Brian J. Murrell wrote: > On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote: >> I am trying to re-enroll clients after re-installing their O/S (EL6) >> using: >> >> # ipa-client-install --force-join ... >> >> Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I >> am >> finding that after doing that for a given host, trying to ssh to it >> from another enrolled IPA client I am getting: >> >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! >> Someone could be eavesdropping on you right now (man-in-the-middle >> attack)! >> It is also possible that a host key has just been changed. >> The fingerprint for the RSA key sent by the remote host is >> 15:db:4d:e2:8b:c2:b8:3d:da:93:90:06:f2:f1:d6:21. >> Please contact your system administrator. >> Add correct host key in /dev/null to get rid of this message. >> Offending DSA key in /var/lib/sss/pubconf/known_hosts:4 >> Keyboard-interactive authentication is disabled to avoid man-in-the >> -middle attacks. >> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). > > So the problem here was not really anything to do with the above but > rather that ipa-client-install is flaky and can fail when running it a > few seconds later it succeeds. Since I am provisioning multiple > systems at a time in a script, it was not clearly obvious to me that it > was failing.
What is "flaky" about it? > And so when ipa-client-install flakes out, of course what is left is > the previous instance of the node in FreeIPA complete with the previous > instance's SSH keys. Without any details it's hard to say what is going on. Having a side-by-side of an unsuccessful install log and a successful install log a few seconds later would be very helpful. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
