Ok, Gady sent the complete file out-of-band and the temporary krb5.conf
the client installer creates looks ok. It does include files from
/var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files
in there and if so, what the contents are?
BTW, what distro and release of ipa-client is this?
thanks
rob
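
Added example, not part of the original thread and not FreeIPA or MIT krb5 code: a simplified Python approximation of the libkrb5 profile syntax rules that walks a krb5.conf, follows its include/includedir directives (such as /var/lib/sss/pubconf/krb5.include.d/), and reports which file and line would not parse. The names check and demo are hypothetical, the sample files are constructed, and the file-name filter follows the includedir rule in the MIT krb5.conf documentation.

```python
import re
import tempfile
from pathlib import Path

# includedir-eligible names per MIT krb5.conf docs: [A-Za-z0-9_-]+ or (1.15+) *.conf
INCLUDE_NAME = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")
SECTION = re.compile(r"^\[[^\]]+\]\*?$")
RELATION = re.compile(r"^[^=\s\[\]{}]+\s*=\s*(.*)$")

def check(path, findings, depth=0):
    """Simplified profile syntax check that follows include/includedir."""
    if path.is_dir():  # includedir target: only eligible file names are read
        for child in sorted(path.iterdir()):
            if INCLUDE_NAME.match(child.name):
                check(child, findings, depth + 1)
        return findings
    if not path.is_file():
        findings.append((path, 0, "include target missing"))
        return findings
    lines = path.read_text(errors="replace").splitlines()
    braces = 0
    for num, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;" or SECTION.match(line):
            continue
        word, arg = (line.split(None, 1) + [""])[:2]
        if word in ("include", "includedir") and depth < 5:
            check(Path(arg), findings, depth + 1)
        elif line.rstrip("*") == "}":
            braces -= 1
        elif (m := RELATION.match(line)):
            braces += m.group(1) == "{"
        else:
            findings.append((path, num, "not a section or relation: " + line))
    if braces != 0:
        findings.append((path, len(lines), "unbalanced braces"))
    return findings

def demo():
    """Constructed sample tree: good krb5.conf, truncated snippet, skipped name."""
    root = Path(tempfile.mkdtemp())
    (root / "krb5.include.d").mkdir()
    for rel, text in (
        ("krb5.conf", f"includedir {root}/krb5.include.d\n[libdefaults]\n rdns = false\n"),
        ("krb5.include.d/localauth_plugin", "[plugins]\n localauth = {\n"),
        ("krb5.include.d/notes.bak", "skipped: file name is not eligible\n"),
    ):
        (root / rel).write_text(text)
    return [(p.name, n, m) for p, n, m in check(root / "krb5.conf", [])]
```

On a real client, check(Path("/etc/krb5.conf"), []) returns an empty list when every file reached through the includes passes these simplified rules; kinit remains the authoritative test.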
Rob Crittenden wrote:
Gady Notrica wrote:
Please find below the krb5.conf. It still has the original content.
[root@prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes
....
Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted
....
Client uninstall complete.
[root@prddb1]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#
Ok, I agree with the others then, we need to see the full
ipaclient-install.log. This file looks fine which means the temporary
one that is configured must be bad in some way. The log will tell how.
rob
Gady
-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library/
What does /etc/krb5.conf look like?
> Installation failed. Rolling back changes.
>
> /Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255/
This is unrelated to the enrollment problem.
rob
>
> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
> Sent: April 20, 2016 2:12 PM
> To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root@cprddb1 /]#
>
> Gady
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: April 20, 2016 1:59 PM
> To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Martin Basti wrote:
> >
> > On 20.04.2016 18:00, Gady Notrica wrote:
> >>
> >> Hello World,
> >>
> >> I am having these errors trying to install ipa-client-install. Every
> >> other machine is fine and the IPA servers are functioning perfectly
> >>
> >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
> >>
> >> Kerberos authentication failed: kinit: Improper format of Kerberos
> >> configuration file while initializing Kerberos 5 library
> >>
> >> Then I have "/Installation failed. Rolling back changes."/
> >>
> >> I have tried everything I know with no luck. Any idea on how to FIX
> >> this? Below is the full log.
> >>
> >> -----------------------------------------------------------
> >>
> >> /Continue to configure the system with these values? [no]: yes/
> >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
> >> /Skipping synchronizing time with NTP server./
> >> /User authorized to enroll computers: admin/
> >> /Password for ad...@ipa.domain.com:/
> >> /Please make sure the following ports are opened in the firewall settings:/
> >> /TCP: 80, 88, 389/
> >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
> >> /Also note that following ports are necessary for ipa-client working properly after enrollment:/
> >> /TCP: 464/
> >> /UDP: 464, 123 (if NTP enabled)/
> >> /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
> >> /Installation failed. Rolling back changes./
> >> /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
> >> /Disabling client Kerberos and LDAP configurations/
> >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted/
> >> /Restoring client configuration files/
> >> /nscd daemon is not installed, skip configuration/
> >> /nslcd daemon is not installed, skip configuration/
> >> /Client uninstall complete./
> >>
> >> /---------------------------------------------------------------/
> >>
> >> Gady
> >>
> > Hello,
> >
> > IMO you have an old invalid keytab on that machine. Can you manually
> > remove it and try to reinstall client? (Of course only if you are sure
> > that keytab there is not needed)
> >
> > The keytab should be located here /etc/krb5.keytab
>
> That or /etc/krb5.conf is messed up in some way.
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project