<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:14px"><div id="yui_3_16_0_ym19_1_1464026170140_9135">Rob</div><div id="yui_3_16_0_ym19_1_1464026170140_9491">Thanks for the reply. <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1464026170140_9086"><span id="yui_3_16_0_ym19_1_1464026170140_9565">I didn't find anything obvious in /var/log/dirsrv/slapd-/access and errors  and /var/log/krb5kdc.log </span></div><div id="yui_3_16_0_ym19_1_1464026170140_10003">Do you know which service is responsible for providing  "/etc/krb5.keytab" to the client?<br></div><div dir="ltr"></div><div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 14px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font face="Arial" size="2"> On Monday, May 23, 2016 2:57 PM, Rob Crittenden <rcritten@redhat.com> wrote:<br></font></div>  <br><br> <div class="y_msg_container">Ask Stack wrote:<div class="yqt7051904539" id="yqtfd70379"><br clear="none">> My company's ipa-client-install fail very often. Debug logs show the<br clear="none">> process always failed at getting the /etc/krb5.keytab .<br clear="none">> Is there a way to modify the script to increase number of attempts to<br clear="none">> create /etc/krb5.keytab ?<br clear="none">><br clear="none">> I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain<br clear="none">> host TGT (defaults to 5)." But it comes after setting up the<br clear="none">> "/etc/krb5.keytab" file.<br clear="none">> Thanks.<br clear="none">><br clear="none">> server<br clear="none">> ipa-server-3.0.0-47.el6_7.1.x86_64<br clear="none">><br clear="none">> cleint<br clear="none">> ipa-client-3.0.0-47.el6_7.2.x86_64<br clear="none">> ipa-client-3.0.0-50.el6.1.x86_64<br clear="none">><br clear="none">><br clear="none">> #SUCCESSFUL ATTEMPT<br clear="none">><br clear="none">> </member>\n<br clear="none">> </struct></value>\n<br clear="none">> </data></array></value>\n<br clear="none">> </param>\n<br clear="none">> </params>\n<br clear="none">> </methodResponse>\n<br clear="none">><br clear="none">> Keytab successfully retrieved and stored in: /etc/krb5.keytab<br clear="none">> Certificate subject base is: O=TEST.COM<br clear="none">><br clear="none">> 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM<br clear="none">> 2016-05-23T14:40:49Z DEBUG args=kdestroy<br clear="none">> 2016-05-23T14:40:49Z DEBUG stdout=<br clear="none">> 2016-05-23T14:40:49Z DEBUG stderr=<br clear="none">><br clear="none">><br clear="none">><br clear="none">> #FAILED ATTEMPT<br clear="none">><br clear="none">> </member>\n<br clear="none">> </struct></value>\n<br clear="none">> </data></array></value>\n<br clear="none">> </param>\n<br clear="none">> </params>\n<br clear="none">> </methodResponse>\n<br clear="none">><br clear="none">> ipa-getkeytab: ../../../libraries/libldap/extended.c:177:<br clear="none">> ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.<br clear="none">> Certificate subject base is: O=TEST.COM<br clear="none">><br clear="none">> 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM<br clear="none">> 2016-05-23T14:37:08Z DEBUG args=kdestroy<br clear="none">> 2016-05-23T14:37:08Z DEBUG stdout=<br clear="none">> 2016-05-23T14:37:08Z DEBUG stderr=</div><br clear="none"><br clear="none">There is no retry capability and in some cases would be impossible to <br clear="none">add (the one-time password case). Can you check /var/log/krb5kdc on the <br clear="none">IPA master it connected to, and the 389-ds access and errors logs as <br clear="none">well. Perhaps one of those will have more information on why things failed.<br clear="none"><br clear="none">rob<div class="yqt7051904539" id="yqtfd45858"><br clear="none"><br clear="none"></div><br><br></div>  </div> </div>  </div></div></body></html>