<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:14px"><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr"><span>Martin</span></div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr"><span>Thanks for the reply.</span></div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr"><span><br></span></div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr">tail -f /var/log/krb5kdc.log | grep client1.example.com had nothing during a failed ipa client install and plenty of activity during a good install. </div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr">And sorry, I missed a big piece of information. Debug log showed</div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr"><span id="yui_3_16_0_ym19_1_1461358411963_2638"> ipa-getkeytab: ../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.</span></div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr"><span><br></span></div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr"><span id="yui_3_16_0_ym19_1_1461358411963_2851">Basically /etc/krb5.keytab didn't get created. </span></div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr"><span><br></span></div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr"><span id="yui_3_16_0_ym19_1_1461358411963_3457">I always wonder why we needed "</span>--ca-cert-file=/etc/ipa/ca.crt", so I ran the ipa-client-install without it. I tested the install twenty times with no failures. </div><div id="yui_3_16_0_ym19_1_1461358411963_2312" dir="ltr">The ca.crt I provide and the one ipa-client-install downloaded are identical. 
</div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 14px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Friday, April 22, 2016 3:09 AM, Martin Babinsky <mbabinsk@redhat.com> wrote:<br></font></div>  <br><br> <div class="y_msg_container">On 04/21/2016 11:14 PM, Ask Stack wrote:<br clear="none">> Half the time ipa-client-install will fail at getting the TGT.  Google<br clear="none">> showed posts like, Bug 845691 – ipa-client-install Failed to obtain host<br clear="none">> TGT <<a shape="rect" href="https://bugzilla.redhat.com/show_bug.cgi?id=845691" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=845691</a>>. I reduced<div class="yqt1499634550" id="yqtfd39476"><br clear="none">> _kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp'<br clear="none">> '_kerberos._udp' to one server entry only. But it didn't help to reduce<br clear="none">> the failure rate. 
Thanks for your help.<br clear="none">><br clear="none">><br clear="none">> client<br clear="none">> ipa-client-3.0.0-47.el6_7.2.x86_64<br clear="none">><br clear="none">> server<br clear="none">> ipa-server-3.0.0-47.el6_7.1.x86_64<br clear="none">><br clear="none">> ipa-client-install --hostname=client1.example.com<br clear="none">> --server=ipa-server.example.com --domain=example.com -N --mkhomedir<br clear="none">> --unattended -p <a shape="rect" ymailto="mailto:ipaadd@EXAMPLE.COM" href="mailto:ipaadd@EXAMPLE.COM">ipaadd@EXAMPLE.COM</a> -w 'password1'<br clear="none">> --ca-cert-file=/etc/ipa/ca.crt -d<br clear="none">> ...<br clear="none">> ...<br clear="none">> Enrolled in IPA realm EXAMPLE.COM<br clear="none">> args=kdestroy<br clear="none">> stdout=<br clear="none">> stderr=<br clear="none">> args=/usr/bin/kinit -k -t /etc/krb5.keytab<br clear="none">> host/<a shape="rect" ymailto="mailto:client1.example.com@EXAMPLE.COM" href="mailto:client1.example.com@EXAMPLE.COM">client1.example.com@EXAMPLE.COM</a><br clear="none">> stdout=<br clear="none">> stderr=kinit: Generic preauthentication failure while getting initial<br clear="none">> credentials<br clear="none">><br clear="none">> args=/usr/bin/kinit -k -t /etc/krb5.keytab<br clear="none">> host/<a shape="rect" ymailto="mailto:client1.example.com@EXAMPLE.COM" href="mailto:client1.example.com@EXAMPLE.COM">client1.example.com@EXAMPLE.COM</a><br clear="none">> stdout=<br clear="none">> stderr=kinit: Generic preauthentication failure while getting initial<br clear="none">> credentials<br clear="none">><br clear="none">> args=/usr/bin/kinit -k -t /etc/krb5.keytab<br clear="none">> host/<a shape="rect" ymailto="mailto:client1.example.com@EXAMPLE.COM" href="mailto:client1.example.com@EXAMPLE.COM">client1.example.com@EXAMPLE.COM</a><br clear="none">> stdout=<br clear="none">> stderr=kinit: Generic preauthentication failure while getting initial<br clear="none">> credentials<br clear="none">><br clear="none">> 
args=/usr/bin/kinit -k -t /etc/krb5.keytab<br clear="none">> host/<a shape="rect" ymailto="mailto:client1.example.com@EXAMPLE.COM" href="mailto:client1.example.com@EXAMPLE.COM">client1.example.com@EXAMPLE.COM</a><br clear="none">> stdout=<br clear="none">> stderr=kinit: Generic preauthentication failure while getting initial<br clear="none">> credentials<br clear="none">><br clear="none">> args=/usr/bin/kinit -k -t /etc/krb5.keytab<br clear="none">> host/<a shape="rect" ymailto="mailto:client1.example.com@EXAMPLE.COM" href="mailto:client1.example.com@EXAMPLE.COM">client1.example.com@EXAMPLE.COM</a><br clear="none">> stdout=<br clear="none">> stderr=kinit: Generic preauthentication failure while getting initial<br clear="none">> credentials<br clear="none">><br clear="none">> Failed to obtain host TGT.</div><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">Hello,<br clear="none"><br clear="none">can you please provide KDC log from the server you are enrolling <br clear="none">against? IIRC it should be in /var/log/krb5kdc.log<br clear="none"><br clear="none">-- <br clear="none">Martin^3 Babinsky<div class="yqt1499634550" id="yqtfd27201"><br clear="none"></div><br><br></div>  </div> </div>  </div></div></body></html>