[root@cd-s-prd-db1 krb5.include.d]# ls -l
-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca
-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin
[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41
[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]
[root@cd-s-prd-db1 krb5.include.d]# uname -a
Linux cd-s-prd-db1.ipa.candeal.ca 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

It's Centos 7.

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 4:04 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Ok, Gady sent the complete file out-of-band and the temporary krb5.conf the client installer creates looks ok.

It does include files from /var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files in there and if so, what the contents are?

BTW, what distro and release of ipa-client is this?

thanks

rob

Rob Crittenden wrote:
> Gady Notrica wrote:
>> Please find below the krb5.conf. Still has with original content.
>>
>> [root@prddb1]# ipa-client-install
>> Discovery was successful!
>> ...
>> Continue to configure the system with these values? [no]: yes
>> ....
>> Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
>> Installation failed. Rolling back changes.
>> Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
>> ....
>> Client uninstall complete.
>>
>> [root@prddb1]# cat /etc/krb5.conf
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>> [libdefaults]
>> dns_lookup_realm = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> rdns = false
>> # default_realm = EXAMPLE.COM
>> default_ccache_name = KEYRING:persistent:%{uid}
>> [realms]
>> # EXAMPLE.COM = {
>> # kdc = kerberos.example.com
>> # admin_server = kerberos.example.com
>> # }
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>> [root@prddb1]#
>
> Ok, I agree with the others then, we need to see the full ipaclient-install.log. This file looks fine which means the temporary one that is configured must be bad in some way. The log will tell how.
>
> rob
>
>>
>> Gady
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: April 20, 2016 3:14 PM
>> To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] ipa-client-install errors
>>
>> Gady Notrica wrote:
>> > Thank you guys for your help.
>> >
>> > Still can't enroll the client. Any suggestion on the errors below?
>> >
>> > /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
>>
>> What does /etc/krb5.conf look like?
>>
>> > Installation failed. Rolling back changes.
>> >
>> > /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
>>
>> This is unrelated to the enrollment problem.
>>
>> rob
>>
>> >
>> > Disabling client Kerberos and LDAP configurations
>> >
>> > Gady Notrica
>> >
>> > -----Original Message-----
>> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
>> > Sent: April 20, 2016 2:12 PM
>> > To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
>> > Subject: Re: [Freeipa-users] ipa-client-install errors
>> >
>> > Any specific command in particular to remove that keytab?
>> >
>> > Since these don't work
>> >
>> > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
>> > Kerberos context initialization failed
>> >
>> > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
>> > Kerberos context initialization failed
>> >
>> > [root@cprddb1 /]#
>> >
>> > Gady
>> >
>> > -----Original Message-----
>> > From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> > Sent: April 20, 2016 1:59 PM
>> > To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
>> > Subject: Re: [Freeipa-users] ipa-client-install errors
>> >
>> > Martin Basti wrote:
>> > >
>> > > On 20.04.2016 18:00, Gady Notrica wrote:
>> > >>
>> > >> Hello World,
>> > >>
>> > >> I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly
>> > >>
>> > >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>> > >>
>> > >> Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
>> > >>
>> > >> Then I have "/Installation failed. Rolling back changes."/
>> > >>
>> > >> I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.
>> > >>
>> > >> -----------------------------------------------------------
>> > >> /Continue to configure the system with these values? [no]: yes/
>> > >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>> > >> /Skipping synchronizing time with NTP server./
>> > >> /User authorized to enroll computers: admin/
>> > >> /Password for ad...@ipa.domain.com:/
>> > >> /Please make sure the following ports are opened in the firewall settings:/
>> > >> /TCP: 80, 88, 389/
>> > >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>> > >> /Also note that following ports are necessary for ipa-client working properly after enrollment:/
>> > >> /TCP: 464/
>> > >> /UDP: 464, 123 (if NTP enabled)/
>> > >> /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
>> > >> /Installation failed. Rolling back changes./
>> > >> /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
>> > >> /Disabling client Kerberos and LDAP configurations/
>> > >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted/
>> > >> /Restoring client configuration files/
>> > >> /nscd daemon is not installed, skip configuration/
>> > >> /nslcd daemon is not installed, skip configuration/
>> > >> /Client uninstall complete./
>> > >> /---------------------------------------------------------------/
>> > >>
>> > >> Gady
>> > >>
>> > > Hello,
>> > >
>> > > IMO you have an old invalid keytab on that machine. Can you manually remove it and try to reinstall client? (Of course only if you are sure that keytab there is not needed)
>> > >
>> > > The keytab should be located here /etc/krb5.keytab
>> >
>> > That or /etc/krb5.conf is messed up in some way.
>> >
>> > rob
>> >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
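
The check Rob asks for at the top of this thread (what is in /var/lib/sss/pubconf/krb5.include.d/, which the installer's temporary krb5.conf includes) can be scripted. The following is an added example, not code from the thread or from FreeIPA: it flags lines that do not fit a simplified version of the krb5.conf profile grammar (an assumption of this example, not libkrb5's parser), and the function names are this example's own, with the two sample strings copied from the listing at the top of the thread.

```python
import re
import sys
from pathlib import Path

INCLUDE_DIR = "/var/lib/sss/pubconf/krb5.include.d"  # path from the thread

# File contents as shown in the listing at the top of the thread.
SAMPLE_DNS = """# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41
"""
SAMPLE_REALM = """[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]
"""

SECTION = re.compile(r"^\[[^\]]+\]$")
RELATION = re.compile(r"^[^\s=]+\s*=\s*(.*)$")  # tag = value, or tag = {


def check_profile_text(text):
    """Return (line_no, line, reason) for each line outside the simplified grammar."""
    problems, in_section, depth = [], False, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith(("include ", "includedir ")):
            continue  # blank line, comment, or include directive
        if SECTION.match(line):
            in_section = True
        elif line in ("}", "}*"):
            depth -= 1
            if depth < 0:
                problems.append((no, line, "closing brace without open group"))
                depth = 0
        elif (m := RELATION.match(line)) is None:
            problems.append((no, line, "not a 'tag = value' relation"))
        elif not in_section:
            problems.append((no, line, "relation before any [section]"))
        elif m.group(1).strip() == "{":
            depth += 1
    if depth:
        problems.append((0, "", "unclosed '{' group"))
    return problems


def check_include_dir(path=INCLUDE_DIR):
    """Map each regular file in the include directory to its problem list."""
    return {f.name: check_profile_text(f.read_text(errors="replace"))
            for f in sorted(Path(path).iterdir()) if f.is_file()}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else INCLUDE_DIR
    for name, probs in check_include_dir(target).items():
        for no, line, why in probs:
            print(f"{name}:{no}: {why}: {line}")
```

Run it on the client with no arguments to check the SSSD include directory, or pass another directory as the first argument.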