[Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

Ask Stack askstack at yahoo.com
Tue May 24 18:45:45 UTC 2016


Thank you.
 

    On Tuesday, May 24, 2016 9:56 AM, Rob Crittenden <rcritten at redhat.com> wrote:
 

 Ask Stack wrote:
> Sorry for asking the dumb question again. Where are the 389-ds logs? I
> can't find them in /var/log/ .

/var/log/dirsrv/slapd-REALM

What you'll want to look for is the BIND from the client and all results 
for that connection. The errors log tends to just log critical problems 
so it may not have much.

rob

>
>
> On Monday, May 23, 2016 5:10 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>
> Ask Stack wrote:
>  > Rob
>  > Thanks for the reply.
>  > I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
>  > errors  and /var/log/krb5kdc.log
>  > Do you know which service is responsible for providing
>  > "/etc/krb5.keytab" to the client?
>
> It uses an LDAP extended operation so 389-ds. Any errors would be in the
> KDC log or, more likely, in the 389-ds logs.
>
> rob
>
>
>  >
>  > On Monday, May 23, 2016 2:57 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>  >
>  >
>  > Ask Stack wrote:
>  >
>  >  > My company's ipa-client-install fails very often. Debug logs show the
>  >  > process always failed at getting the /etc/krb5.keytab .
>  >  > Is there a way to modify the script to increase the number of attempts to
>  >  > create /etc/krb5.keytab ?
>  >  >
>  >  > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to
>  >  > obtain host TGT (defaults to 5)." But it comes after setting up the
>  >  > "/etc/krb5.keytab" file.
>  >  > Thanks.
>  >  >
>  >  > server
>  >  > ipa-server-3.0.0-47.el6_7.1.x86_64
>  >  >
>  >  > client
>  >  > ipa-client-3.0.0-47.el6_7.2.x86_64
>  >  > ipa-client-3.0.0-50.el6.1.x86_64
>  >  >
>  >  >
>  >  > #SUCCESSFUL ATTEMPT
>  >  >
>  >  > </member>\n
>  >  > </struct></value>\n
>  >  > </data></array></value>\n
>  >  > </param>\n
>  >  > </params>\n
>  >  > </methodResponse>\n
>  >  >
>  >  > Keytab successfully retrieved and stored in: /etc/krb5.keytab
>  >  > Certificate subject base is: O=TEST.COM
>  >  >
>  >  > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
>  >  > 2016-05-23T14:40:49Z DEBUG args=kdestroy
>  >  > 2016-05-23T14:40:49Z DEBUG stdout=
>  >  > 2016-05-23T14:40:49Z DEBUG stderr=
>  >  >
>  >  >
>  >  >
>  >  > #FAILED ATTEMPT
>  >  >
>  >  > </member>\n
>  >  > </struct></value>\n
>  >  > </data></array></value>\n
>  >  > </param>\n
>  >  > </params>\n
>  >  > </methodResponse>\n
>  >  >
>  >  > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
>  >  > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
>  >  > Certificate subject base is: O=TEST.COM
>  >  >
>  >  > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
>  >  > 2016-05-23T14:37:08Z DEBUG args=kdestroy
>  >  > 2016-05-23T14:37:08Z DEBUG stdout=
>  >  > 2016-05-23T14:37:08Z DEBUG stderr=
>  >
>  >
>  > There is no retry capability and in some cases it would be impossible to
>  > add (the one-time password case). Can you check /var/log/krb5kdc on the
>  > IPA master it connected to, and the 389-ds access and errors logs as
>  > well? Perhaps one of those will have more information on why things
>  > failed.
>  >
>  > rob
>  >
>  >
>  >
>  >
>
>
>
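Rob's advice above is to find the client's BIND in the 389-ds access log and read every result for that connection. The following Python script is an added example, not code from this thread or from FreeIPA: it groups access-log lines by their conn= number, lists the RESULT lines for a given client address that carry an error, and also lists requests (such as the keytab extended operation) that never received a RESULT before the connection closed, which is the kind of trace to look for when ipa-getkeytab aborts because no extended result came back. The log lines, host names, addresses and the extended-operation OID are constructed placeholders, not values from the thread.

```python
"""Correlate 389-ds access-log lines by connection so that a client's BIND and
the results of every operation on that connection can be reviewed together.

Added example; not code from the thread or from FreeIPA. The log lines are
constructed in the shape of the 389-ds access log, and the extended-operation
OID is a placeholder, not the real ipa-getkeytab OID.
"""
import re
from collections import defaultdict

# Constructed sample: three enrolment attempts from three hosts.
#   conn=41  bind ok, extended op answered with err=0
#   conn=42  bind fails with err=49 (invalidCredentials)
#   conn=43  bind ok, extended op sent, connection closes with no RESULT
SAMPLE_ACCESS_LOG = """\
[23/May/2016:10:37:01 -0400] conn=41 fd=64 slot=64 connection from 10.0.0.15 to 10.0.0.2
[23/May/2016:10:37:01 -0400] conn=41 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2016:10:37:01 -0400] conn=41 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/May/2016:10:37:01 -0400] conn=41 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2016:10:37:01 -0400] conn=41 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=host1.test.com,cn=computers,cn=accounts,dc=test,dc=com"
[23/May/2016:10:37:02 -0400] conn=41 op=2 EXT oid="PLACEHOLDER-OID" name="keytab-op"
[23/May/2016:10:37:02 -0400] conn=41 op=2 RESULT err=0 tag=120 nentries=0 etime=0
[23/May/2016:10:37:02 -0400] conn=41 op=3 UNBIND
[23/May/2016:10:37:02 -0400] conn=41 op=3 fd=64 closed - U1
[23/May/2016:10:40:11 -0400] conn=42 fd=65 slot=65 connection from 10.0.0.16 to 10.0.0.2
[23/May/2016:10:40:11 -0400] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2016:10:40:11 -0400] conn=42 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[23/May/2016:10:40:11 -0400] conn=42 op=1 UNBIND
[23/May/2016:10:41:30 -0400] conn=43 fd=66 slot=66 connection from 10.0.0.17 to 10.0.0.2
[23/May/2016:10:41:30 -0400] conn=43 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2016:10:41:30 -0400] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=host3.test.com,cn=computers,cn=accounts,dc=test,dc=com"
[23/May/2016:10:41:31 -0400] conn=43 op=1 EXT oid="PLACEHOLDER-OID" name="keytab-op"
[23/May/2016:10:41:31 -0400] conn=43 op=1 fd=66 closed - B1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_FROM_RE = re.compile(r'connection from (?P<ip>[0-9a-fA-F.:]+) to ')
OP_RE = re.compile(r'op=(?P<op>\d+) (?P<kind>[A-Z]+)\b(?P<detail>.*)$')
ERR_RE = re.compile(r'err=(?P<err>\d+)')

# LDAP result codes that do not mean the operation failed:
# 0 = success, 14 = saslBindInProgress (intermediate step of a SASL bind)
NON_FAILURE_CODES = {0, 14}


def parse_access_log(text):
    """Group log lines by connection number.

    Returns {conn: {"client": ip_or_None, "ops": [(op, kind, detail), ...]}}.
    Lines that do not have the expected shape (e.g. 'closed' lines) are skipped.
    """
    conns = defaultdict(lambda: {"client": None, "ops": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        cm = CONN_FROM_RE.search(rest)
        if cm:
            conns[conn]["client"] = cm.group("ip")
            continue
        om = OP_RE.match(rest)
        if om:
            conns[conn]["ops"].append(
                (int(om.group("op")), om.group("kind"), om.group("detail").strip()))
    return dict(conns)


def connections_from(conns, client_ip):
    """Connection ids opened from client_ip, in log order."""
    return [c for c, info in conns.items() if info["client"] == client_ip]


def failed_operations(conns, client_ip):
    """Operations on the client's connections whose RESULT carries an error.

    Returns [(conn, op, kind, err)], where kind is the request the RESULT
    answers (BIND, EXT, SRCH, ...) and err is None if no err= was found.
    """
    failures = []
    for conn in connections_from(conns, client_ip):
        requests = {}
        for op, kind, detail in conns[conn]["ops"]:
            if kind != "RESULT":
                requests[op] = kind
                continue
            em = ERR_RE.search(detail)
            err = int(em.group("err")) if em else None
            if err not in NON_FAILURE_CODES:
                failures.append((conn, op, requests.get(op, "?"), err))
    return failures


def unanswered_operations(conns, client_ip):
    """Requests that never received a RESULT line on the client's connections."""
    pending = []
    for conn in connections_from(conns, client_ip):
        answered = {op for op, kind, _ in conns[conn]["ops"] if kind == "RESULT"}
        for op, kind, _ in conns[conn]["ops"]:
            if kind not in ("RESULT", "UNBIND") and op not in answered:
                pending.append((conn, op, kind))
    return pending


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_ACCESS_LOG)
    for ip in ("10.0.0.15", "10.0.0.16", "10.0.0.17"):
        print(ip, "conns:", connections_from(parsed, ip),
              "failed:", failed_operations(parsed, ip),
              "unanswered:", unanswered_operations(parsed, ip))
```

To use it on a real server, replace the constructed text with the contents of the access log in /var/log/dirsrv/slapd-REALM and pass the enrolling client's address; a BIND RESULT with a non-zero error points at the KDC or credentials, while an EXT with no RESULT before the connection closes points at the server side of the extended operation and is the place to cross-check the errors log for the same time window.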