#2497 When machine gets IPA-enrolled to different IPA with the same domain name and the same users, caches prevent correct operation
Closed: wontfix 4 months ago by pbrezina. Opened 5 years ago by adelton.

Recently I've created IPA + IPA-enrolled machine for testing purposes.

Then I ran ipa-client-install --uninstall, created a completely different IPA installation (different version even) but with the same domain and the same users.

I've IPA-enrolled the machine back but PAM authentication did not work.

Jakub says that you need to remove the sssd cache to get rid of the old uids.

This ticket is about making sure people don't hit the problem.

Possible solutions: loud warning about reusing the same domain name; removing the cache either during --uninstall or during ipa-client-install; comparing host's key timestamp in the keytab with the cache timestamp; something else.
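
The keytab-versus-cache timestamp comparison suggested in the report above, sketched as an added example (not code from SSSD, IPA or the ticket). It assumes the MIT keytab file format 0x0502 and takes a cache file's modification time as the "cache timestamp", which the ticket does not define; all function names are hypothetical and the sample keytab is constructed.

```python
import os
import struct

def keytab_timestamps(data):
    """Return the timestamp of each entry in an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format")
    stamps, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break                      # zero length: treat as end of entries
        if size < 0:
            pos += -size               # deleted entry ("hole"): skip its bytes
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        p = pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        for _ in range(ncomp + 1):     # realm, then each principal component
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
        _name_type, ts = struct.unpack_from(">II", data, p)
        stamps.append(ts)
        pos += size
    return stamps

def caches_older_than_keytab(keytab_path, cache_dir):
    """List *.ldb files in cache_dir last modified before the newest keytab key."""
    with open(keytab_path, "rb") as f:
        newest_key = max(keytab_timestamps(f.read()), default=0)
    return [name for name in sorted(os.listdir(cache_dir))
            if name.endswith(".ldb")
            and os.path.getmtime(os.path.join(cache_dir, name)) < newest_key]

def sample_entry(ts, realm=b"EXAMPLE.TEST", comps=(b"host", b"client.example.test")):
    """Build one constructed keytab entry with a dummy 4-byte key (sample data)."""
    body = struct.pack(">H", len(comps))
    for s in (realm, *comps):
        body += struct.pack(">H", len(s)) + s
    body += struct.pack(">IIB", 1, ts, 1)            # name_type, timestamp, vno8
    body += struct.pack(">HH", 18, 4) + b"\0" * 4    # enctype, key length, key
    return struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    # Constructed keytab: one deleted slot between two keys.
    kt = b"\x05\x02" + sample_entry(1000) + struct.pack(">i", -3) + b"xxx" + sample_entry(2000)
    print(keytab_timestamps(kt))
```

On a client the inputs would typically be /etc/krb5.keytab and /var/lib/sss/db (assumed default locations), and the comparison is only meaningful before SSSD is started after the new enrollment, since a running SSSD keeps rewriting its cache files.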


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 beta

Fields changed

rhbz: => todo

We need to first fix #2671, which would allow the ipa installer tools to call sss_cache --remove-db or similar. btw we also had a similar request from the realmd side.

blockedby: => #2671
milestone: SSSD 1.14 beta => SSSD 1.14 backlog
sensitive: => 0

Fields changed

selected: => May

The manual cache removal is now implemented in sssctl. In order for this scenario to work automagically, ticket #884 must be implemented as well. In the meantime, I at least documented this in the troubleshooting guide:
https://fedorahosted.org/sssd/wiki/Troubleshooting?action=diff&version=28&old_version=27

milestone: SSSD 1.14 backlog => SSSD Patches welcome

Metadata Update from @adelton:
- Issue marked as depending on: #2671
- Issue set to the milestone: SSSD Patches welcome

3 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 months ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3539

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
