[Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Alan Latteri
alan at instinctualsoftware.com
Tue Jan 3 21:02:21 UTC 2017
Log is attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaclient-install.log
Type: application/octet-stream
Size: 7487 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170103/48902c18/attachment.obj>
-------------- next part --------------
> On Jan 3, 2017, at 12:16 AM, Martin Babinsky <mbabinsk at redhat.com> wrote:
>
> On 01/02/2017 11:22 PM, Alan Latteri wrote:
>> I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa to 4.4. On some clients they failed to re-authenticate post upgrade. I then did an
>> ipa-client-install ?uninstall , and then tried re-joining to IPA server with
>> ipa-client-install --mkhomedir --force-ntpd --force-join.
>>
>> Now I am getting the below error, and I have no idea how to recover. Firewall is disabled.
>>
>> Thanks,
>> Alan
>>
>> User authorized to enroll computers: admin
>> Password for admin at XXX.LOCAL:
>> Please make sure the following ports are opened in the firewall settings:
>> TCP: 80, 88, 389
>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>> Also note that following ports are necessary for ipa-client working properly after enrollment:
>> TCP: 464
>> UDP: 464, 123 (if NTP enabled)
>> Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>>
>> [root at troll ~]# systemctl status firewalld
>> ? firewalld.service - firewalld - dynamic firewall daemon
>> Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
>> Active: inactive (dead)
>>
>> Installed Packages
>> ipa-client.x86_64 4.4.0-14.el7.centos @updates
>> ipa-client-common.noarch 4.4.0-14.el7.centos @updates
>> ipa-common.noarch 4.4.0-14.el7.centos @updates
>>
>
> Hi Alan,
>
> it would be nice if you could post the client install log (/var/log/ipaclient-install.log). It is hard to tell what happens without seeing it.
>
> --
> Martin^3 Babinsky
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list