[Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Alan Latteri alan at instinctualsoftware.com
Wed Jan 4 01:33:39 UTC 2017


Further investigation.

On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is missing, and therefore initial setup will fail unless /etc/krb5.conf.d/ is created manually.
Maybe the install script for the client can be updated to check for it and create it?

Thanks,
Alan

> On Jan 3, 2017, at 1:44 PM, Alan Latteri <alan at instinctualsoftware.com> wrote:
> 
> Thanks Rob.
> 
> /etc/krb5.conf.d/ was in fact missing from the client, which is still on CentOS 7.2 for reasons out of our control.
> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client requires that dir but is not making it on upgrade, and that is the cause of the failure?
> 
> Alan
> 
>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> 
>> Alan Latteri wrote:
>>> Log is attached.
>> 
>> Look and see if /etc/krb5.conf.d/ and
>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>> filesystem perms are an issue but who knows.
>> 
>> You can also brute force things using strace -f to find out exactly what
>> can't be read.
>> 
>> rob
>> 
> 
> 

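Added example, not part of the original thread and not FreeIPA's own code: a shell function that runs the check discussed above, reading every `includedir` directive from a krb5.conf and reporting directories that are missing or unreadable. The function name `check_krb5_includedirs` and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find the "includedir" directives in a krb5.conf and report
# any directory that libkrb5 would fail to read at initialization.
# Returns 0 if all are usable, 1 if any is missing or unreadable,
# 2 if the config file itself cannot be read.
check_krb5_includedirs() {
    conf=$1
    bad=0
    if [ ! -r "$conf" ]; then
        echo "ERROR $conf: config file missing or unreadable"
        return 2
    fi
    # Directive lines look like: includedir /etc/krb5.conf.d/
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r keyword dir _rest || [ -n "$keyword" ]; do
        [ "$keyword" = "includedir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            bad=1
        elif [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
            # Listing the directory needs both read and search permission.
            echo "UNREADABLE $dir"
            bad=1
        else
            echo "OK $dir"
        fi
    done < "$conf"
    return "$bad"
}

# Run only when a config path is given, e.g.: sh check.sh /etc/krb5.conf
if [ $# -gt 0 ]; then
    check_krb5_includedirs "$1"
fi
```

When run as root the permission tests always pass, so an SELinux denial will not show up here; look for AVCs in the audit log as suggested in the thread.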