On Wed, Jun 03, 2015 at 09:34:28AM +0200, Martin Kosek wrote:
> On 06/02/2015 06:15 PM, Christopher Lamb wrote:
> > 
> > Hi
> > 
> > Earlier today I set up 2 throwaway EL7.1 VMs to help narrow down the cause
> > of this problem. Let's call them HOST09 and HOST10
> > 
> > Both are minimum installs of EL7.1, with NTPD installed and configured.
> > 
> > HOST09  had ipa-client 4.1 installed via yum, and was configured to use our
> > new FreeIPA 4.1 server, right from the start. --> My FreeIPA user
> > authenticates successfully against this machine.
> > 
> > HOST10 had ipa-client 4.1 installed as a dependency of one of our standard
> > config packages, and was first set to use our old FreeIPA 3.3.3 server. -->
> > My FreeIPA user authenticates successfully against this machine.
> > 
> > I then de-registered HOST10 from the FreeIPA 3.1 server, and registered
> > against the new FreeIPA 4.1 server --> My FreeIPA user does NOT
> > authenticate successfully.
> > 
> > This replicates well the behaviour I saw with my production servers, namely
> > a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new 4.1
> > FreeIPA server authenticate properly.
> > 
> > b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
> > FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
> > authenticate properly
> > 
> > Chris
> 
> Hello,
> 
> This is really strange. What I do not fully understand is what is the
> "registration against a FreeIPA server". What server you install IPA client
> should matter if the deployment is set up properly. The host enrollment entry
> should simply replicate to whole infrastructure. The only thing that will
> probably differ is sssd.conf and krb5.conf as they will have different primary
> server set up, based on what your DNS setup is.
> 
> It rather seems that the "reregistration" is what causes the issue. It looks
> like some cleanup problem during the process. I will let Jakub help
> here, I would suggest including the SSSD logs from the failed login, it may
> help.

In another thread (not sure if public or not, there were many emails from
Christopher recently), we advised to clean the cache after
reinstall/register.
