[Freeipa-users] Unable to authenticate a client user against IPA

Dmitri Pal dpal at redhat.com
Wed Mar 9 20:21:27 UTC 2011


On 03/09/2011 03:09 PM, Steven Jones wrote:
> On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote:
>> On 03/09/2011 02:21 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> I had/have already done the uninstall...and re-install.
>>>
>>> Also I registered a brand new 2nd client...that hasn't worked
>>> either......
>>>
>> How did you create the host record for it on the server?
>>
>
> I didn't, I ran ipa-client-install from the client....
>
> I have just run with the --uninstall flag and then re-run and it's
> failing as the client record was not removed...
>
> "Joining realm failed: Host is already joined"
>
> So the un-install script/flag isn't removing the client/host

We have a bug when it does not remove the keytab on the client.
It is addressed but has not yet been in the build you are using.
When you uninstall, the machine tries to remove its keytab from the server
(if it is accessible).
If the server is not accessible for whatever reason, you have to clean
the keytab on the host entry manually,
either via the ipa host commands or via ipa-rmkeytab remotely.

The actual entry is not removed.

1) Run uninstall on the client
2) Make sure that the host entry is clean. Remove it on the server and
re-add again.
3) Remove the keytab file and cert on the client (these bugs are fixed
https://fedorahosted.org/freeipa/ticket/1028
https://fedorahosted.org/freeipa/ticket/1029)
4) Install client again

Everything should work.
If not please send us the logs.



> regards


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

