Martin,

Thanks for the reply.

tail -f /var/log/krb5kdc.log | grep client1.example.com

had nothing during a failed ipa client install and plenty of activity during a good install.

And sorry, I missed a big piece of information. The debug log showed

ipa-getkeytab: ../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.

Basically /etc/krb5.keytab didn't get created.

I always wondered why we needed "--ca-cert-file=/etc/ipa/ca.crt", so I ran ipa-client-install without it. I tested the install twenty times with no failure. The ca.crt I provide and the one ipa-client-install downloaded are identical.

On Friday, April 22, 2016 3:09 AM, Martin Babinsky <mbabi...@redhat.com> wrote:

On 04/21/2016 11:14 PM, Ask Stack wrote:
> Half the time ipa-client-install will fail at getting the TGT. Google
> showed posts like, Bug 845691 – ipa-client-install Failed to obtain host
> TGT <https://bugzilla.redhat.com/show_bug.cgi?id=845691>. I reduced
> '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp'
> '_kerberos._udp' to one server entry only. But it didn't help to reduce
> the failure rate. Thanks for your help.
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> ipa-client-install --hostname=client1.example.com
> --server=ipa-server.example.com --domain=example.com -N --mkhomedir
> --unattended -p ipa...@example.com -w 'password1'
> --ca-cert-file=/etc/ipa/ca.crt -d
> ...
> ...
> Enrolled in IPA realm EXAMPLE.COM
> args=kdestroy
> stdout=
> stderr=
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example....@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example....@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example....@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example....@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example....@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> Failed to obtain host TGT.
>

Hello,

can you please provide KDC log from the server you are enrolling against?

IIRC it should be in /var/log/krb5kdc.log

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project