Please find attached the install log Gady
-----Original Message----- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky Sent: April 20, 2016 1:04 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors On 04/20/2016 06:00 PM, Gady Notrica wrote: > Hello World, > > I am having these errors trying to install ipa-client-install. Every > other machine is fine and they IPA servers are functioning perfectly > > Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 > > Kerberos authentication failed: kinit: Improper format of Kerberos > configuration file while initializing Kerberos 5 library > > Then I have "/Installation failed. Rolling back changes."/ > > I have tried everything I know with no luck. Any idea on how to FIX > this? Below is the full log. > > ----------------------------------------------------------- > > /Continue to configure the system with these values? [no]: yes/ > > /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/ > > /Skipping synchronizing time with NTP server./ > > /User authorized to enroll computers: admin/ > > /Password for ad...@ipa.domain.com:/ > > /Please make sure the following ports are opened in the firewall > settings:/ > > / TCP: 80, 88, 389/ > > / UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/ > > /Also note that following ports are necessary for ipa-client working > properly after enrollment:/ > > / TCP: 464/ > > / UDP: 464, 123 (if NTP enabled)/ > > /Kerberos authentication failed: kinit: Improper format of Kerberos > configuration file while initializing Kerberos 5 library/ > > // > > /Installation failed. Rolling back changes./ > > /Failed to list certificates in /etc/ipa/nssdb: Command > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero > exit status 255/ > > /Disabling client Kerberos and LDAP configurations/ > > /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to > /etc/sssd/sssd.conf.deleted/ > > /Restoring client configuration files/ > > /nscd daemon is not installed, skip configuration/ > > /nslcd daemon is not installed, skip configuration/ > > /Client uninstall complete./ > > /---------------------------------------------------------------/ > > Gady > > > We would need to see the whole log, it should be located in '/var/log/ipaclient-install.log' -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
# cat /var/log/ipaclient-install.log 2016-04-20T16:04:34Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': 'cd-s-prd-db1.ipa.domain.com', 'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': True, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': True, 'mkhomedir': True, 'uninstall': False} 2016-04-20T16:04:34Z DEBUG missing options might be asked for interactively later 2016-04-20T16:04:34Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1 2016-04-20T16:04:34Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2016-04-20T16:04:34Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2016-04-20T16:04:34Z DEBUG [IPA Discovery] 2016-04-20T16:04:34Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=cd-s-prd-db1.ipa.domain.com 2016-04-20T16:04:34Z DEBUG Start searching for LDAP SRV record in "ipa.domain.com" (domain of the hostname) and its sub-domains 2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of _ldap._tcp.ipa.domain.com 2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa1.ipa.domain.com. 2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa2.ipa.domain.com. 2016-04-20T16:04:34Z DEBUG [Kerberos realm search] 2016-04-20T16:04:34Z DEBUG Search DNS for TXT record of _kerberos.ipa.domain.com 2016-04-20T16:04:34Z DEBUG DNS record found: "IPA.domain.com" 2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of _kerberos._udp.ipa.domain.com 2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 88 idmipa2.ipa.domain.com. 2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 88 idmipa1.ipa.domain.com. 2016-04-20T16:04:34Z DEBUG [LDAP server check] 2016-04-20T16:04:34Z DEBUG Verifying that idmipa1.ipa.domain.com (realm IPA.domain.com) is an IPA server 2016-04-20T16:04:34Z DEBUG Init LDAP connection to: idmipa1.ipa.domain.com 2016-04-20T16:04:35Z DEBUG Search LDAP server for IPA base DN 2016-04-20T16:04:35Z DEBUG Check if naming context 'dc=ipa,dc=domain,dc=com' is for IPA 2016-04-20T16:04:35Z DEBUG Naming context 'dc=ipa,dc=domain,dc=com' is a valid IPA context 2016-04-20T16:04:35Z DEBUG Search for (objectClass=krbRealmContainer) in dc=ipa,dc=domain,dc=com (sub) 2016-04-20T16:04:35Z DEBUG Found: cn=IPA.domain.com,cn=kerberos,dc=ipa,dc=domain,dc=com 2016-04-20T16:04:35Z DEBUG Discovery result: Success; server=idmipa1.ipa.domain.com, domain=ipa.domain.com, kdc=idmipa2.ipa.domain.com,idmipa1.ipa.domain.com, basedn=dc=ipa,dc=domain,dc=com 2016-04-20T16:04:35Z DEBUG Validated servers: idmipa1.ipa.domain.com 2016-04-20T16:04:35Z DEBUG will use discovered domain: ipa.domain.com 2016-04-20T16:04:35Z DEBUG Start searching for LDAP SRV record in "ipa.domain.com" (Validating DNS Discovery) and its sub-domains 2016-04-20T16:04:35Z DEBUG Search DNS for SRV record of _ldap._tcp.ipa.domain.com 2016-04-20T16:04:35Z DEBUG DNS record found: 0 100 389 idmipa2.ipa.domain.com. 2016-04-20T16:04:35Z DEBUG DNS record found: 0 100 389 idmipa1.ipa.domain.com. 2016-04-20T16:04:35Z DEBUG DNS validated, enabling discovery 2016-04-20T16:04:35Z DEBUG will use discovered server: idmipa1.ipa.domain.com 2016-04-20T16:04:35Z INFO Discovery was successful! 