[Freeipa-users] ipa-client-install errors

Gady Notrica gnotrica at candeal.com
Wed Apr 20 19:40:04 UTC 2016


Please find below the krb5.conf. It still has the original content.



[root at prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes
....
Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
....
Client uninstall complete.

[root at prddb1]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root at prddb1]#



Gady



-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors



Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

> Installation failed. Rolling back changes.
>
> /Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255/

This is unrelated to the enrollment problem.

rob



>
> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 20, 2016 2:12 PM
> To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root at cprddb1 /]#
>
> Gady
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: April 20, 2016 1:59 PM
> To: Martin Basti; Gady Notrica; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Martin Basti wrote:
>  >
>  > On 20.04.2016 18:00, Gady Notrica wrote:
>  >>
>  >> Hello World,
>  >>
>  >> I am having these errors trying to install ipa-client-install. Every
>  >> other machine is fine and the IPA servers are functioning perfectly
>  >>
>  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>  >>
>  >> Kerberos authentication failed: kinit: Improper format of Kerberos
>  >> configuration file while initializing Kerberos 5 library
>  >>
>  >> Then I have "/Installation failed. Rolling back changes."/
>  >>
>  >> I have tried everything I know with no luck. Any idea on how to FIX
>  >> this? Below is the full log.
>  >>
>  >> -----------------------------------------------------------
>  >>
>  >> /Continue to configure the system with these values? [no]: yes/
>  >>
>  >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>  >>
>  >> /Skipping synchronizing time with NTP server./
>  >>
>  >> /User authorized to enroll computers: admin/
>  >>
>  >> /Password for admin at IPA.DOMAIN.COM:/
>  >>
>  >> /Please make sure the following ports are opened in the firewall
>  >> settings:/
>  >>
>  >> /TCP: 80, 88, 389/
>  >>
>  >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>  >>
>  >> /Also note that following ports are necessary for ipa-client working
>  >> properly after enrollment:/
>  >>
>  >> /TCP: 464/
>  >>
>  >> /UDP: 464, 123 (if NTP enabled)/
>  >>
>  >> /Kerberos authentication failed: kinit: Improper format of Kerberos
>  >> configuration file while initializing Kerberos 5 library/
>  >>
>  >> /Installation failed. Rolling back changes./
>  >>
>  >> /Failed to list certificates in /etc/ipa/nssdb: Command
>  >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>  >> exit status 255/
>  >>
>  >> /Disabling client Kerberos and LDAP configurations/
>  >>
>  >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>  >> /etc/sssd/sssd.conf.deleted/
>  >>
>  >> /Restoring client configuration files/
>  >>
>  >> /nscd daemon is not installed, skip configuration/
>  >>
>  >> /nslcd daemon is not installed, skip configuration/
>  >>
>  >> /Client uninstall complete./
>  >>
>  >> /---------------------------------------------------------------/
>  >>
>  >> Gady
>  >>
>  > Hello,
>  >
>  > IMO you have an old invalid keytab on that machine. Can you manually
>  > remove it and try to reinstall client? (Of course only if you are sure
>  > that keytab there is not needed)
>  >
>  > The keytab should be located here /etc/krb5.keytab
>
> That or /etc/krb5.conf is messed up in some way.
>
> rob
>
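
The question asked in the thread, what /etc/krb5.conf looks like, can also be checked mechanically. The following is an added example, not part of the original thread and not FreeIPA or MIT Kerberos code: a simplified structural check of krb5.conf text (section headers, "name = value" relations, brace nesting) that reports the line where the layout breaks. The function name and both sample strings are assumptions constructed for illustration, and the check does not follow include directives.

```python
import re

SECTION = re.compile(r"^\[[^\]\s]+\]\*?$")
RELATION = re.compile(r"^[^\s={}\[\]]+\s*=\s*(.*)$")
DIRECTIVES = ("include", "includedir", "module")

def lint_krb5_conf(text):
    """Return [(line_no, problem)] for structural errors in krb5.conf text."""
    problems, in_section, depth = [], False, 0
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        words = line.split()
        if words[0] in DIRECTIVES and words[1:2] != ["="]:
            continue                      # directive; its target is not followed
        if line.startswith("["):
            if not SECTION.match(line):
                problems.append((n, "malformed section header"))
            if depth:
                problems.append((n, "new section inside an unclosed '{'"))
                depth = 0
            in_section = True
        elif line in ("}", "}*"):
            if depth == 0:
                problems.append((n, "'}' without a matching '{'"))
            depth = max(depth - 1, 0)
        else:
            m = RELATION.match(line)
            if not m:
                problems.append((n, "not a 'name = value' relation"))
            elif not in_section:
                problems.append((n, "relation before any [section]"))
            elif m.group(1) == "{":
                depth += 1            # subsection opened, expect a later '}'
    if depth:
        problems.append((len(lines), "unclosed '{' at end of file"))
    return problems

# Constructed samples: the [realms] stanza from the posted file, once as
# posted (fully commented out) and once with only part of it uncommented.
AS_POSTED = "[realms]\n# EXAMPLE.COM = {\n#  kdc = kerberos.example.com\n# }\n"
HALF_EDITED = ("[realms]\nEXAMPLE.COM = {\n  kdc = kerberos.example.com\n# }\n"
               "\n[domain_realm]\n")

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("half edited", HALF_EDITED)):
        print(name, lint_krb5_conf(text))
```

Run it over /etc/krb5.conf and separately over any file that configuration pulls in with include or includedir, since those are skipped here.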

