On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote:
> I am trying to re-enroll clients after re-installing their O/S (EL6)
> using:
> 
> # ipa-client-install --force-join ...
> 
> Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I
> am
> finding that after doing that for a given host, trying to ssh to it
> from another enrolled IPA client I am getting:
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 15:db:4d:e2:8b:c2:b8:3d:da:93:90:06:f2:f1:d6:21.
> Please contact your system administrator.
> Add correct host key in /dev/null to get rid of this message.
> Offending DSA key in /var/lib/sss/pubconf/known_hosts:4
> Keyboard-interactive authentication is disabled to avoid man-in-the
> -middle attacks.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

So the problem here was not really anything to do with the above but
rather that ipa-client-install is flaky and can fail when running it a
few seconds later it succeeds.  Since I am provisioning multiple
systems at a time in a script, it was not clearly obvious to me that it
was failing.

And so when ipa-client-install flakes out, of course what is left is
the previous instance of the node in FreeIPA complete with the previous
instance's SSH keys.

b.

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to