[Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
Rob Crittenden
rcritten at redhat.com
Mon May 23 21:10:07 UTC 2016
Ask Stack wrote:
> Rob
> Thanks for the reply.
> I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
> errors and /var/log/krb5kdc.log
> Do you know which service is responsible for providing
> "/etc/krb5.keytab" to the client?
It uses an LDAP extended operation so 389-ds. Any errors would be in the
KDC log or, more likely, in the 389-ds logs.
rob
>
> On Monday, May 23, 2016 2:57 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>
> Ask Stack wrote:
>
> > My company's ipa-client-install fails very often. Debug logs show the
> > process always failed at getting the /etc/krb5.keytab .
> > Is there a way to modify the script to increase the number of attempts to
> > create /etc/krb5.keytab ?
> >
> > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> > host TGT (defaults to 5)." But it comes after setting up the
> > "/etc/krb5.keytab" file.
> > Thanks.
> >
> > server
> > ipa-server-3.0.0-47.el6_7.1.x86_64
> >
> > client
> > ipa-client-3.0.0-47.el6_7.2.x86_64
> > ipa-client-3.0.0-50.el6.1.x86_64
> >
> >
> > #SUCCESSFUL ATTEMPT
> >
> > </member>\n
> > </struct></value>\n
> > </data></array></value>\n
> > </param>\n
> > </params>\n
> > </methodResponse>\n
> >
> > Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:40:49Z DEBUG args=kdestroy
> > 2016-05-23T14:40:49Z DEBUG stdout=
> > 2016-05-23T14:40:49Z DEBUG stderr=
> >
> >
> >
> > #FAILED ATTEMPT
> >
> > </member>\n
> > </struct></value>\n
> > </data></array></value>\n
> > </param>\n
> > </params>\n
> > </methodResponse>\n
> >
> > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:37:08Z DEBUG args=kdestroy
> > 2016-05-23T14:37:08Z DEBUG stdout=
> > 2016-05-23T14:37:08Z DEBUG stderr=
>
>
> There is no retry capability and in some cases it would be impossible to
> add (the one-time password case). Can you check /var/log/krb5kdc on the
> IPA master it connected to, and the 389-ds access and errors logs as
> well? Perhaps one of those will have more information on why things failed.
>
> rob
>
>
>
>
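The two debug excerpts quoted above show something easy to miss when triaging a fleet of failing enrollments: the failed run still prints "Enrolled in IPA realm TEST.COM", so grepping for that line will not tell success from failure. The keytab step has to be judged from the "Keytab successfully retrieved" line or the ipa-getkeytab error that takes its place. The script below is an added example written for this thread, not part of FreeIPA or of the original posts; it classifies ipa-client-install debug output into keytab-ok / keytab-failed / unknown and tallies the outcomes over several runs. The two sample logs are constructed from the excerpts in the thread (the wrapped ipa-getkeytab line is joined onto one line), and the log line formats are assumed to be as quoted there.

```python
import re
from collections import Counter

# Constructed samples, trimmed from the two attempts quoted in the thread.
SUCCESS_LOG = """\
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=TEST.COM

2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:40:49Z DEBUG args=kdestroy
"""

FAILED_LOG = """\
ipa-getkeytab: ../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
Certificate subject base is: O=TEST.COM

2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:37:08Z DEBUG args=kdestroy
"""

# Line patterns assumed from the quoted debug output.
KEYTAB_OK = re.compile(r"^Keytab successfully retrieved and stored in: (?P<path>\S+)")
GETKEYTAB_ERR = re.compile(r"^ipa-getkeytab: (?P<detail>.*)$")
ENROLLED = re.compile(r"^(?P<ts>\S+) INFO Enrolled in IPA realm (?P<realm>\S+)")


def classify_enrollment(log_text):
    """Return a dict describing one ipa-client-install run.

    outcome is 'ok' only when the keytab line was seen and no ipa-getkeytab
    error preceded it; the 'Enrolled' line alone is deliberately not trusted,
    because the failed attempt in the thread prints it too.
    """
    result = {
        "keytab": None,        # path the keytab was stored in, if reported
        "keytab_error": None,  # ipa-getkeytab error text, if any
        "realm": None,
        "enrolled_at": None,   # timestamp of the 'Enrolled' line
        "outcome": "unknown",
    }
    for line in log_text.splitlines():
        line = line.rstrip()
        m = KEYTAB_OK.match(line)
        if m:
            result["keytab"] = m.group("path")
            continue
        m = GETKEYTAB_ERR.match(line)
        if m:
            result["keytab_error"] = m.group("detail")
            continue
        m = ENROLLED.match(line)
        if m:
            result["enrolled_at"] = m.group("ts")
            result["realm"] = m.group("realm")

    if result["keytab_error"] is not None:
        result["outcome"] = "keytab-failed"
    elif result["keytab"] is not None:
        result["outcome"] = "ok"
    return result


def summarize(logs):
    """Count outcomes across many runs, e.g. one log per enrolled host."""
    return dict(Counter(classify_enrollment(text)["outcome"] for text in logs))


def keytab_failure_details(logs):
    """Collect the distinct ipa-getkeytab errors, to correlate with the
    KDC and 389-ds access/errors logs on the master for the same timestamps."""
    details = set()
    for text in logs:
        r = classify_enrollment(text)
        if r["keytab_error"]:
            details.add((r["enrolled_at"], r["keytab_error"]))
    return sorted(details)


if __name__ == "__main__":
    for name, text in (("success", SUCCESS_LOG), ("failed", FAILED_LOG)):
        print(name, classify_enrollment(text))
    print(summarize([SUCCESS_LOG, FAILED_LOG]))
    for ts, detail in keytab_failure_details([SUCCESS_LOG, FAILED_LOG]):
        print(ts, detail)
```

The timestamp carried in each failed result is the value to line up against the KDC and 389-ds logs on the master that served the request, since the client side only reports that the extended operation returned no result.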