[Freeipa-users] ipa-client-install errors

Rob Crittenden rcritten at redhat.com
Wed Apr 20 20:04:01 UTC 2016


Ok, Gady sent the complete file out-of-band and the temporary krb5.conf 
the client installer creates looks ok. It does include files from 
/var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files 
in there and if so, what the contents are?

BTW, what distro and release of ipa-client is this?

thanks

rob

Rob Crittenden wrote:
> Gady Notrica wrote:
>> Please find below the krb5.conf. It still has the original content.
>>
>> [root@prddb1]# ipa-client-install
>>
>> Discovery was successful!
>>
>> ...
>>
>> Continue to configure the system with these values? [no]: yes
>>
>> ....
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Installation failed. Rolling back changes.
>>
>> Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
>> status 255
>>
>> Disabling client Kerberos and LDAP configurations
>>
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>>
>> ....
>>
>> Client uninstall complete.
>>
>> [root@prddb1]# cat /etc/krb5.conf
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> dns_lookup_realm = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> rdns = false
>> # default_realm = EXAMPLE.COM
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> #  kdc = kerberos.example.com
>> #  admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>>
>> [root@prddb1]#
>
> Ok, I agree with the others then, we need to see the full
> ipaclient-install.log. This file looks fine which means the temporary
> one that is configured must be bad in some way. The log will tell how.
>
> rob
>
>>
>> Gady
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: April 20, 2016 3:14 PM
>> To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] ipa-client-install errors
>>
>> Gady Notrica wrote:
>>
>>  > Thank you guys for your help.
>>
>>  >
>>
>>  > Still can't enroll the client. Any suggestion on the errors below?
>>
>>  >
>>
>>  > /Kerberos authentication failed: kinit: Improper format of Kerberos
>>
>>  > configuration file while initializing Kerberos 5 library/
>>
>> What does /etc/krb5.conf look like?
>>
>>  > Installation failed. Rolling back changes.
>>
>>  >
>>
>>  > /Failed to list certificates in /etc/ipa/nssdb: Command
>>
>>  > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>>
>>  > exit status 255/
>>
>> This is unrelated to the enrollment problem.
>>
>> rob
>>
>>  >
>>
>>  > Disabling client Kerberos and LDAP configurations
>>
>>  >
>>
>>  > Gady Notrica
>>
>>  >
>>
>>  > -----Original Message-----
>>
>>  > From: freeipa-users-bounces at redhat.com
>>
>>  > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
>>
>>  > Sent: April 20, 2016 2:12 PM
>>
>>  > To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com
>>
>>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>>
>>  >
>>
>>  > Any specific command in particular to remove that keytab?
>>
>>  >
>>
>>  > Since these don't work
>>
>>  >
>>
>>  > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
>>  > Kerberos context initialization failed
>>  >
>>  > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
>>  > Kerberos context initialization failed
>>  >
>>  > [root@cprddb1 /]#
>>
>>  >
>>
>>  > Gady
>>
>>  >
>>
>>  > -----Original Message-----
>>
>>  >
>>
>>  > From: Rob Crittenden [mailto:rcritten at redhat.com]
>>
>>  >
>>
>>  > Sent: April 20, 2016 1:59 PM
>>
>>  >
>>
>>  > To: Martin Basti; Gady Notrica; freeipa-users at redhat.com
>>
>>  >
>>
>>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>>
>>  >
>>
>>  > Martin Basti wrote:
>>
>>  >
>>
>>  >  >
>>
>>  >
>>
>>  >  >
>>
>>  >
>>
>>  >  > On 20.04.2016 18:00, Gady Notrica wrote:
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> Hello World,
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> I am having these errors trying to install ipa-client-install.
>>
>>  > Every
>>
>>  >
>>
>>  >  >> other machine is fine and the IPA servers are functioning
>>
>>  > perfectly
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> Kerberos authentication failed: kinit: Improper format of Kerberos
>>
>>  >
>>
>>  >  >> configuration file while initializing Kerberos 5 library
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> Then I have "/Installation failed. Rolling back changes."/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> I have tried everything I know with no luck. Any idea on how to
>>
>>  > FIX
>>
>>  >
>>
>>  >  >> this? Below is the full log.
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> -----------------------------------------------------------
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Continue to configure the system with these values? [no]: yes/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Skipping synchronizing time with NTP server./
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /User authorized to enroll computers: admin/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Password for admin@IPA.DOMAIN.COM:/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Please make sure the following ports are opened in the firewall
>>
>>  >
>>
>>  >  >> settings:/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /TCP: 80, 88, 389/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Also note that following ports are necessary for ipa-client
>>
>>  > working
>>
>>  >
>>
>>  >  >> properly after enrollment:/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /TCP: 464/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /UDP: 464, 123 (if NTP enabled)/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Kerberos authentication failed: kinit: Improper format of
>>
>>  > Kerberos
>>
>>  >
>>
>>  >  >> configuration file while initializing Kerberos 5 library/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> //
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Installation failed. Rolling back changes./
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Failed to list certificates in /etc/ipa/nssdb: Command
>>
>>  >
>>
>>  >  >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>>
>>  >
>>
>>  >  >> exit status 255/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Disabling client Kerberos and LDAP configurations/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
>>
>>  > to
>>
>>  >
>>
>>  >  >> /etc/sssd/sssd.conf.deleted/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Restoring client configuration files/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /nscd daemon is not installed, skip configuration/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /nslcd daemon is not installed, skip configuration/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /Client uninstall complete./
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> /---------------------------------------------------------------/
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >> Gady
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  >>
>>
>>  >
>>
>>  >  > Hello,
>>
>>  >
>>
>>  >  >
>>
>>  >
>>
>>  >  > IMO you have an old invalid keytab on that machine. Can you
>>
>>  > manually
>>
>>  >
>>
>>  >  > remove it and try to reinstall client? (Of course only if you are
>>
>>  > sure
>>
>>  >
>>
>>  >  > that keytab there is not needed)
>>
>>  >
>>
>>  >  >
>>
>>  >
>>
>>  >  > The keytab should be located here /etc/krb5.keytab
>>
>>  >
>>
>>  > That or /etc/krb5.conf is messed up in some way.
>>
>>  >
>>
>>  > rob
>>
>>  >
>>
>>  > --
>>
>>  >
>>
>>  > Manage your subscription for the Freeipa-users mailing list:
>>
>>  >
>>
>>  > https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>  >
>>
>>  > Go to http://freeipa.org for more info on the project
>>
>>  >
>>
>
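
The check asked for at the top of this message, finding which file pulled in from /var/lib/sss/pubconf/krb5.include.d/ has a format problem, can be scripted. This is an added example, not part of the original thread and not FreeIPA or libkrb5 code: it follows include/includedir directives from a krb5.conf and reports file and line for entries that break a simplified subset of the profile syntax; the files and names built in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

SECTION = re.compile(r"^\[[^\[\]]+\]\*?$")
RELATION = re.compile(r"^[^\s=]+\s*=\s*(.*)$")
INCLUDE = re.compile(r"^(include|includedir)\s+(\S.*?)\s*$")
# krb5.conf(5): includedir reads names of alphanumerics, '-', '_' (1.15+: also *.conf)
DIR_NAME = re.compile(r"^[A-Za-z0-9_-]+$|^[^.].*\.conf$")

def lint(path):
    """Return [(file, line_no, problem)] for path and its includes (simplified checks)."""
    try:
        lines = Path(path).read_text(errors="replace").splitlines()
    except OSError as exc:
        return [(str(path), 0, f"cannot read: {exc.strerror}")]
    found, depth = [], 0
    for no, raw in enumerate(lines, 1):
        line, inc = raw.strip(), INCLUDE.match(raw)
        if not line or line[0] in "#;":
            continue
        if inc:  # a missing include target surfaces as "cannot read"
            kind, where = inc.group(1), Path(inc.group(2))
            kids = (sorted(p for p in where.iterdir() if DIR_NAME.match(p.name))
                    if kind == "includedir" and where.is_dir() else [where])
            found += [hit for kid in kids for hit in lint(kid)]
        elif line[0] == "[":
            if depth or not SECTION.match(line):
                found.append((str(path), no, "bad section header"))
        elif line in ("}", "}*"):
            if depth == 0:
                found.append((str(path), no, "unmatched '}'"))
            depth = max(depth - 1, 0)
        elif (rel := RELATION.match(line)) is None:
            found.append((str(path), no, "not 'name = value'"))
        elif rel.group(1) == "{":
            depth += 1
    return found + ([(str(path), len(lines), "unclosed '{'")] if depth else [])

def demo():
    """Lint a constructed tree whose include directory holds one malformed file."""
    with tempfile.TemporaryDirectory() as top:
        (inc := Path(top, "krb5.include.d")).mkdir()
        for name, text in (
            ("krb5.conf", f"includedir {inc}\n" + "[realms]\n EXAMPLE.COM = {\n  kdc = kdc.example.com\n }\n"),
            ("krb5.include.d/snippet_bad", "[libdefaults]\n default_realm EXAMPLE.COM\n"),
            ("krb5.include.d/old.rpmsave", "skipped: the name contains a dot\n")):
            Path(top, name).write_text(text)
        return [(Path(f).name, n, p) for f, n, p in lint(Path(top, "krb5.conf"))]
```

On a real client, lint("/etc/krb5.conf") or lint() on a saved copy of the installer's temporary krb5.conf gives the same kind of list; an empty list means only that none of these simplified checks fired.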



