[Freeipa-users] ipa-client-install errors

Rob Crittenden rcritten at redhat.com
Wed Apr 20 19:14:08 UTC 2016 

Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

> Installation failed. Rolling back changes.
>
> /Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255/

This is unrelated to the enrollment problem.

rob

>
> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 20, 2016 2:12 PM
> To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
> /etc/krb5.keytab Kerberos context initialization failed
>
> [root at cprddb1 /]#
>
> Gady
>
> -----Original Message-----
>
> From: Rob Crittenden [mailto:rcritten at redhat.com]
>
> Sent: April 20, 2016 1:59 PM
>
> To: Martin Basti; Gady Notrica; freeipa-users at redhat.com
> <mailto:freeipa-users at redhat.com>
>
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Martin Basti wrote:
>
>  >
>
>  >
>
>  > On 20.04.2016 18:00, Gady Notrica wrote:
>
>  >>
>
>  >> Hello World,
>
>  >>
>
>  >> I am having these errors trying to install ipa-client-install. Every
>
>  >> other machine is fine and they IPA servers are functioning perfectly
>
>  >>
>
>  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
>  >>
>
>  >> Kerberos authentication failed: kinit: Improper format of Kerberos
>
>  >> configuration file while initializing Kerberos 5 library
>
>  >>
>
>  >> Then I have "/Installation failed. Rolling back changes."/
>
>  >>
>
>  >> I have tried everything I know with no luck. Any idea on how to FIX
>
>  >> this? Below is the full log.
>
>  >>
>
>  >> -----------------------------------------------------------
>
>  >>
>
>  >> /Continue to configure the system with these values? [no]: yes/
>
>  >>
>
>  >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>
>  >>
>
>  >> /Skipping synchronizing time with NTP server./
>
>  >>
>
>  >> /User authorized to enroll computers: admin/
>
>  >>
>
>  >> /Password for admin at IPA.DOMAIN.COM:/ <mailto:admin at IPA.DOMAIN.COM:/>
>
>  >>
>
>  >> /Please make sure the following ports are opened in the firewall
>
>  >> settings:/
>
>  >>
>
>  >> /TCP: 80, 88, 389/
>
>  >>
>
>  >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>
>  >>
>
>  >> /Also note that following ports are necessary for ipa-client working
>
>  >> properly after enrollment:/
>
>  >>
>
>  >> /TCP: 464/
>
>  >>
>
>  >> /UDP: 464, 123 (if NTP enabled)/
>
>  >>
>
>  >> /Kerberos authentication failed: kinit: Improper format of Kerberos
>
>  >> configuration file while initializing Kerberos 5 library/
>
>  >>
>
>  >> //
>
>  >>
>
>  >> /Installation failed. Rolling back changes./
>
>  >>
>
>  >> /Failed to list certificates in /etc/ipa/nssdb: Command
>
>  >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>
>  >> exit status 255/
>
>  >>
>
>  >> /Disabling client Kerberos and LDAP configurations/
>
>  >>
>
>  >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>
>  >> /etc/sssd/sssd.conf.deleted/
>
>  >>
>
>  >> /Restoring client configuration files/
>
>  >>
>
>  >> /nscd daemon is not installed, skip configuration/
>
>  >>
>
>  >> /nslcd daemon is not installed, skip configuration/
>
>  >>
>
>  >> /Client uninstall complete./
>
>  >>
>
>  >> /---------------------------------------------------------------/
>
>  >>
>
>  >> Gady
>
>  >>
>
>  >>
>
>  >>
>
>  > Hello,
>
>  >
>
>  > IMO you have an old invalid keytab on that machine. Can you manually
>
>  > remove it and try to reinstall client? (Of course only if you are sure
>
>  > that keytab there is not needed)
>
>  >
>
>  > The keytab should be located here /etc/krb5.keytab
>
> That or /etc/krb5.conf is messed up in some way.
>
> rob
>
> --
>
> Manage your subscription for the Freeipa-users mailing list:
>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Go to http://freeipa.org for more info on the project
>

More information about the Freeipa-users mailing list