While testing replication promotion code we found an issue with remaining keytabs from previous installs, preventing authentication with the ipa command.
Here is what is left after uninstall:
```
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Key table entry not found.
Removing Kerberos service principals from /etc/krb5.keytab
Failed to remove Kerberos service principals: Command ''/usr/sbin/ipa-rmkeytab' '-k' '/etc/krb5.keytab' '-r' 'ABC.IDM.LAB.ENG.BRQ.REDHAT.COM'' returned non-zero exit status 5
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.

# find /etc -name "*keytab"
/etc/httpd/conf/ipa.keytab
/etc/krb5.keytab
/etc/named.keytab
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab
```
I wonder why the uninstaller is running another IPA client uninstall after the IPA master is removed.
IMHO IPA client configuration (including emptying the host keytab) is run as a second step of IPA server uninstallation, as you can see from the output. Running another client uninstallation after this is bound to fail.
Also, should we remove /etc/krb5.keytab after IPA server/replica uninstallation? IIRC it is also used for other services, so it is probably best to only remove the IPA-specific principal from it.
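A post-uninstall check for the question raised above, as an added example that is not part of the ticket or of FreeIPA's code: it parses `klist -k` output for a leftover keytab and separates principals in the uninstalled realm from entries that belong to other services. The sample output, host names and realm names are constructed, and `audit_keytab` is a hypothetical helper.

```python
import re

# Constructed sample of `klist -k` output; hosts and realms are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/replica1.ipa.example.test@IPA.EXAMPLE.TEST
   2 host/replica1.ipa.example.test@IPA.EXAMPLE.TEST
   1 nfs/replica1.ipa.example.test@IPA.EXAMPLE.TEST
   3 host/replica1.corp.example.test@CORP.EXAMPLE.TEST
"""

# An entry line is "<kvno> <principal>@<REALM>"; header lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, realm) tuples from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(text, ipa_realm):
    """Split keytab entries into leftovers from ipa_realm and entries to keep."""
    stale, keep = set(), set()
    for _kvno, princ, realm in parse_klist(text):
        # Kerberos realm names are case-sensitive, so compare exactly.
        (stale if realm == ipa_realm else keep).add(f"{princ}@{realm}")
    return {
        "stale": sorted(stale),
        "keep": sorted(keep),
        # Deleting the whole file is only safe when nothing else lives in it.
        "safe_to_delete_file": not keep,
    }


if __name__ == "__main__":
    report = audit_keytab(SAMPLE_KLIST, "IPA.EXAMPLE.TEST")
    for key, value in report.items():
        print(key, value)
```

A non-empty `stale` list after uninstall means principals of the old realm are still in the keytab; a non-empty `keep` list means the file is shared and should not be deleted outright.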
master:
Metadata Update from @lkrispen:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3