<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Lucida Sans";
panose-1:2 11 6 2 3 5 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;
mso-fareast-language:EN-US;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thank you Martin, I have tried many different ways. I can’t seem to be able to remove anything in the file.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="line-height:125%"><span style="font-size:9.0pt;line-height:125%;font-family:"Lucida Sans","sans-serif";color:navy;mso-fareast-language:EN-CA">Gady</span><span style="color:#1F497D;mso-fareast-language:EN-CA"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:EN-CA">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:EN-CA">
Martin Basti [mailto:mbasti@redhat.com] <br>
<b>Sent:</b> April 20, 2016 12:50 PM<br>
<b>To:</b> Gady Notrica; freeipa-users@redhat.com<br>
<b>Subject:</b> Re: [Freeipa-users] ipa-client-install errors<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 20.04.2016 18:00, Gady Notrica wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">Hello World,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I am having these errors trying to install ipa-client-install. Every other machine is fine and they IPA servers are functioning perfectly</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:red">Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:red">Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:red"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Then I have “</span><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Installation failed. Rolling back changes.”</span></i><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">-----------------------------------------------------------</span><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Continue to configure the system with these values? [no]: yes</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:red">Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Skipping synchronizing time with NTP server.</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">User authorized to enroll computers: admin</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Password for
<a href="mailto:admin@IPA.DOMAIN.COM">admin@IPA.DOMAIN.COM</a>:</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Please make sure the following ports are opened in the firewall settings:</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D"> TCP: 80, 88, 389</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D"> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Also note that following ports are necessary for ipa-client working properly after enrollment:</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D"> TCP: 464</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D"> UDP: 464, 123 (if NTP enabled)</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:red">Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D"> </span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Installation failed. Rolling back changes.</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Disabling client Kerberos and LDAP configurations</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Restoring client configuration files</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">nscd daemon is not installed, skip configuration</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">nslcd daemon is not installed, skip configuration</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1F497D">Client uninstall complete.</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="color:#1F497D">---------------------------------------------------------------</span></i><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Gady</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-CA"><br>
<br>
<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-CA">Hello,<br>
<br>
IMO you have an old invalid keytab on that machine. Can you manually remove it and try to reinstall client? (Of course only if you are sure that keytab there is not needed)<br>
<br>
The keytab should be located here </span><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:green;mso-fareast-language:EN-CA">/etc/krb5.keytab<br>
</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-CA"><br>
Martin<o:p></o:p></span></p>
</div>
</body>
</html>