#5243 ipa uninstall does not remove keytabs
Closed: Fixed None Opened 8 years ago by lkrispen.

While testing replication promotion code we found an issue with remaining keytabs from previous installs, preventing authentication with ipa command.

Here is what is left after uninstall:

Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Key table entry not found.

Removing Kerberos service principals from /etc/krb5.keytab
Failed to remove Kerberos service principals: Command ''/usr/sbin/ipa-rmkeytab' '-k' '/etc/krb5.keytab' '-r' 'ABC.IDM.LAB.ENG.BRQ.REDHAT.COM'' returned non-zero exit status 5
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
# find /etc -name "*keytab"
/etc/httpd/conf/ipa.keytab
/etc/krb5.keytab
/etc/named.keytab
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab

I wonder why the uninstaller is running another IPA client uninstall after IPA master is removed.

IMHO IPA client configuration (including emptying host keytab) is run as a second step of IPA server uninstallation as you can see from the output. Running another client uninstallation after this is bound for failure.

Also should we remove /etc/krb5.keytab after IPA server/replica uninstallation? IIRC it is used also for other services so it is probably best to only remove IPA-specific principal from it.

master:

  • 117bf5a remove Kerberos authenticators when installing/uninstalling service instance
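
To check what an uninstall left behind, each keytab found under /etc can be inspected for principals of the removed realm while entries for other realms are left alone. The following is an added example, not FreeIPA code: it reads the MIT keytab file format (version 0x0502) directly; the function names, realm and host names are assumptions, and the sample keytab is constructed.

```python
import struct

def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """List (principal, kvno) for each live entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    found, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:            # zero-length record: stop rather than loop on padding
            break
        if size < 0:             # negative length marks a deleted entry (a hole)
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        if len(entry) != size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp.decode())
        off += 8                 # skip name_type and timestamp (uint32 each)
        kvno = entry[off]        # 8-bit key version number
        _key, off = _counted(entry, off + 3)   # skip vno8 + uint16 enctype, then key
        if len(entry) - off >= 4:              # optional 32-bit kvno overrides vno8
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        found.append(("/".join(comps) + "@" + realm.decode(), kvno))
    return found

def leftover_for_realm(data, realm):
    """Principals of `realm` still present, e.g. after an uninstall."""
    return [p for p, _ in keytab_principals(data) if p.endswith("@" + realm)]

def _entry(realm, comps, kvno):
    """Build one constructed entry with an all-zero AES-256 key (test data only)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno, 18) + cs(bytes(32)) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one IPA-realm entry, one hole, one unrelated-realm entry.
SAMPLE = (b"\x05\x02" + _entry("IPA.EXAMPLE.TEST", ["HTTP", "replica.ipa.example.test"], 2)
          + struct.pack(">i", -8) + bytes(8)
          + _entry("OTHER.EXAMPLE.TEST", ["nfs", "replica.ipa.example.test"], 1))
```

On a real host the same check is `leftover_for_realm(open(path, "rb").read(), realm)` for each path reported by `find /etc -name "*keytab"`; an empty list means no principal of that realm remains in the file.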

Metadata Update from @lkrispen:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3

7 years ago
