[Freeipa-users] ipa-client-install errors

Rob Crittenden rcritten at redhat.com
Wed Apr 20 19:52:24 UTC 2016


Gady Notrica wrote:
> Please find below the krb5.conf. It still has the original content.
>
> [root at prddb1]# ipa-client-install
> Discovery was successful!
> ...
> Continue to configure the system with these values? [no]: yes
> ....
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> ....
> Client uninstall complete.
>
> [root at prddb1]# cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> # default_realm = EXAMPLE.COM
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> #  kdc = kerberos.example.com
> #  admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> [root at prddb1]#

Ok, I agree with the others then, we need to see the full 
ipaclient-install.log. This file looks fine which means the temporary 
one that is configured must be bad in some way. The log will tell how.

rob

>
> Gady
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: April 20, 2016 3:14 PM
> To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Gady Notrica wrote:
>  > Thank you guys for your help.
>  >
>  > Still can't enroll the client. Any suggestion on the errors below?
>  >
>  > /Kerberos authentication failed: kinit: Improper format of Kerberos
>  > configuration file while initializing Kerberos 5 library/
>
> What does /etc/krb5.conf look like?
>
>  > Installation failed. Rolling back changes.
>  >
>  > /Failed to list certificates in /etc/ipa/nssdb: Command
>  > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>  > exit status 255/
>
> This is unrelated to the enrollment problem.
>
> rob
>
>  > Disabling client Kerberos and LDAP configurations
>  >
>  > Gady Notrica
>  >
>  > -----Original Message-----
>  > From: freeipa-users-bounces at redhat.com
>  > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
>  > Sent: April 20, 2016 2:12 PM
>  > To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com
>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>  >
>  > Any specific command in particular to remove that keytab?
>  >
>  > Since these don't work
>  >
>  > [root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
>  > Kerberos context initialization failed
>  >
>  > [root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
>  > Kerberos context initialization failed
>  >
>  > [root at cprddb1 /]#
>  >
>  > Gady
>  >
>  > -----Original Message-----
>  > From: Rob Crittenden [mailto:rcritten at redhat.com]
>  > Sent: April 20, 2016 1:59 PM
>  > To: Martin Basti; Gady Notrica; freeipa-users at redhat.com
>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>  >
>  > Martin Basti wrote:
>  >  > On 20.04.2016 18:00, Gady Notrica wrote:
>  >  >> Hello World,
>  >  >>
>  >  >> I am having these errors trying to install ipa-client-install. Every
>  >  >> other machine is fine and the IPA servers are functioning perfectly
>  >  >>
>  >  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>  >  >>
>  >  >> Kerberos authentication failed: kinit: Improper format of Kerberos
>  >  >> configuration file while initializing Kerberos 5 library
>  >  >>
>  >  >> Then I have "/Installation failed. Rolling back changes."/
>  >  >>
>  >  >> I have tried everything I know with no luck. Any idea on how to FIX
>  >  >> this? Below is the full log.
>  >  >>
>  >  >> -----------------------------------------------------------
>  >  >>
>  >  >> /Continue to configure the system with these values? [no]: yes/
>  >  >>
>  >  >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>  >  >>
>  >  >> /Skipping synchronizing time with NTP server./
>  >  >>
>  >  >> /User authorized to enroll computers: admin/
>  >  >>
>  >  >> /Password for admin at IPA.DOMAIN.COM:/
>  >  >>
>  >  >> /Please make sure the following ports are opened in the firewall
>  >  >> settings:/
>  >  >>
>  >  >> /TCP: 80, 88, 389/
>  >  >>
>  >  >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>  >  >>
>  >  >> /Also note that following ports are necessary for ipa-client working
>  >  >> properly after enrollment:/
>  >  >>
>  >  >> /TCP: 464/
>  >  >>
>  >  >> /UDP: 464, 123 (if NTP enabled)/
>  >  >>
>  >  >> /Kerberos authentication failed: kinit: Improper format of Kerberos
>  >  >> configuration file while initializing Kerberos 5 library/
>  >  >>
>  >  >> /Installation failed. Rolling back changes./
>  >  >>
>  >  >> /Failed to list certificates in /etc/ipa/nssdb: Command
>  >  >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>  >  >> exit status 255/
>  >  >>
>  >  >> /Disabling client Kerberos and LDAP configurations/
>  >  >>
>  >  >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>  >  >> /etc/sssd/sssd.conf.deleted/
>  >  >>
>  >  >> /Restoring client configuration files/
>  >  >>
>  >  >> /nscd daemon is not installed, skip configuration/
>  >  >>
>  >  >> /nslcd daemon is not installed, skip configuration/
>  >  >>
>  >  >> /Client uninstall complete./
>  >  >>
>  >  >> /---------------------------------------------------------------/
>  >  >>
>  >  >> Gady
>  >  >
>  >  > Hello,
>  >  >
>  >  > IMO you have an old invalid keytab on that machine. Can you manually
>  >  > remove it and try to reinstall client? (Of course only if you are sure
>  >  > that keytab there is not needed)
>  >  >
>  >  > The keytab should be located here /etc/krb5.keytab
>  >
>  > That or /etc/krb5.conf is messed up in some way.
>  >
>  > rob
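
The reply above rules out /etc/krb5.conf by reading it and concludes that a different Kerberos configuration file must be the malformed one. The following is an added example, not code from this thread or from the FreeIPA project: a simplified structural check for krb5.conf-style files (section headers, `tag = value` relations, `{ }` groups) that can be pointed at whichever candidate file the log identifies. It is not MIT Kerberos's own parser, and the broken sample and its hostname are constructed.

```python
import re
# Simplified structural check modelled on krb5.conf syntax: [section]
# headers, "tag = value" relations and "{ }" groups. Not MIT's parser.
HEADER = re.compile(r"^\[[^\[\]]+\]\*?$")

def check_krb5_conf(text):
    """Return [(line_number, problem)] for structural errors in text."""
    problems, section, depth, n = [], None, 0, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if (not line or line[0] in "#;"
                or line.split()[0] in ("include", "includedir")):
            continue                  # blank, comment or include directive
        if line.startswith("["):
            if depth:
                problems.append((n, "section header inside unclosed '{'"))
                depth = 0             # resync so later lines are still checked
            if HEADER.match(line):
                section = line
            else:
                problems.append((n, "malformed section header"))
        elif line.startswith("}"):
            if depth == 0:
                problems.append((n, "'}' without matching '{'"))
            else:
                depth -= 1
        elif section is None:
            problems.append((n, "relation before any [section]"))
        else:
            tag, eq, value = line.partition("=")
            if not eq or not tag.strip():
                problems.append((n, "expected 'tag = value'"))
            elif value.strip() == "{":
                depth += 1            # opens a group, e.g. a realm block
    if depth:
        problems.append((n, "missing '}' at end of file"))
    return problems

# Constructed sample of a malformed file; the hostname is a placeholder.
BROKEN = """\
[libdefaults]
  default_realm = IPA.DOMAIN.COM
[realms]
  IPA.DOMAIN.COM = {
    kdc ipa1.ipa.domain.com
[domain_realm]
"""

if __name__ == "__main__":
    print(check_krb5_conf(BROKEN))
```

Run against the /etc/krb5.conf quoted in this message, the check reports nothing, which matches the reading that the file "looks fine".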



