[Freeipa-users] Client not installing

Rob Crittenden rcritten at redhat.com
Fri Oct 3 03:22:51 UTC 2014

Craig Parker wrote:
> On 02/10/14 15:36, Hatim Diab wrote:
>> Hi All,
>> I have a new installation of freeipa 
>> ipa-server-3.0.0-37.el6.x86_64
>> on CentOS 6.5
>> one of my clients stopped authentication last night, I performed a ipa-client-install —uninstall from the client then on trying to delete the the host 
>> # ipa host-del client.x.y.z
>> ipa: ERROR: Certificate format error: [Errno -5925] error (-5925) unknown
>> /var/log/krb5kdc.log
>> Oct 02 10:27:07 <server> krb5kdc[30623](info): TGS_REQ (4 etypes {18 17 16 23}) <server_IP>: ISSUE: authtime 1412221207, etypes {rep=18 tkt=18 ses=18}, HTTP/<server>@<realm> for ldap/<server>@<realm>
>> Oct 02 10:27:07 <server> krb5kdc[30623](info): ... CONSTRAINED-DELEGATION s4u-client=admin@<realm>
>> trying to add back the client 
>> [root at client ~]# ipa-client-install --domain=<doamin> --server=<server>
>> Autodiscovery of servers for failover cannot work with this configuration.
>> If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>> Proceed with fixed values and no DNS discovery? [no]: yes
>> Hostname: <server>
>> Realm: <realm>
>> DNS Domain: <domain>
>> IPA Server: <server>
>> BaseDN: dc=<baseDN>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...
>> Password for admin@<realm>: 
>> Successfully retrieved CA cert
>>     Subject:     CN=Certificate Authority,O=<realm>
>>     Issuer:      CN=Certificate Authority,O=<realm>
>>     Valid From:  Sun Sep 21 20:42:12 2014 UTC
>>     Valid Until: Thu Sep 21 20:42:12 2034 UTC
>> Joining realm failed: RPC failed at server.  Certificate format error: [Errno -5925] error (-5925) unknown
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> Cheers,
>> Tim
> It could be related to this  bug -
> https://bugzilla.redhat.com/show_bug.cgi?id=738456 as I ran into an
> issue where I was getting an "error (-5925)", downgrading nss fixed it
> for me.
> Unless error 5925 applies to many things, in which case ignore me. :)

I think in this case a certificate (or something) is stored in LDAP that
is unreadable by NSS.

It would be handy to know what is in there so we can handle this more
gracefully. You'll probably need to use ldapsearch to get the entry
since IPA is throwing up on it.

Something like:

$ kinit admin
$ ldapsearch -Y GSSAPI -b

This should just be a public cert, but feel free to send this to me
directly if you'd like.

To delete the value do something like:

$ ldapmodify -Y GSSAPI
dn: fqdn=client.x.y.z,cn=computers,cn=accounts,dc=x,dc=y,dc=z
changetype: modify
delete: userCertificate


Then ipa host-del should work.


More information about the Freeipa-users mailing list