[Freeipa-users] Client not installing

Craig Parker craig at paragon.net.uk
Thu Oct 2 22:52:42 UTC 2014


On 02/10/14 15:36, Hatim Diab wrote:
> Hi All,
>
> I have a new installation of freeipa
>
> ipa-server-3.0.0-37.el6.x86_64
> on CentOS 6.5
>
> one of my clients stopped authentication last night, I performed an ipa-client-install --uninstall from the client then on trying to delete the host
>
> # ipa host-del client.x.y.z
> ipa: ERROR: Certificate format error: [Errno -5925] error (-5925) unknown
>
> /var/log/krb5kdc.log
> Oct 02 10:27:07 <server> krb5kdc[30623](info): TGS_REQ (4 etypes {18 17 16 23}) <server_IP>: ISSUE: authtime 1412221207, etypes {rep=18 tkt=18 ses=18}, HTTP/<server>@<realm> for ldap/<server>@<realm>
> Oct 02 10:27:07 <server> krb5kdc[30623](info): ... CONSTRAINED-DELEGATION s4u-client=admin@<realm>
>
> trying to add back the client
> [root@client ~]# ipa-client-install --domain=<domain> --server=<server>
> Autodiscovery of servers for failover cannot work with this configuration.
> If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
> Proceed with fixed values and no DNS discovery? [no]: yes
> Hostname: <server>
> Realm: <realm>
> DNS Domain: <domain>
> IPA Server: <server>
> BaseDN: dc=<baseDN>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin@<realm>:
> Successfully retrieved CA cert
>      Subject:     CN=Certificate Authority,O=<realm>
>      Issuer:      CN=Certificate Authority,O=<realm>
>      Valid From:  Sun Sep 21 20:42:12 2014 UTC
>      Valid Until: Thu Sep 21 20:42:12 2034 UTC
>
> Joining realm failed: RPC failed at server.  Certificate format error: [Errno -5925] error (-5925) unknown
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> Cheers,
> Tim
>
>

It could be related to this bug - 
https://bugzilla.redhat.com/show_bug.cgi?id=738456 - as I ran into an 
issue where I was getting an "error (-5925)"; downgrading nss fixed it 
for me.

Unless error 5925 applies to many things, in which case ignore me. :)

-- 
Craig Parker
Senior Systems Administrator | Paragon Internet Group
