[Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Martin Babinsky mbabinsk at redhat.com
Tue Jan 3 08:16:46 UTC 2017


On 01/02/2017 11:22 PM, Alan Latteri wrote:
> I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa to 4.4.  On some clients they failed to re-authenticate post upgrade.  I then did an
> ipa-client-install --uninstall, and then tried re-joining to IPA server with
> ipa-client-install --mkhomedir --force-ntpd --force-join.
>
> Now I am getting the below error, and I have no idea how to recover.  Firewall is disabled.
>
> Thanks,
> Alan
>
> User authorized to enroll computers: admin
> Password for admin@XXX.LOCAL:
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> [root@troll ~]# systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
>    Active: inactive (dead)
>
> Installed Packages
> ipa-client.x86_64                                                4.4.0-14.el7.centos                                         @updates
> ipa-client-common.noarch                                         4.4.0-14.el7.centos                                         @updates
> ipa-common.noarch                                                4.4.0-14.el7.centos                                         @updates
>

Hi Alan,

it would be nice if you could post the client install log 
(/var/log/ipaclient-install.log). It is hard to tell what happens 
without seeing it.

-- 
Martin^3 Babinsky



