Brian J. Murrell wrote:
> On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote:
>> I am trying to re-enroll clients after re-installing their O/S (EL6)
>> using:
>>
>> # ipa-client-install --force-join ...
>>
>> Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I
>> am
>> finding that after doing that for a given host, trying to ssh to it
>> from another enrolled IPA client I am getting:
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle
>> attack)!
>> It is also possible that a host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> 15:db:4d:e2:8b:c2:b8:3d:da:93:90:06:f2:f1:d6:21.
>> Please contact your system administrator.
>> Add correct host key in /dev/null to get rid of this message.
>> Offending DSA key in /var/lib/sss/pubconf/known_hosts:4
>> Keyboard-interactive authentication is disabled to avoid man-in-the
>> -middle attacks.
>> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> 
> So the problem here was not really anything to do with the above but
> rather that ipa-client-install is flaky and can fail when running it a
> few seconds later it succeeds.  Since I am provisioning multiple
> systems at a time in a script, it was not clearly obvious to me that it
> was failing.

What is "flaky" about it?

> And so when ipa-client-install flakes out, of course what is left is
> the previous instance of the node in FreeIPA complete with the previous
> instance's SSH keys.

Without any details it's hard to say what is going on. Having a
side-by-side of an unsuccessful install log and a successful install log
a few seconds later would be very helpful.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to