[Freeipa-users] Client enrolled but failed to obtain host TGT.

[Martin Babinsky]

On 04/21/2016 11:14 PM, Ask Stack wrote:
> Half the time ipa-client-install will fail at getting the TGT.  Google
> showed posts like, Bug 845691 – ipa-client-install Failed to obtain host
> TGT <https://bugzilla.redhat.com/show_bug.cgi?id=845691>. I reduced
> _kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp'
> '_kerberos._udp' to one server entry only. But it didn't help to reduce
> the failure rate. Thanks for your help.
>
>
> cleint
> ipa-client-3.0.0-47.el6_7.2.x86_64
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> ipa-client-install --hostname=client1.example.com
> --server=ipa-server.example.com --domain=example.com -N --mkhomedir
> --unattended -p ipaadd at EXAMPLE.COM -w 'password1'
> --ca-cert-file=/etc/ipa/ca.crt -d
> ...
> ...
> Enrolled in IPA realm EXAMPLE.COM
> args=kdestroy
> stdout=
> stderr=
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> Failed to obtain host TGT.
>
>
>
>
>
>
Hello,

can you please provide KDC log from the server you are enrolling 
against? IIRC it should be in /var/log/krb5kdc.log

-- 
Martin^3 Babinsky