2016-04-20T16:04:35Z DEBUG will use discovered realm: IPA.domain.com 2016-04-20T16:04:35Z DEBUG will use discovered basedn: dc=ipa,dc=domain,dc=com 2016-04-20T16:04:35Z INFO Client hostname: cd-s-prd-db1.ipa.domain.com 2016-04-20T16:04:35Z DEBUG Hostname source: Provided as option 2016-04-20T16:04:35Z INFO Realm: IPA.domain.com 2016-04-20T16:04:35Z DEBUG Realm source: Discovered from LDAP DNS records in idmipa1.ipa.domain.com 2016-04-20T16:04:35Z INFO DNS Domain: ipa.domain.com 2016-04-20T16:04:35Z DEBUG DNS Domain source: Discovered LDAP SRV records from ipa.domain.com (domain of the hostname) 2016-04-20T16:04:35Z INFO IPA Server: idmipa1.ipa.domain.com 2016-04-20T16:04:35Z DEBUG IPA Server source: Discovered from LDAP DNS records in idmipa1.ipa.domain.com 2016-04-20T16:04:35Z INFO BaseDN: dc=ipa,dc=domain,dc=com 2016-04-20T16:04:35Z DEBUG BaseDN source: From IPA server ldap://idmipa1.ipa.domain.com:389 2016-04-20T16:04:40Z DEBUG Starting external process 2016-04-20T16:04:40Z DEBUG args='/usr/sbin/ipa-rmkeytab' '-k' '/etc/krb5.keytab' '-r' 'IPA.domain.com' 2016-04-20T16:04:40Z DEBUG Process finished, return code=1 2016-04-20T16:04:40Z DEBUG stdout= 2016-04-20T16:04:40Z DEBUG stderr=Kerberos context initialization failed 2016-04-20T16:04:40Z ERROR Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 2016-04-20T16:04:40Z DEBUG Starting external process 2016-04-20T16:04:40Z DEBUG args='/bin/hostname' 'cd-s-prd-db1.ipa.domain.com' 2016-04-20T16:04:40Z DEBUG Process finished, return code=0 2016-04-20T16:04:40Z DEBUG stdout= 2016-04-20T16:04:40Z DEBUG stderr= 2016-04-20T16:04:40Z DEBUG Backing up system configuration file '/etc/hostname' 2016-04-20T16:04:40Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2016-04-20T16:04:40Z DEBUG Starting external process 2016-04-20T16:04:40Z DEBUG args='/usr/sbin/selinuxenabled' 2016-04-20T16:04:40Z DEBUG Process finished, return code=0 2016-04-20T16:04:40Z DEBUG stdout= 2016-04-20T16:04:40Z DEBUG stderr= 2016-04-20T16:04:40Z DEBUG Starting external process 2016-04-20T16:04:40Z DEBUG args='/sbin/restorecon' '/etc/hostname' 2016-04-20T16:04:40Z DEBUG Process finished, return code=0 2016-04-20T16:04:40Z DEBUG stdout= 2016-04-20T16:04:40Z DEBUG stderr= 2016-04-20T16:04:40Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2016-04-20T16:04:40Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2016-04-20T16:04:40Z INFO Skipping synchronizing time with NTP server. 2016-04-20T16:04:58Z DEBUG importing all plugin modules in ipalib.plugins... 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.aci 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.automember 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.automount 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.baseldap 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.baseuser 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.batch 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.caacl 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.cert 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.certprofile 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.config 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.delegation 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.dns 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.domainlevel 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.group 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.hbacrule 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.hbacsvc 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.hbacsvcgroup 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.hbactest 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.host 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.hostgroup 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.idrange 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.idviews 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.internal 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.kerberos 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.krbtpolicy 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.migration 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.misc 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.netgroup 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.otpconfig 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.otptoken 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.otptoken_yubikey 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.passwd 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.permission 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.ping 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.pkinit 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.privilege 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.pwpolicy 2016-04-20T16:04:58Z DEBUG Starting external process 2016-04-20T16:04:58Z DEBUG args='klist' '-V' 2016-04-20T16:04:58Z DEBUG Process finished, return code=0 2016-04-20T16:04:58Z DEBUG stdout=Kerberos 5 version 1.13.2 2016-04-20T16:04:58Z DEBUG stderr= 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.radiusproxy 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.realmdomains 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.role 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.rpcclient 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.selfservice 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.selinuxusermap 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.server 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.service 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.servicedelegation 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.session 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.stageuser 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.sudocmd 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.sudocmdgroup 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.sudorule 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.topology 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.trust 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.user 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.vault 2016-04-20T16:04:58Z DEBUG importing plugin module ipalib.plugins.virtual
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project