I have another reason to want to do a reinstall.
I have 3 CentOS 7 servers. I want to move to CentOS 8 (eventually; I’ll do some testing
first). The official approach is a new installation. Obviously I can create 3 replicas and
kill the originals. But then I’ll have to find every client and update the hostnames of
the servers in their configurations. We use DNS discovery where possible, but we have
software that can’t do it, and of course the admin server attribute in krb5.conf doesn’t
support it. Trying to find everything that needs reconfiguring is going to be a bit of a
mess.
I’d like to end up with new servers having the same hostnames. This is a bit of a
different situation from the original request, since I have all the data on 3 servers.
Does it make sense to kill a replica and then create a new replica with the same
hostname?
Last time I tried to kill a replica and reinstall, it failed. There were things left over
preventing the installation. But that was a couple of years ago, so things might be better
now.
On Sep 19, 2019, at 11:51 AM, Albert Szostkiewicz via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Thanks for the reply, Rob!
> /var/log/krb5kdc.log might have more details on the GSS failures, or the
> journal.
Yeah, I've checked that as well. Unfortunately, 'Preauthentication failed' was
no more explanatory to me.
After two weeks of searching for answers, I gave up and decided to reinstall the IPA
server.
I guess one has to have much deeper knowledge to use it properly, and I am just a mortal
user :)
/var/log/krb5kdc.log
38:21 (info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18),
aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime
1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for
HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM
38:21 (info): closing down fd 11
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH:
HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for
krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 (info): closing down fd 11
38:21 (info): preauth (spake) verify failure: Preauthentication failed
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED:
HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for
krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 (info): closing down fd 11
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH:
HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for
krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 (info): closing down fd 11
38:21 (info): preauth (spake) verify failure: Preauthentication failed
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED:
HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for
krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 (info): closing down fd 11
Cheers!