[Freeipa-users] Client enrolled but failed to obtain host TGT.

Ask Stack askstack at yahoo.com
Fri Apr 22 21:15:26 UTC 2016


Martin,

Thanks for the reply.
tail -f /var/log/krb5kdc.log | grep client1.example.com had nothing during a failed ipa client install and plenty of activity during a good install.
And sorry, I missed a big piece of information. The debug log showed:
ipa-getkeytab: ../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
Basically, /etc/krb5.keytab didn't get created.
I always wondered why we needed "--ca-cert-file=/etc/ipa/ca.crt", so I ran ipa-client-install without it. I tested the install twenty times with no failures. The ca.crt I provide and the one ipa-client-install downloaded are identical.

    On Friday, April 22, 2016 3:09 AM, Martin Babinsky <mbabinsk at redhat.com> wrote:
 

 On 04/21/2016 11:14 PM, Ask Stack wrote:
> Half the time ipa-client-install will fail at getting the TGT.  Google
> showed posts like, Bug 845691 – ipa-client-install Failed to obtain host
> TGT <https://bugzilla.redhat.com/show_bug.cgi?id=845691>. I reduced
> _kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp'
> '_kerberos._udp' to one server entry only. But it didn't help to reduce
> the failure rate. Thanks for your help.
>
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> ipa-client-install --hostname=client1.example.com
> --server=ipa-server.example.com --domain=example.com -N --mkhomedir
> --unattended -p ipaadd at EXAMPLE.COM -w 'password1'
> --ca-cert-file=/etc/ipa/ca.crt -d
> ...
> ...
> Enrolled in IPA realm EXAMPLE.COM
> args=kdestroy
> stdout=
> stderr=
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> Failed to obtain host TGT.
>
Hello,

Can you please provide the KDC log from the server you are enrolling
against? IIRC it should be in /var/log/krb5kdc.log

-- 
Martin^3 Babinsky


  