ipa-client-install fails to update DNS entry for a server that was reinstalled from CentOS 7 -> 8 (it was previously registered)
nsupdate fails with the message: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = KDC returned error string: NO PREAUTH.
All DNS entries updated (especially the SSHFP values)
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

Client:
package freeipa-server is not installed
package freeipa-client is not installed
package ipa-server is not installed
ipa-client-4.9.6-6.module+el8.5.0+674+69615a50.x86_64
package 389-ds-base is not installed
package pki-ca is not installed
package krb5-server is not installed

Server:
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
krb5-server-1.18.2-14.el8.x86_64
Jan 12 15:49:54 ipa named-pkcs11[3283]: client @0x7f3d2efa02c0 192.168.8.24#51837: update '168.192.in-addr.arpa/IN' denied
Jan 12 16:35:45 ipa named-pkcs11[3283]: client @0x7f3d2e93e650 192.168.8.110#45391: received notify for zone 'o2pos.com.br'
Jan 12 16:35:45 ipa named-pkcs11[3283]: zone o2pos.com.br/IN: sending notifies (serial 1642016145)
Jan 12 16:36:18 ipa named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa named-pkcs11[3283]: client @0x7f3d268dbfb0 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d32afd7c0 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d32afd7c0 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#44190: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d32afd7c0 192.168.8.116#44190: update 'o2pos.com.br/IN' denied
Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
Attachment: ipaclient-install.log (/freeipa/issue/raw/files/3515a1b4ae05afb5647aa315e139e408ee81da3c05d52f879366dcf65295bd3a-ipaclient-install.log)
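As an added example that is not part of the report or of FreeIPA: a small shell helper that pulls the "update ... denied" entries out of a named / named-pkcs11 log and counts them per client address and zone, so the host whose dynamic updates are being refused can be picked out on the server side before touching any client. The sample lines are constructed from the ones quoted above; the journalctl unit name in the usage comment is an assumption for an EL8 IPA server.

```shell
#!/bin/sh
# Added example, not from the ticket: summarize denied dynamic DNS updates
# from named / named-pkcs11 log lines, per client address and zone.

# Sample lines, constructed from the ones quoted in the report.
sample_log() {
cat <<'EOF'
Jan 12 15:49:54 ipa named-pkcs11[3283]: client @0x7f3d2efa02c0 192.168.8.24#51837: update '168.192.in-addr.arpa/IN' denied
Jan 12 16:35:45 ipa named-pkcs11[3283]: client @0x7f3d2e93e650 192.168.8.110#45391: received notify for zone 'o2pos.com.br'
Jan 12 16:36:18 ipa named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa named-pkcs11[3283]: client @0x7f3d268dbfb0 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#44190: update 'o2pos.com.br/IN' denied
EOF
}

# denied_updates: read log lines on stdin, print "COUNT CLIENT ZONE" for each
# (client, zone) pair whose updates were denied, most frequent first.
# Works whether or not the client token carries the "@0x..." pointer that
# newer BIND versions log, because it locates the "update" token by value.
denied_updates() {
    awk '
        /named(-pkcs11)?\[[0-9]+\]: client / && $NF == "denied" {
            ip = ""; zone = ""
            for (i = 2; i < NF; i++)
                if ($i == "update") { ip = $(i - 1); zone = $(i + 1) }
            if (ip == "" || zone == "") next
            sub(/#.*$/, "", ip)                       # "192.168.8.116#46955:" -> address only
            zone = substr(zone, 2, length(zone) - 2)  # BIND quotes the zone name
            count[ip " " zone]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Usage on a live EL8 IPA server (unit name assumed):
#   journalctl -u named-pkcs11 --no-pager | denied_updates
```

Run against the constructed sample, the helper reports 3 denied updates for 192.168.8.116 in o2pos.com.br/IN and 1 for 192.168.8.24 in the reverse zone, and ignores the notify line.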
What do you mean re-installed? As in a whole new installation? If so, the Kerberos master key changed and the client needs to be re-enrolled completely.
I mean the whole operating system is reinstalled (due to a crash or upgrade) and you need to enroll it again with the "ipa-client-install --force" command.
A re-install generates a new Kerberos master key and CA. The client must be re-installed from scratch to pick this up.
Metadata Update from @rcritten:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

Metadata Update from @ricardoalonso:
- Issue status updated to: Open (was: Closed)
It's the client reinstall, not the server. The server hasn't changed. I updated the description.
What's the use-case here? The client went away somehow so you're installing it as a client again. Why use --force? That will not cause the installation to fail if the enrollment does, but it also won't get a new keytab, hence the GSS errors you report.
Are you trying to retain the original host and service entries for some reason? Those services, if they have keytabs, will need to be re-generated as well. And any certificates re-issued.
I suspect what you want is to run ipa host-disable <host> first which, if memory serves, will drop the keytab and allow for more graceful re-enrollment.

ipa host-disable <host>
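The sequence rcritten describes above (disable the stale host entry, re-enroll cleanly instead of using --force, then refresh service keytabs and check DNS), written out as an added example script that is not from the ticket or from FreeIPA. The hostnames client.example.test and ipa.example.test, the domain, the admin principal and the HTTP service keytab path are assumptions for illustration; step 1 runs wherever an admin ticket is held and steps 2 to 5 on the reinstalled client. With DRY_RUN=1 the script only prints the commands it would run, which is how the order can be reviewed before touching a live realm.

```shell
#!/bin/sh
# Added example, not part of the ticket or of FreeIPA: the re-enrollment
# sequence suggested in the thread, wrapped so it can be previewed with
# DRY_RUN=1. Hostnames, domain, admin principal and service keytab path
# are assumptions; replace them for your realm.
set -eu

# run CMD...: execute, or just print the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1, on a machine with an admin ticket: disable the stale host entry.
# host-disable disables the host's Kerberos key, certificate and services
# but keeps the host entry, so a fresh keytab is issued at enrollment.
disable_stale_host() {
    host=$1
    run ipa host-disable "$host"
}

# Step 2, on the reinstalled client: a clean enrollment rather than --force.
# --force only ignores enrollment failures; it does not fetch a new keytab,
# which is why the GSS-TSIG DNS updates fail afterwards.
enroll_client() {
    host=$1 server=$2 domain=$3 admin=${4:-admin}
    # Remove leftovers from a half-finished attempt; harmless if none exist.
    run ipa-client-install --uninstall --unattended || true
    run ipa-client-install --hostname "$host" --server "$server" \
        --domain "$domain" --principal "$admin" -W \
        --enable-dns-updates --ssh-trust-dns --mkhomedir
}

# Step 3, still on the client: prove the new host keytab works against the
# KDC before blaming DNS. kinit -k uses host/<fqdn> from /etc/krb5.keytab.
check_host_keytab() {
    run klist -kte /etc/krb5.keytab
    run kinit -k
    run klist
}

# Step 4: any service on this host with its own keytab (an HTTP principal
# is assumed here) needs new keys too; the old ones went with the host.
refresh_service_keytab() {
    host=$1 server=$2 svc=${3:-HTTP} keytab=${4:-/etc/httpd/conf/ipa.keytab}
    run ipa-getkeytab -s "$server" -p "$svc/$host" -k "$keytab"
}

# Step 5: confirm the records the report cared about actually landed.
verify_dns() {
    host=$1 server=$2
    run dig "@$server" +short A "$host"
    run dig "@$server" +short SSHFP "$host"
}

# reenroll_plan HOST SERVER DOMAIN: the whole sequence in order. Steps 1 and
# 2-5 normally run on different machines; one function here is for preview.
reenroll_plan() {
    disable_stale_host "$1"
    enroll_client "$1" "$2" "$3"
    check_host_keytab
    refresh_service_keytab "$1" "$2"
    verify_dns "$1" "$2"
}

# Only act when explicitly asked, e.g.:
#   REENROLL_RUN=1 DRY_RUN=1 sh reenroll.sh client.example.test ipa.example.test example.test
if [ "${REENROLL_RUN:-0}" = 1 ]; then
    reenroll_plan "$@"
fi
```

Certificates issued to the host are not handled by the script: after host-disable they have to be re-requested through certmonger (ipa-getcert list shows the tracked requests), which is easier to do by hand once the new host keytab is confirmed working.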