Hi, I have a few problems with ipa client installations against ipa server.
The history which led to these problems are tho following. 1. I have first installed Freeipa server on Fedora-20, and was testing and evaluating how it works and what are the features for a while. 2. While I was evaluating, Red Hat published RHEL-7. I tested ipa-client integration from RHEL-7 destkops to Fedora's FreeIPA server. It was working fine. Also I noticed that the features I needed exists in RHEL-7 supported IPA server. 3. Because there was no way to upgrade or migrate data from Fedora's FreeIPA to RHEL-7 IPA, I made new fresh installation of IPA server on RHEL-7 and wanted to move clients off Fedora's domain and join new one, although they had the same domain name for DNS and kerberos. 4. I ran "ipa-client-install --uninstall" on RHEL-7 destkop, and rebooted it when prompted. 5. I ran "ipa-client-install" to joun new IPA servers, it reported success. Now I have the following working: 1. I can ssh passwordless and without ssh public keys from hosts which have good kerberos ticket obtained from RHEL-7 ipa server to this problematic desktop computer. 2. I can see users there by typing "id <username>". 3. Password sudo authentication against IPA on this computer. What does not work: 1. local login with IPA credentials: complains about wrong password. 2. SSH from other hosts with password authentication, - the same "wrong password". I tried as a temporary workaround and created local user entry in /etc/shadow by --- getent passwd <username> >> /etc/passwd pwconv chpasswd <username>:<anotherpassword> ^D --- and was able to login with this password, both local and remotely with ssh. Interesting, I've verified: IPA password works for sudo but not for login. But: 1. I was not able to use Gnome desktop environment: all windows were black rectangles. KDE was working fine. 2. I was not able to point firefox to new IPA server: "Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)" Where firefox stores these certificates, and how I can replace the one from Fedora's FreeIPA server authority by new ones? -- Regards, Sergey Ivanov | [email protected] http://www.linkedin.com/pub/sergey-ivanov/8/270/a09 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
