#5050 Do we clean Kerberos kernel keyring when uninstall?
Closed: wontfix 5 years ago by rcritten. Opened 8 years ago by dpal.

This is a task inspired by ticket #4956. I wonder whether we clean the Kerberos ticket cache when we uninstall ipa-client. If we do then we are all set. If we do not, this probably should be turned into a bug and eventually addressed.


My experiences indicate that for FreeIPA 4.1 the ticket cache is NOT being cleaned, and this causes problems when switching a free-ipa host from one Server / KDC to another.

See the thread https://www.redhat.com/archives/freeipa-users/2015-June/msg00138.html

We were switching 30+ free-ipa hosts from an old 3.3.3 to a new 4.1 FreeIPA Server.

Hosts running EL 6.5 + ipa-client 3.3.3 + sssd 1.9.2 switched without problem (which indicates that either the caches were cleared, or not required).

Newly installed EL 7.1 + ipa-client 4.1 + sssd 1.12.2 hosts successfully registered with the new 4.1 Server (these had never been registered with the old 3.3.3 Server).

EL 7.1 + ipa-client 4.1 + sssd 1.12.2 that had previously been members of the 3.3.3 Server were problematic. While these hosts appeared to join the new 4.1 Server without visible problem, they no longer authenticated valid free-ipa users (e.g. remote ssh login with password).

To successfully switch these problem hosts we needed to manually clear the sssd caches (step 2 below).

1) ipa-client-install --uninstall

2) rm -f /var/lib/sss/db/*

3) ipa-client-install --server ldap.my.example.com --domain
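An added audit helper, not part of the ticket or of FreeIPA, that performs the check this comment is really asking for: run it between step 1 and step 3 to see what Kerberos and SSSD state survived the uninstall. It assumes the MIT default keytab path /etc/krb5.keytab, the FILE:/tmp/krb5cc_<uid> user ccache layout, that SSSD keeps the host ccache under /var/lib/sss/db as ccache_<REALM>, and that the EL7 KEYRING ccache can be inspected with klist; the root-prefix argument exists so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not FreeIPA code: list client-side Kerberos/SSSD state that
# can outlive `ipa-client-install --uninstall`. ROOT is a prefix ("/" on a
# real host, a scratch directory when testing) so the function can be run
# against a constructed tree. Findings go to stderr, the count to stdout.
leftover_creds() {
  root="${1:-/}"
  root="${root%/}"          # drop a trailing slash so paths join cleanly
  count=0
  # Host keytab: MIT Kerberos default location (assumed, not from the ticket).
  if [ -s "$root/etc/krb5.keytab" ]; then
    echo "host keytab still present: $root/etc/krb5.keytab" >&2
    count=$((count + 1))
  fi
  # SSSD databases: the directory wiped by step 2 (rm -f /var/lib/sss/db/*).
  # Assumption: SSSD also keeps the host ccache here as ccache_<REALM>.
  for f in "$root"/var/lib/sss/db/*; do
    [ -e "$f" ] || continue
    echo "sssd state still present: $f" >&2
    count=$((count + 1))
  done
  # File-based user ccaches: FILE:/tmp/krb5cc_<uid> is the EL6 default.
  for f in "$root"/tmp/krb5cc_*; do
    [ -e "$f" ] || continue
    echo "user ccache still present: $f" >&2
    count=$((count + 1))
  done
  echo "$count"              # machine-readable result on stdout
}

# Keyring ccaches (KEYRING:persistent:<uid>, the EL7 default) never touch
# disk, so the file scan above cannot see them; ask klist directly instead.
# Prints the ccache contents for UID (default: the current user) or nothing.
keyring_ccache() {
  command -v klist >/dev/null 2>&1 || return 0
  KRB5CCNAME="KEYRING:persistent:${1:-$(id -u)}" klist 2>/dev/null || true
}

# Usage on a real host, between step 1 and step 3 of the procedure above
# (hypothetical file name):  sh audit_creds.sh /
if [ $# -gt 0 ]; then
  leftover_creds "$1"
  keyring_ccache
fi
```

A non-zero count after the uninstall means step 3 will start with credentials or cached identities from the old realm still on the box.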

Step 2 above cleans the SSSD cache. I am talking about the Kerberos ticket cache.

Which ccache are you concerned about? All users, the host ccache, both?

The user's ccache should be fine, as tickets should be selected based on the destination realm. I am mostly worried about the host ticket for realm A that might still be lingering while the host has already been switched from realm A to realm B. Maybe it is not a problem, but I am just not sure that it really is not a problem.

triage comments:

  • I am not sure we should do this. We already had BIG trouble in the installers when we tried to remove
    • ab: we should not but print a warning
    • npmccallum: if DNS is not configured, the tickets are unusable since configuration is removed.

This ticket is a task to check whether we need to do something in this area or not. If we think that we should not do anything just close the ticket.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
