[Freeipa-users] ipa-client-install errors
Gady Notrica
gnotrica at candeal.com
Wed Apr 20 18:40:57 UTC 2016
Thank you guys for your help.
Still can't enroll the client. Any suggestion on the errors below?
Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Gady Notrica
-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Any specific command in particular to remove that keytab?
Since these don't work
[root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab Kerberos context initialization failed
[root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab Kerberos context initialization failed
[root at cprddb1 /]#
Gady
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users at redhat.com<mailto:freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] ipa-client-install errors
Martin Basti wrote:
>
>
> On 20.04.2016 18:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every
>> other machine is fine and they IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "/Installation failed. Rolling back changes."/
>>
>> I have tried everything I know with no luck. Any idea on how to FIX
>> this? Below is the full log.
>>
>> -----------------------------------------------------------
>>
>> /Continue to configure the system with these values? [no]: yes/
>>
>> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>>
>> /Skipping synchronizing time with NTP server./
>>
>> /User authorized to enroll computers: admin/
>>
>> /Password for admin at IPA.DOMAIN.COM:/<mailto:admin at IPA.DOMAIN.COM:/>
>>
>> /Please make sure the following ports are opened in the firewall
>> settings:/
>>
>> /TCP: 80, 88, 389/
>>
>> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>>
>> /Also note that following ports are necessary for ipa-client working
>> properly after enrollment:/
>>
>> /TCP: 464/
>>
>> /UDP: 464, 123 (if NTP enabled)/
>>
>> /Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library/
>>
>> //
>>
>> /Installation failed. Rolling back changes./
>>
>> /Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255/
>>
>> /Disabling client Kerberos and LDAP configurations/
>>
>> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted/
>>
>> /Restoring client configuration files/
>>
>> /nscd daemon is not installed, skip configuration/
>>
>> /nslcd daemon is not installed, skip configuration/
>>
>> /Client uninstall complete./
>>
>> /---------------------------------------------------------------/
>>
>> Gady
>>
>>
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually
> remove it and try to reinstall client? (Of course only if you are sure
> that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab
That or /etc/krb5.conf is messed up in some way.
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160420/d25f28c1/attachment.htm>
More information about the Freeipa-users
mailing list