On Thu, Aug 3, 2017 at 9:57 PM, Alexandre Pitre via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> I'm unable to rejoin a CentOS client to my FreeIPA realm. I ran the
> uninstall command on my client: ipa-client-install --uninstall
>
> As far as I know the uninstall was successful. It asked me to reboot. After
> rebooting if I try to rerun the install command:
>
> ipa-client-install -U -p admin -w P@ssw0rd! --enable-dns-updates --mkhomedir
> --domain=customdomain.ad.com --realm=IPA.AD.COM --server=ipa01.ipa.ad.com
> --server=ipa02.ipa.ad.com --no-ntp --debug
>
> FYI, we're using a different DNS domain than our FreeIPA realm, hence why I
> have to provide all those flags.
>
> Running the install command failed. Here's the output from
> /var/log/ipa-client-uninstall.log
>
> 2017-08-03T19:17:58Z DEBUG stderr=
> 2017-08-03T19:17:58Z DEBUG trying to retrieve CA cert via LDAP from
> ipa-01.ipa.ad.com
> 2017-08-03T19:17:58Z DEBUG get_ca_certs_from_ldap() error:
> Insufficientaccess: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Server
> krbtgt/ad....@ipa.ad.com not found in Kerberos database)
> 2017-08-03T19:17:58Z DEBUG Insufficient access: SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
> information (Server krbtgt/ad....@ipa.ad.com not found in Kerberos database)
> 2017-08-03T19:17:58Z ERROR In unattended mode without a One Time Password
> (OTP) or without --ca-cert-file You must specify --force to retrieve the CA
> cert using HTTP
> 2017-08-03T19:17:58Z ERROR Cannot obtain CA certificate HTTP certificate
> download requires --force
> 2017-08-03T19:17:58Z ERROR Installation failed. Rolling back changes.
> 2017-08-03T19:17:58Z ERROR IPA client is not configured on this system.
>
> Do I need to run/clean something else? This error is consistent with all of
> the clients I tried to re-join.
>
> Thanks for your help,
> Alex
>

The client uninstaller doesn't clean up host and DNS records after itself.
The reason is that it doesn't run with the same privileges as the client
installer, so it doesn't have the rights to do those operations.

Normally you would get an error that your client is already joined, and you
would need to either run it with --force-join or delete the host record
from IPA with `ipa host-del $client` before reinstallation.

But in your case it fails much earlier, on downloading CA certs from the
master. Usually GSSAPI auth (using admin credentials with a temp.
krb5.conf created based on the provided params and autodiscovery) works in
this case and the cert is downloaded.

I'd try to remove the host from the server first, then try again. If it
doesn't help, it would also be interesting to see the log related to the
previous installation step - the Kerberos configuration and TGT
obtaining - or the full ipaclient-install.log.


-- 
Petr Vobornik
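The cleanup-then-rejoin procedure from the reply above, as an added example script that is not part of the thread or of FreeIPA itself. It assumes an admin ticket already exists (kinit admin) and the `ipa` CLI is installed; IPA_CMD, IPA_ADMIN_PW and the default domain/realm/server values are assumptions taken from the original post and used only here.

```shell
#!/bin/sh
# Added example, not from the thread: clear the stale host (and DNS) record the
# client uninstaller leaves on the IPA server, then re-enroll with the flags
# used in the thread (DNS domain differs from the Kerberos realm).
# Assumes an admin ticket already exists (kinit admin) and the `ipa` CLI is
# installed; IPA_CMD and IPA_ADMIN_PW are assumed names used only here.
set -u

IPA_CMD="${IPA_CMD:-ipa}"
DOMAIN="${DOMAIN:-customdomain.ad.com}"
REALM="${REALM:-IPA.AD.COM}"
SERVERS="${SERVERS:-ipa01.ipa.ad.com ipa02.ipa.ad.com}"

# True when the server still holds a host entry for the client FQDN.
host_exists() {
    "$IPA_CMD" host-show "$1" >/dev/null 2>&1
}

# Delete the stale entry; --updatedns also removes the A/PTR records that
# ipa-client-install --uninstall does not have the rights to clean up.
remove_stale_host() {
    if host_exists "$1"; then
        echo "removing stale host record for $1"
        "$IPA_CMD" host-del --updatedns "$1"
    else
        echo "no host record for $1; nothing to remove"
    fi
}

# Non-secret enrollment arguments, one --server per replica.
build_install_args() {
    args="-U --enable-dns-updates --mkhomedir --domain=$DOMAIN --realm=$REALM"
    for s in $SERVERS; do
        args="$args --server=$s"
    done
    printf '%s\n' "$args --no-ntp --debug"
}

# Full procedure: remove the old record, then re-enroll. The admin password
# comes from the environment rather than being hard-coded in the script.
rejoin_client() {
    : "${IPA_ADMIN_PW:?set IPA_ADMIN_PW to the admin password}"
    remove_stale_host "$1"
    # args contain no whitespace, so word splitting here is intended
    ipa-client-install $(build_install_args) -p admin -w "$IPA_ADMIN_PW"
}

# Run only when a client FQDN is given: sh rejoin.sh client01.customdomain.ad.com
if [ "$#" -ge 1 ]; then
    rejoin_client "$1"
fi
```

If the re-enrollment still fails at the CA certificate download, the earlier Kerberos step in ipaclient-install.log is the next place to look, as the reply suggests.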
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
