I ran some more tests and I've found that it's a general sssd issue which affects everything handled by sssd (pam, ssh, sudo). I see similar problems with 'su - username'. I'm guessing that kinit works since it bypasses sssd. Does anyone have any ideas on debugging this?
On Tue, Mar 17, 2015 at 2:54 PM, Prasun Gera <[email protected]> wrote:

> Sorry, the message got sent accidentally earlier before I could provide
> all the details.
>
> Version: 4.1.0 on RHEL 7.1 x86_64
>
> Steps:
> 1. ipa-server-install
> 2. service sshd restart
> 3. kinit admin <- This always works
> 4. ssh admin@localhost <- This works for the first time,
>    fails second time onwards
>    ssh admin@host_addr from external system <- This also works the
>    first time, fails second time onwards
> 5. ipa-server-install --uninstall
> 6. go to 1
>
> The log messages in /var/log/messages point to [sssd[krb5_child[21029]]]:
> Decrypt integrity check failed at the point of the authentication failure
> sssd's logs have a lot of "No matching domain found for user" messages.
> /var/log/krb5kdc.log has a lot of error decoding FAST: <unknown client>
> for <unknown server>, Decrypt integrity check failed while handling
> ap-request armor
>
> The only ERROR I can see in /var/log/ipaserver-uninstall.log is
> pkidestroy : ERROR ....... subprocess.CalledProcessError: Command
> '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', ......returned
> non-zero exit status 6!
>
> It appears that the uninstall process is leaving some residual
> configuration behind which is conflicting with the subsequent installation
> with the same domain name
>
> Regards,
> Prasun
>
> On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera <[email protected]>
> wrote:
>
>> Hello,
>> I installed the ipa-server on an RHEL 7.1 system, uninstalled it and
>> reinstalled it with the same domain name as the first time. This somehow
>> creates problems with ssh authentication on the server from external
>> systems as well as from the server itself.
>>
>> Steps:
>> 1. ipa-server-install
>> 2. service sshd restart
>> 3. kinit admin
>> 4. ssh admin@localhost
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
