[Freeipa-users] ipa-client-install errors
Rob Crittenden
rcritten at redhat.com
Wed Apr 20 19:14:08 UTC 2016
Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library/
What does /etc/krb5.conf look like?
> Installation failed. Rolling back changes.
>
> /Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255/
This is unrelated to the enrollment problem.
rob
>
> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 20, 2016 2:12 PM
> To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
> /etc/krb5.keytab Kerberos context initialization failed
>
> [root at cprddb1 /]#
>
> Gady
>
> -----Original Message-----
>
> From: Rob Crittenden [mailto:rcritten at redhat.com]
>
> Sent: April 20, 2016 1:59 PM
>
> To: Martin Basti; Gady Notrica; freeipa-users at redhat.com
> <mailto:freeipa-users at redhat.com>
>
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Martin Basti wrote:
>
> >
>
> >
>
> > On 20.04.2016 18:00, Gady Notrica wrote:
>
> >>
>
> >> Hello World,
>
> >>
>
> >> I am having these errors trying to install ipa-client-install. Every
>
> >> other machine is fine and they IPA servers are functioning perfectly
>
> >>
>
> >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> >>
>
> >> Kerberos authentication failed: kinit: Improper format of Kerberos
>
> >> configuration file while initializing Kerberos 5 library
>
> >>
>
> >> Then I have "/Installation failed. Rolling back changes."/
>
> >>
>
> >> I have tried everything I know with no luck. Any idea on how to FIX
>
> >> this? Below is the full log.
>
> >>
>
> >> -----------------------------------------------------------
>
> >>
>
> >> /Continue to configure the system with these values? [no]: yes/
>
> >>
>
> >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>
> >>
>
> >> /Skipping synchronizing time with NTP server./
>
> >>
>
> >> /User authorized to enroll computers: admin/
>
> >>
>
> >> /Password for admin at IPA.DOMAIN.COM:/ <mailto:admin at IPA.DOMAIN.COM:/>
>
> >>
>
> >> /Please make sure the following ports are opened in the firewall
>
> >> settings:/
>
> >>
>
> >> /TCP: 80, 88, 389/
>
> >>
>
> >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>
> >>
>
> >> /Also note that following ports are necessary for ipa-client working
>
> >> properly after enrollment:/
>
> >>
>
> >> /TCP: 464/
>
> >>
>
> >> /UDP: 464, 123 (if NTP enabled)/
>
> >>
>
> >> /Kerberos authentication failed: kinit: Improper format of Kerberos
>
> >> configuration file while initializing Kerberos 5 library/
>
> >>
>
> >> //
>
> >>
>
> >> /Installation failed. Rolling back changes./
>
> >>
>
> >> /Failed to list certificates in /etc/ipa/nssdb: Command
>
> >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>
> >> exit status 255/
>
> >>
>
> >> /Disabling client Kerberos and LDAP configurations/
>
> >>
>
> >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>
> >> /etc/sssd/sssd.conf.deleted/
>
> >>
>
> >> /Restoring client configuration files/
>
> >>
>
> >> /nscd daemon is not installed, skip configuration/
>
> >>
>
> >> /nslcd daemon is not installed, skip configuration/
>
> >>
>
> >> /Client uninstall complete./
>
> >>
>
> >> /---------------------------------------------------------------/
>
> >>
>
> >> Gady
>
> >>
>
> >>
>
> >>
>
> > Hello,
>
> >
>
> > IMO you have an old invalid keytab on that machine. Can you manually
>
> > remove it and try to reinstall client? (Of course only if you are sure
>
> > that keytab there is not needed)
>
> >
>
> > The keytab should be located here /etc/krb5.keytab
>
> That or /etc/krb5.conf is messed up in some way.
>
> rob
>
> --
>
> Manage your subscription for the Freeipa-users mailing list:
>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Go to http://freeipa.org for more info on the project
>
More information about the Freeipa-users
mailing list