My reply with the log output is pending moderator approval. -Chris
On 1/16/18 1:11 PM, Rob Crittenden wrote: > Robbie Harwood via FreeIPA-users wrote: >> Chris Moody via FreeIPA-users <freeipa-users@lists.fedorahosted.org> >> writes: >> >>> 2018-01-15T21:55:24Z INFO Configured /etc/krb5.conf for IPA realm >>> IPA.XYZ.COM >>> 2018-01-15T21:55:24Z DEBUG Starting external process >>> 2018-01-15T21:55:24Z DEBUG args=keyctl search @s user >>> ipa_session_cookie:host/sfca-do-1.xyz....@ipa.xyz.com >>> 2018-01-15T21:55:24Z DEBUG Process finished, return code=1 >>> 2018-01-15T21:55:24Z DEBUG stdout= >>> 2018-01-15T21:55:24Z DEBUG stderr=keyctl_search: Required key not available >> I'm not familiar with what IPA's trying to do here, but this looks like >> a problem? Can someone else comment? > This is perfectly normal. IPA stores the session cookie in the kernel > keyring. Given this is a new install there is no cookie to find. > >>> I have tried manually setting /etc/krb5.conf to the contents that get> >>> generated & display during the verbose client-install process (as seen >>> above), that manually spell out the KDC details, and am able to run a >>> 'kinit admin' just fine from the CLI on the client, so kerberos DOES >>> function from the client. It talks to the KDC beautifully and >>> authenticates just fine... so I'm not sure how the client-install >>> process is getting confused/lost when trying to find/contact the KDC. >> Someone else who knows more than me: how is the install different than a >> normal kinit? > I think we'd need to see the full ipaclient-install.log. > > rob
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org