On Thu, Aug 3, 2017 at 9:57 PM, Alexandre Pitre via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
I'm unable to rejoin a CentOS client to my FreeIPA realm. I ran the
uninstall command on my client: ipa-client-install --uninstall
As far as I know the uninstall was successful. It asked me to reboot. After
rebooting if I try to rerun the install command:
ipa-client-install -U -p admin -w P@ssw0rd! --enable-dns-updates --mkhomedir
--domain=customdomain.ad.com --realm=IPA.AD.COM --server=ipa01.ipa.ad.com
--server=ipa02.ipa.ad.com --no-ntp --debug
FYI, we're using a different DNS domain than our FreeIPA realm, which is why I
have to provide all those flags.
Running the install command failed. Here's the output from
/var/log/ipa-client-uninstall.log
2017-08-03T19:17:58Z DEBUG stderr=
2017-08-03T19:17:58Z DEBUG trying to retrieve CA cert via LDAP from
ipa-01.ipa.ad.com
2017-08-03T19:17:58Z DEBUG get_ca_certs_from_ldap() error:
Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Server
krbtgt/AD.COM(a)IPA.AD.COM not found in Kerberos database)
2017-08-03T19:17:58Z DEBUG Insufficient access: SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server krbtgt/AD.COM(a)IPA.AD.COM not found in Kerberos database)
2017-08-03T19:17:58Z ERROR In unattended mode without a One Time Password
(OTP) or without --ca-cert-file You must specify --force to retrieve the CA
cert using HTTP
2017-08-03T19:17:58Z ERROR Cannot obtain CA certificate HTTP certificate
download requires --force
2017-08-03T19:17:58Z ERROR Installation failed. Rolling back changes.
2017-08-03T19:17:58Z ERROR IPA client is not configured on this system.
Do I need to run/clean something else? This error is consistent across all of
the clients I tried to re-join.
Thanks for your help,
Alex
The client uninstaller doesn't clean up host and DNS records after itself.
The reason is that it doesn't run with the same privileges as the client
installer, so it doesn't have the rights to do those operations.
Normally you would get an error that your client is already joined and
you would need to run it either with --force-join or delete the host record
from IPA with `ipa host-del $client` before reinstallation.
But in your case it fails much earlier, on downloading CA certs from the
master. Usually GSSAPI auth (using admin credentials with a temporary
krb5.conf created based on the provided params and autodiscovery) works in
this case and the cert is downloaded.
I'd try to remove the host from the server first, then try again. If it
doesn't help, it would also be interesting to see the log related to the
previous installation step (the Kerberos configuration and TGT
obtaining), or the full ipaclient-install.log.
--
Petr Vobornik
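As an added example (not code from the thread or from the FreeIPA project), the small triage script below reads ipa-client-install.log entries and picks out the two things Petr's reply points at: the Kerberos principal the client could not get a ticket for, and the point at which the installer refused to fall back to HTTP for the CA certificate. The sample entries are constructed from the log quoted above (joined back onto one line each, since the mailing list wrapped them); the expected realm, the finding names and the suggested next steps are assumptions of this example, not installer output.

```python
"""Triage ipa-client-install.log entries for enrollment failures.

Added example, not part of the thread or of FreeIPA. Reads log lines of the form
'<timestamp> <LEVEL> <message>', extracts the Kerberos principal named in a
'not found in Kerberos database' error and flags when the client asked the KDC of
one realm for a cross-realm TGT (krbtgt/<other realm>), and records when the CA
certificate download was blocked because --force was not given.
"""
import re
from dataclasses import dataclass

# Constructed sample based on the thread's log; each entry is one line in the
# real log file (the mailing list wrapped them).
SAMPLE_LOG = """\
2017-08-03T19:17:58Z DEBUG trying to retrieve CA cert via LDAP from ipa-01.ipa.ad.com
2017-08-03T19:17:58Z DEBUG get_ca_certs_from_ldap() error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/AD.COM@IPA.AD.COM not found in Kerberos database)
2017-08-03T19:17:58Z ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file You must specify --force to retrieve the CA cert using HTTP
2017-08-03T19:17:58Z ERROR Cannot obtain CA certificate HTTP certificate download requires --force
2017-08-03T19:17:58Z ERROR Installation failed. Rolling back changes.
"""

ENTRY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
# Mailing-list archives often rewrite '@' as '(a)'; accept both spellings.
PRINC_RE = re.compile(
    r"Server (?P<service>[^/\s]+)/(?P<instance>[^@(\s]+)(?:@|\(a\))"
    r"(?P<realm>\S+?) not found in Kerberos database"
)


@dataclass
class Finding:
    kind: str      # assumed finding name, e.g. "cross_realm_tgt"
    detail: str    # human-readable explanation
    ts: str        # timestamp of the log entry


def parse_entries(text):
    """Split log text into (timestamp, level, message) tuples, skipping junk."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["ts"], m["level"], m["msg"]))
    return entries


def triage(text, expected_realm):
    """Return findings for the log text, given the realm the client should join."""
    findings = []
    for ts, _level, msg in parse_entries(text):
        m = PRINC_RE.search(msg)
        if m:
            svc, inst, kdc_realm = m["service"], m["instance"], m["realm"]
            if svc == "krbtgt":
                # krbtgt/<X>@<Y> is a request to realm Y for a ticket into realm X,
                # i.e. the client resolved the server into realm X, not Y.
                detail = (f"KDC for {kdc_realm} was asked for a cross-realm TGT into "
                          f"{inst}; expected realm is {expected_realm}")
                kind = "cross_realm_tgt" if inst != expected_realm else "krbtgt_missing"
            else:
                detail = f"service principal {svc}/{inst}@{kdc_realm} missing on KDC"
                kind = "service_principal_missing"
            findings.append(Finding(kind, detail, ts))
        if "requires --force" in msg or "must specify --force" in msg:
            findings.append(Finding("ca_cert_http_fallback_blocked", msg, ts))
        if "Rolling back changes" in msg:
            findings.append(Finding("rolled_back", msg, ts))
    return findings


def next_steps(findings):
    """Map finding kinds to the remediation discussed in the thread (assumed wording)."""
    advice = {
        "cross_realm_tgt": "check the Kerberos configuration / TGT step earlier in the log",
        "ca_cert_http_fallback_blocked": "supply --ca-cert-file or an OTP, or use --force",
        "rolled_back": "remove the stale host record (ipa host-del) before retrying",
    }
    return sorted({advice[f.kind] for f in findings if f.kind in advice})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "IPA.AD.COM"):
        print(f.ts, f.kind, f.detail)
    print(next_steps(triage(SAMPLE_LOG, "IPA.AD.COM")))
```

Run it against the real file with `triage(open("/var/log/ipaclient-install.log").read(), "IPA.AD.COM")`; the realm argument is whatever you pass to `--realm`, and a `cross_realm_tgt` finding means the client built a principal for a realm other than that one.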