ipa-client-install --uninstall breaks host login with SELinux errors


Issue

  • When we run ipa-client-install --uninstall with SELinux enforcing, we cannot log in using SSH keys or a password via the console after reboot. An autorelabel is required to fix the SELinux labels:
# ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: no
The ipa-client-install command was successful
  • Then the login or passwd command fails:
# passwd
Changing password for user root.
passwd: Permission denied

Environment

  • Red Hat Enterprise Linux
  • SELinux
  • ipaclient
