Original file attached - no changes to the file Gady
-----Original Message----- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 3:52 PM To: Gady Notrica; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Gady Notrica wrote: > Please find below the kr5.conf. Still has with original content. > > [root@prddb1]# ipa-client-install > > Discovery was successful! > > ... > > Continue to configure the system with these values? [no]: yes > > .... > > Kerberos authentication failed: kinit: Improper format of Kerberos > configuration file while initializing Kerberos 5 library > > Installation failed. Rolling back changes. > > Failed to list certificates in /etc/ipa/nssdb: Command > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero > exit status 255 > > Disabling client Kerberos and LDAP configurations > > Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to > /etc/sssd/sssd.conf.deleted > > .... > > Client uninstall complete. > > [root@prddb1]# cat /etc/krb5.conf > > [logging] > > default = FILE:/var/log/krb5libs.log > > kdc = FILE:/var/log/krb5kdc.log > > admin_server = FILE:/var/log/kadmind.log > > [libdefaults] > > dns_lookup_realm = false > > ticket_lifetime = 24h > > renew_lifetime = 7d > > forwardable = true > > rdns = false > > # default_realm = EXAMPLE.COM > > default_ccache_name = KEYRING:persistent:%{uid} > > [realms] > > # EXAMPLE.COM = { > > # kdc = kerberos.example.com > > # admin_server = kerberos.example.com > > # } > > [domain_realm] > > # .example.com = EXAMPLE.COM > > # example.com = EXAMPLE.COM > > [root@prddb1]# Ok, I agree with the others then, we need to see the full ipaclient-install.log. This file looks fine which means the temporary one that is configured must be bad in some way. The log will tell how. rob > > Gady > > -----Original Message----- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: April 20, 2016 3:14 PM > To: Gady Notrica; Martin Basti; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] ipa-client-install errors > > Gady Notrica wrote: > > > Thank you guys for your help. > > > > > > Still can't enroll the client. Any suggestion on the errors below? > > > > > > /Kerberos authentication failed: kinit: Improper format of Kerberos > > > configuration file while initializing Kerberos 5 library/ > > What does /etc/krb5.conf look like? > > > Installation failed. Rolling back changes. > > > > > > /Failed to list certificates in /etc/ipa/nssdb: Command > > > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero > > > exit status 255/ > > This is unrelated to the enrollment problem. > > rob > > > > > > Disabling client Kerberos and LDAP configurations > > > > > > Gady Notrica > > > > > > -----Original Message----- > > > From: freeipa-users-boun...@redhat.com > <mailto:freeipa-users-boun...@redhat.com> > > > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica > > > Sent: April 20, 2016 2:12 PM > > > To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com > <mailto:freeipa-users@redhat.com> > > > Subject: Re: [Freeipa-users] ipa-client-install errors > > > > > > Any specific command in particular to remove that keytab? > > > > > > Since these don't work > > > > > > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab > > > Kerberos context initialization failed > > > > > > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k > > > /etc/krb5.keytab Kerberos context initialization failed > > > > > > [root@cprddb1 /]# > > > > > > Gady > > > > > > -----Original Message----- > > > > > > From: Rob Crittenden [mailto:rcrit...@redhat.com] > > > > > > Sent: April 20, 2016 1:59 PM > > > > > > To: Martin Basti; Gady Notrica; freeipa-users@redhat.com > <mailto:freeipa-users@redhat.com> > > > <mailto:freeipa-users@redhat.com> > > > > > > Subject: Re: [Freeipa-users] ipa-client-install errors > > > > > > Martin Basti wrote: > > > > > > > > > > > > > > > > > > > > > On 20.04.2016 18:00, Gady Notrica wrote: > > > > > > >> > > > > > > >> Hello World, > > > > > > >> > > > > > > >> I am having these errors trying to install ipa-client-install. > > > Every > > > > > > >> other machine is fine and they IPA servers are functioning > > > perfectly > > > > > > >> > > > > > > >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 > > > > > > >> > > > > > > >> Kerberos authentication failed: kinit: Improper format of > Kerberos > > > > > > >> configuration file while initializing Kerberos 5 library > > > > > > >> > > > > > > >> Then I have "/Installation failed. Rolling back changes."/ > > > > > > >> > > > > > > >> I have tried everything I know with no luck. Any idea on how to > > > FIX > > > > > > >> this? Below is the full log. > > > > > > >> > > > > > > >> ----------------------------------------------------------- > > > > > > >> > > > > > > >> /Continue to configure the system with these values? [no]: yes/ > > > > > > >> > > > > > > >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned > 1/ > > > > > > >> > > > > > > >> /Skipping synchronizing time with NTP server./ > > > > > > >> > > > > > > >> /User authorized to enroll computers: admin/ > > > > > > >> > > > > > > >> /Password for ad...@ipa.domain.com:/ > <mailto:ad...@ipa.domain.com:/> > > > <mailto:ad...@ipa.domain.com:/> > > > > > > >> > > > > > > >> /Please make sure the following ports are opened in the > firewall > > > > > > >> settings:/ > > > > > > >> > > > > > > >> /TCP: 80, 88, 389/ > > > > > > >> > > > > > > >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/ > > > > > > >> > > > > > > >> /Also note that following ports are necessary for ipa-client > > > working > > > > > > >> properly after enrollment:/ > > > > > > >> > > > > > > >> /TCP: 464/ > > > > > > >> > > > > > > >> /UDP: 464, 123 (if NTP enabled)/ > > > > > > >> > > > > > > >> /Kerberos authentication failed: kinit: Improper format of > > > Kerberos > > > > > > >> configuration file while initializing Kerberos 5 library/ > > > > > > >> > > > > > > >> // > > > > > > >> > > > > > > >> /Installation failed. Rolling back changes./ > > > > > > >> > > > > > > >> /Failed to list certificates in /etc/ipa/nssdb: Command > > > > > > >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned > non-zero > > > > > > >> exit status 255/ > > > > > > >> > > > > > > >> /Disabling client Kerberos and LDAP configurations/ > > > > > > >> > > > > > > >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was > moved > > > to > > > > > > >> /etc/sssd/sssd.conf.deleted/ > > > > > > >> > > > > > > >> /Restoring client configuration files/ > > > > > > >> > > > > > > >> /nscd daemon is not installed, skip configuration/ > > > > > > >> > > > > > > >> /nslcd daemon is not installed, skip configuration/ > > > > > > >> > > > > > > >> /Client uninstall complete./ > > > > > > >> > > > > > > >> > /---------------------------------------------------------------/ > > > > > > >> > > > > > > >> Gady > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > > Hello, > > > > > > > > > > > > > > IMO you have an old invalid keytab on that machine. Can you > > > manually > > > > > > > remove it and try to reinstall client? (Of course only if you > are > > > sure > > > > > > > that keytab there is not needed) > > > > > > > > > > > > > > The keytab should be located here /etc/krb5.keytab > > > > > > That or /etc/krb5.conf is messed up in some way. > > > > > > rob > > > > > > -- > > > > > > Manage your subscription for the Freeipa-users mailing list: > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > Go to http://freeipa.org for more info on the project > > > >
ipaclient-install.log
Description: ipaclient-install.log
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project