On Wed, Jun 03, 2015 at 09:34:28AM +0200, Martin Kosek wrote:
> On 06/02/2015 06:15 PM, Christopher Lamb wrote:
> >
> > Hi
> >
> > Earlier today I set up 2 throwaway EL7.1 VMs to help narrow down the cause
> > of this problem. Let's call them HOST09 and HOST10
> >
> > Both are minimum installs of EL7.1, with NTPD installed and configured.
> >
> > HOST09 had ipa-client 4.1 installed via yum, and was configured to use our
> > new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
> > authenticates successfully against this machine.
> >
> > HOST10 had ipa-client 4.1 installed as a dependency of one of our standard
> > config packages, and was first set to use our old FreeIPA 3.3.3 server. -->
> > My FreeIPA user authenticates successfully against this machine.
> >
> > I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
> > against the new FreeIPA 4.1 server --> My FreeIPA user does NOT
> > authenticate successfully.
> >
> > This replicates well the behaviour I saw with my production servers, namely
> > a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1
> > FreeIPA server authenticate properly.
> >
> > b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
> > FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
> > authenticate properly
> >
> > Chris
>
> Hello,
>
> This is really strange. What I do not fully understand is what is the
> "registration against a FreeIPA server". What server you install IPA client
> should matter if the deployment is set up properly. The host enrollment entry
> should simply replicate to whole infrastructure. The only thing that will
> probably differ is sssd.conf and krb5.conf as they will have different primary
> server set up, based on what your DNS setup is.
>
> It rather seems that the "reregistration" is what causes the issue. It looks
> like some cleanup problem during the process. I will let Jakub help
> here, I would suggest including the SSSD logs from the failed login, it may
> help.
In another thread (not sure if public or not, there were many emails from Christopher recently), we advised to clean the cache after reinstall/register.