I have another reason to want to do a reinstall.

I have 3 CentOS 7 servers. I want to move to CentOS 8 (eventually; I’ll do 
some testing first). The official approach is a new installation. Obviously I 
can create 3 replicas and kill the originals. But then I’ll have to find every 
client and update the hostnames of the servers in their configurations. We use 
DNS discovery where possible, but we have software that can’t do it, and of 
course the admin server attribute in krb5.conf doesn’t support it. Trying to 
find everything that needs reconfiguring is going to be a bit of a mess. 

I’d like to end up with new servers having the same hostnames. This is a bit of 
a different situation from the original request, since I have all the data on 3 
servers. Does it make sense to kill a replica and then create a new replica 
with the same hostname?

Last time I tried to kill a replica and reinstall, it failed. There were things 
left over preventing the installation. But that was a couple of years ago, so 
things might be better now.


> On Sep 19, 2019, at 11:51 AM, Albert Szostkiewicz via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Thanks for the reply, Rob!
> 
>> /var/log/krb5kdc.log might have more details on the GSS failures, or the
>> journal.
> 
> Yeah, I've checked that as well. Unfortunately, 'Preauthentication failed' was 
> no more explanatory to me.
> After two weeks of searching for answers, I gave up and decided to reinstall 
> the IPA server.
> 
> I guess, one has to have much deeper knowledge to use it properly and I am 
> just a mortal user :)
> 
> /var/log/krb5kdc.log 
> 38:21 (info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), 
> aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), 
> aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), 
> DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), 
> camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes 
> {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), 
> ses=aes256-cts-hmac-sha1-96(18)}, ad...@home.mydomain.com for 
> HTTP/ipa.home.mydomain....@home.mydomain.com
> 38:21 (info): closing down fd 11
> 38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), 
> aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), 
> aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), 
> DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), 
> camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: 
> HTTP/ipa.home.mydomain....@home.mydomain.com for 
> krbtgt/home.mydomain....@home.mydomain.com, Additional pre-authentication 
> required
> 38:21 (info): closing down fd 11
> 38:21 (info): preauth (spake) verify failure: Preauthentication failed
> 38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), 
> aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), 
> aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), 
> DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), 
> camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: 
> HTTP/ipa.home.mydomain....@home.mydomain.com for 
> krbtgt/home.mydomain....@home.mydomain.com, Preauthentication failed
> 38:21 (info): closing down fd 11
> 38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), 
> aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), 
> aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), 
> DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), 
> camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: 
> HTTP/ipa.home.mydomain....@home.mydomain.com for 
> krbtgt/home.mydomain....@home.mydomain.com, Additional pre-authentication 
> required
> 38:21 (info): closing down fd 11
> 38:21 (info): preauth (spake) verify failure: Preauthentication failed
> 38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), 
> aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), 
> aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), 
> DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), 
> camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: 
> HTTP/ipa.home.mydomain....@home.mydomain.com for 
> krbtgt/home.mydomain....@home.mydomain.com, Preauthentication failed
> 38:21 (info): closing down fd 11
> 
> Cheers!
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
