properly.
> > b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
> > FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
> > authenticate properly
> > Chris
> This is really strange. What I do not fully understand is what is the
> "registration against a FreeIPA server". What server you install IPA client
> should matter if the deployment is set up properly. The host enrollment entry
> should simply replicate to whole infrastructure. The only thing that will
> probably differ is sssd.conf and krb5.conf as they will have different primary
> server set up, based on what your DNS setup is.
> It rather seems that the "reregistration" is what causes the issue. It looks
> like something cleanup problem during the process. I will let Jakub to help
> here, I would suggest including the SSSD logs from the failed login, it may
In another thread (not sure if public or not, there was many emails from
Christoper recently), we advised to clean the cache after
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project