Re: [Freeipa-users] ipa-client-install errors
You guys are awesome

# ipa-client-install --enable-dns-updates --mkhomedir --no-ntp
Discovery was successful!
…
Continue to configure the system with these values? [no]: yes
…
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
….
Systemwide CA database updated.
Added CA certificates to the default NSS database.
…
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
….
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.candeal.ca as NIS domain.
Client configuration complete.

Gady

-----Original Message-----
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: April 20, 2016 4:16 PM
To: Gady Notrica
Cc: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Re: [Freeipa-users] ipa-client-install errors
On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca
>-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin
>
>[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
># Generated by NetworkManager
>search ipa.candeal.ca
>nameserver 172.20.10.40
>nameserver 172.20.10.41

This should be content of /etc/resolv.conf and not domain_realm_ipa_candeal_ca

>[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
>[domain_realm]
>.AD.candeal.ca = AD.CANDEAL.CA
>AD.candeal.ca = AD.CANDEAL.CA
>[capaths]
>

This should be content of domain_realm_ipa_candeal_ca and not localauth_plugin

Remove both files. It is safe. They will be created by sssd after start.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
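The thread traces the kinit error to files under /var/lib/sss/pubconf/krb5.include.d/ that do not hold Kerberos profile text. The following check is an added example, not code from the thread, FreeIPA, SSSD or MIT krb5: it applies a simplified approximation of the krb5.conf grammar to every file in that directory, and the names `lint_profile` and `lint_dir` are hypothetical.

```python
import re
from pathlib import Path

# Directory named in the thread; the client's krb5.conf pulls in its files.
INCLUDE_DIR = "/var/lib/sss/pubconf/krb5.include.d"

# File contents copied from the `cat` output quoted in the thread.
SAMPLE_DOMAIN_REALM = """\
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41
"""
SAMPLE_LOCALAUTH = """\
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]
"""

SECTION_RE = re.compile(r"^\[[^\[\]]+\]$")
DIRECTIVE_RE = re.compile(r"^(include|includedir|module)\s+\S")


def lint_profile(text):
    """Return [(line_number, message)] for lines that break basic profile syntax.

    Assumption: this models only sections, "name = value" relations and
    brace-delimited subsections. It is not libkrb5's own parser.
    """
    problems = []
    in_section = False
    depth = 0  # nesting level of "name = {" subsections
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if depth == 0 and DIRECTIVE_RE.match(line):
            continue  # include/includedir/module directive
        if line.startswith("["):
            if depth:
                problems.append((lineno, "section starts inside an unclosed brace"))
                depth = 0
            if SECTION_RE.match(line):
                in_section = True
            else:
                problems.append((lineno, "malformed section header"))
            continue
        if line.startswith("}"):
            if depth == 0:
                problems.append((lineno, "closing brace without an opening brace"))
            else:
                depth -= 1
            continue
        if not in_section:
            problems.append((lineno, "text outside any [section]"))
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            problems.append((lineno, "expected 'name = value'"))
        elif value.strip() == "{":
            depth += 1
    if depth:
        problems.append((len(lines), "missing closing brace"))
    return problems


def lint_dir(directory=INCLUDE_DIR):
    """Map file name -> problems for every regular file that fails the check."""
    bad = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            problems = lint_profile(path.read_text(errors="replace"))
            if problems:
                bad[path.name] = problems
    return bad


if __name__ == "__main__":
    samples = {
        "domain_realm_ipa_candeal_ca": SAMPLE_DOMAIN_REALM,
        "localauth_plugin": SAMPLE_LOCALAUTH,
    }
    for name, text in samples.items():
        for lineno, message in lint_profile(text) or [(0, "syntax ok")]:
            print(f"{name}:{lineno}: {message}")
```

On the two files from the thread, the resolv.conf text in domain_realm_ipa_candeal_ca fails on every non-comment line, while localauth_plugin passes: its content is well-formed profile text that sits in the wrong file, which a syntax check alone does not detect.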
Re: [Freeipa-users] ipa-client-install errors
[root@cd-s-prd-db1 krb5.include.d]# ls -l
-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca
-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin

[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41

[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]

[root@cd-s-prd-db1 krb5.include.d]# uname -a
Linux cd-s-prd-db1.ipa.candeal.ca 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

It's CentOS 7.

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 4:04 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Re: [Freeipa-users] ipa-client-install errors
Ok, Gady sent the complete file out-of-band and the temporary krb5.conf the client installer creates looks ok.

It does include files from /var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files in there and if so, what the contents are?

BTW, what distro and release of ipa-client is this?

thanks

rob
Re: [Freeipa-users] ipa-client-install errors
Original file attached - no changes to the file

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:52 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Re: [Freeipa-users] ipa-client-install errors
Gady Notrica wrote:
> Please find below the kr5.conf. Still has with original content.
>
> [root@prddb1]# ipa-client-install
> Discovery was successful!
> ...
> Continue to configure the system with these values? [no]: yes
>
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
>
> Client uninstall complete.
>
> [root@prddb1]# cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> # default_realm = EXAMPLE.COM
> default_ccache_name = KEYRING:persistent:%{uid}
> [realms]
> # EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> # }
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
> [root@prddb1]#

Ok, I agree with the others then, we need to see the full ipaclient-install.log. This file looks fine which means the temporary one that is configured must be bad in some way. The log will tell how.

rob
Re: [Freeipa-users] ipa-client-install errors
Please find below the krb5.conf. Still has with original content.

[root@prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes

Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted

Client uninstall complete.

[root@prddb1]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Re: [Freeipa-users] ipa-client-install errors
Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

> Installation failed. Rolling back changes.
>
> /Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255/

This is unrelated to the enrollment problem.

rob

>
> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
Re: [Freeipa-users] ipa-client-install errors
Thank you guys for your help.

Still can't enroll the client. Any suggestion on the errors below?

Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255

Disabling client Kerberos and LDAP configurations

Gady Notrica

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Any specific command in particular to remove that keytab?

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed

[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
Kerberos context initialization failed

[root@cprddb1 /]#

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
>
> On 20.04.2016 18:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every
>> other machine is fine and they IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "/Installation failed. Rolling back changes."/
>>
>> I have tried everything I know with no luck. Any idea on how to FIX
>> this? Below is the full log.
>>
>> ---
>>
>> /Continue to configure the system with these values? [no]: yes/
>> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>> /Skipping synchronizing time with NTP server./
>> /User authorized to enroll computers: admin/
>> /Password for ad...@ipa.domain.com:/
>> /Please make sure the following ports are opened in the firewall
>> settings:/
>> /TCP: 80, 88, 389/
>> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>> /Also note that following ports are necessary for ipa-client working
>> properly after enrollment:/
>> /TCP: 464/
>> /UDP: 464, 123 (if NTP enabled)/
>> /Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library/
>>
>> /Installation failed. Rolling back changes./
>> /Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255/
>> /Disabling client Kerberos and LDAP configurations/
>> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted/
>> /Restoring client configuration files/
>> /nscd daemon is not installed, skip configuration/
>> /nslcd daemon is not installed, skip configuration/
>> /Client uninstall complete./
>>
>> /---/
>>
>> Gady
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually
> remove it and try to reinstall client? (Of course only if you are sure
> that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob
Re: [Freeipa-users] ipa-client-install errors
hi Gady,

On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica wrote:
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
> /etc/krb5.keytab
> Kerberos context initialization failed

I think that you just need to rm /etc/krb5.keytab and remove the host object in the web interface if it exists.

--
groet,
natxo
Re: [Freeipa-users] ipa-client-install errors
Any specific command in particular to remove that keytab?

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed
[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
Kerberos context initialization failed
[root@cprddb1 /]#

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
> On 20.04.2016 18:00, Gady Notrica wrote:
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every
>> other machine is fine and the IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "/Installation failed. Rolling back changes."/
>>
>> I have tried everything I know with no luck. Any idea on how to FIX
>> this? Below is the full log.
>>
>> ---
>> /Continue to configure the system with these values? [no]: yes/
>> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>> /Skipping synchronizing time with NTP server./
>> /User authorized to enroll computers: admin/
>> /Password for ad...@ipa.domain.com:/
>> /Please make sure the following ports are opened in the firewall settings:/
>> /TCP: 80, 88, 389/
>> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>> /Also note that following ports are necessary for ipa-client working properly after enrollment:/
>> /TCP: 464/
>> /UDP: 464, 123 (if NTP enabled)/
>> /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
>> //
>> /Installation failed. Rolling back changes./
>> /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
>> /Disabling client Kerberos and LDAP configurations/
>> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted/
>> /Restoring client configuration files/
>> /nscd daemon is not installed, skip configuration/
>> /nslcd daemon is not installed, skip configuration/
>> /Client uninstall complete./
>> /---/
>>
>> Gady
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually
> remove it and try to reinstall client? (Of course only if you are sure
> that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob
Re: [Freeipa-users] ipa-client-install errors
Martin Basti wrote:
> On 20.04.2016 18:00, Gady Notrica wrote:
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
>>
>> Then I have /Installation failed. Rolling back changes./
>>
>> I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.
>>
>> ---
>> /Continue to configure the system with these values? [no]: yes/
>> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>> /Skipping synchronizing time with NTP server./
>> /User authorized to enroll computers: admin/
>> /Password for ad...@ipa.domain.com:/
>> /Please make sure the following ports are opened in the firewall settings:/
>> /TCP: 80, 88, 389/
>> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>> /Also note that following ports are necessary for ipa-client working properly after enrollment:/
>> /TCP: 464/
>> /UDP: 464, 123 (if NTP enabled)/
>> /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
>> //
>> /Installation failed. Rolling back changes./
>> /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
>> /Disabling client Kerberos and LDAP configurations/
>> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted/
>> /Restoring client configuration files/
>> /nscd daemon is not installed, skip configuration/
>> /nslcd daemon is not installed, skip configuration/
>> /Client uninstall complete./
>> /---/
>>
>> Gady
>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually remove it and try to reinstall client? (Of course only if you are sure that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob
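One way to find which file triggers "Improper format of Kerberos configuration file", as an added example that is not part of the original thread or of FreeIPA. It is a simplified format check, not libkrb5's parser; the function names, the ROOT prefix argument, the `/etc/krb5.include.d` path and all sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified krb5.conf format check. It approximates the file
# grammar and is NOT libkrb5's parser. Include cycles are not detected.

# lint_one FILE: print "FILE:LINE: reason" for every line that is not a
# comment, an include/includedir/module directive, a [section] header,
# "key = value", "key = {" or "}".
lint_one() {
    awk '
        function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg }
        {
            line = $0
            sub(/\r$/, "", line)                 # tolerate CRLF files
            gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim surrounding blanks
        }
        line == "" || line ~ /^[#;]/ { next }
        line ~ /^(includedir|include|module)[ \t]+[^ \t]/ { next }
        line ~ /^\[[^]]+\]\*?$/ {
            if (depth > 0) bad("[section] header inside an unclosed { }")
            in_section = 1; depth = 0; next
        }
        !in_section { bad("text before any [section] header"); next }
        line ~ /^[}]\*?$/ {
            if (depth == 0) bad("} without a matching {"); else depth--
            next
        }
        line ~ /^[^= \t]+[ \t]*=[ \t]*[{]$/ { depth++; next }
        line ~ /^[^= \t]+[ \t]*=/ { next }
        { bad("not a key = value relation") }
        END { if (depth > 0) printf "%s: unclosed { at end of file\n", FILENAME }
    ' "$1"
}

# lint_tree FILE [ROOT]: lint FILE plus every file it pulls in through
# include / includedir. ROOT is a hypothetical path prefix so that a copy of
# the configuration tree can be checked away from the live system.
lint_tree() {
    file=$1; root=${2:-}
    lint_one "$file"
    awk '$1 == "include" || $1 == "includedir" { print $1, $2 }' "$file" |
    while read -r kind path; do
        if [ "$kind" = include ]; then
            if [ -f "$root$path" ]; then lint_tree "$root$path" "$root"; fi
        else
            for f in "$root$path"/*; do
                [ -f "$f" ] || continue
                # includedir reads names made of letters, digits, "-" and "_"
                # (newer MIT releases also read names ending in .conf).
                case ${f##*/} in
                    *.conf) ;;
                    *[!A-Za-z0-9_-]*) continue ;;
                esac
                lint_tree "$f" "$root"
            done
        fi
    done
    return 0
}

# make_sample DIR: write a constructed config tree (all names and values are
# made up for this example) with one clean file and one damaged snippet.
make_sample() {
    mkdir -p "$1/etc/krb5.include.d"
    cat > "$1/etc/krb5.conf" <<'EOF'
includedir /etc/krb5.include.d
[libdefaults]
  default_realm = EXAMPLE.TEST
[realms]
  EXAMPLE.TEST = {
    kdc = kdc.example.test
  }
EOF
    # A snippet that holds resolver settings instead of krb5 relations.
    cat > "$1/etc/krb5.include.d/resolver_leftover" <<'EOF'
# Generated by NetworkManager
search example.test
nameserver 192.0.2.10
EOF
    # Skipped: the name contains a dot and does not end in .conf.
    echo 'garbage' > "$1/etc/krb5.include.d/stale.rpmsave"
}

sample=$(mktemp -d)
make_sample "$sample"
lint_tree "$sample/etc/krb5.conf" "$sample"
rm -rf "$sample"
```

On a live client the call would be `lint_tree /etc/krb5.conf` with no ROOT argument; a clean result does not prove libkrb5 will accept the file, but any finding names the file and line to inspect first.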
Re: [Freeipa-users] ipa-client-install errors
Thank you Martin,

I have tried many different ways. I can't seem to be able to remove anything in the file.

Gady

From: Martin Basti [mailto:mba...@redhat.com]
Sent: April 20, 2016 12:50 PM
To: Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 20.04.2016 18:00, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.

---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---

Gady

Hello,

IMO you have an old invalid keytab on that machine. Can you manually remove it and try to reinstall client? (Of course only if you are sure that keytab there is not needed)

The keytab should be located here /etc/krb5.keytab

Martin
Re: [Freeipa-users] ipa-client-install errors
On 04/20/2016 07:12 PM, Gady Notrica wrote:
> Please find attached the install log
>
> Gady
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
> Sent: April 20, 2016 1:04 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> On 04/20/2016 06:00 PM, Gady Notrica wrote:
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
>>
>> Then I have "/Installation failed. Rolling back changes."/
>>
>> I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.
>>
>> ---
>> /Continue to configure the system with these values? [no]: yes/
>> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>> /Skipping synchronizing time with NTP server./
>> /User authorized to enroll computers: admin/
>> /Password for ad...@ipa.domain.com:/
>> /Please make sure the following ports are opened in the firewall settings:/
>> / TCP: 80, 88, 389/
>> / UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>> /Also note that following ports are necessary for ipa-client working properly after enrollment:/
>> / TCP: 464/
>> / UDP: 464, 123 (if NTP enabled)/
>> /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
>> //
>> /Installation failed. Rolling back changes./
>> /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
>> /Disabling client Kerberos and LDAP configurations/
>> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted/
>> /Restoring client configuration files/
>> /nscd daemon is not installed, skip configuration/
>> /nslcd daemon is not installed, skip configuration/
>> /Client uninstall complete./
>> /---/
>>
>> Gady
>
> We would need to see the whole log, it should be located in '/var/log/ipaclient-install.log'
>
> --
> Martin^3 Babinsky

It looks like the log is truncated. Are you sure that this is the full version?

--
Martin^3 Babinsky
Re: [Freeipa-users] ipa-client-install errors
Please find attached the install log

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:
> Hello World,
>
> I am having these errors trying to install ipa-client-install. Every
> other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
>
> Then I have "/Installation failed. Rolling back changes."/
>
> I have tried everything I know with no luck. Any idea on how to FIX
> this? Below is the full log.
>
> ---
> /Continue to configure the system with these values? [no]: yes/
> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
> /Skipping synchronizing time with NTP server./
> /User authorized to enroll computers: admin/
> /Password for ad...@ipa.domain.com:/
> /Please make sure the following ports are opened in the firewall settings:/
> / TCP: 80, 88, 389/
> / UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
> /Also note that following ports are necessary for ipa-client working properly after enrollment:/
> / TCP: 464/
> / UDP: 464, 123 (if NTP enabled)/
> /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
> //
> /Installation failed. Rolling back changes./
> /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
> /Disabling client Kerberos and LDAP configurations/
> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted/
> /Restoring client configuration files/
> /nscd daemon is not installed, skip configuration/
> /nslcd daemon is not installed, skip configuration/
> /Client uninstall complete./
> /---/
>
> Gady
>

We would need to see the whole log, it should be located in '/var/log/ipaclient-install.log'

--
Martin^3 Babinsky

# cat /var/log/ipaclient-install.log
2016-04-20T16:04:34Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': 'cd-s-prd-db1.ipa.domain.com', 'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': True, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': True, 'mkhomedir': True, 'uninstall': False}
2016-04-20T16:04:34Z DEBUG missing options might be asked for interactively later
2016-04-20T16:04:34Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1
2016-04-20T16:04:34Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-04-20T16:04:34Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-04-20T16:04:34Z DEBUG [IPA Discovery]
2016-04-20T16:04:34Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=cd-s-prd-db1.ipa.domain.com
2016-04-20T16:04:34Z DEBUG Start searching for LDAP SRV record in "ipa.domain.com" (domain of the hostname) and its sub-domains
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of _ldap._tcp.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa1.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa2.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG [Kerberos realm search]
2016-04-20T16:04:34Z DEBUG Search DNS for TXT record of _kerberos.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: "IPA.domain.com"
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of _kerberos._udp.ipa.domain.com
2016-04-20T16:04:34Z DEB
Re: [Freeipa-users] ipa-client-install errors
On 04/20/2016 06:00 PM, Gady Notrica wrote:
> Hello World,
>
> I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
>
> Then I have “/Installation failed. Rolling back changes.”/
>
> I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.
>
> ---
> /Continue to configure the system with these values? [no]: yes/
> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
> /Skipping synchronizing time with NTP server./
> /User authorized to enroll computers: admin/
> /Password for ad...@ipa.domain.com:/
> /Please make sure the following ports are opened in the firewall settings:/
> / TCP: 80, 88, 389/
> / UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
> /Also note that following ports are necessary for ipa-client working properly after enrollment:/
> / TCP: 464/
> / UDP: 464, 123 (if NTP enabled)/
> /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
> //
> /Installation failed. Rolling back changes./
> /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
> /Disabling client Kerberos and LDAP configurations/
> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted/
> /Restoring client configuration files/
> /nscd daemon is not installed, skip configuration/
> /nslcd daemon is not installed, skip configuration/
> /Client uninstall complete./
> /---/
>
> Gady

We would need to see the whole log, it should be located in '/var/log/ipaclient-install.log'

--
Martin^3 Babinsky
Re: [Freeipa-users] ipa-client-install errors
On 20.04.2016 18:00, Gady Notrica wrote:
> Hello World,
>
> I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
>
> Then I have “/Installation failed. Rolling back changes.”/
>
> I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.
>
> ---
> /Continue to configure the system with these values? [no]: yes/
> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
> /Skipping synchronizing time with NTP server./
> /User authorized to enroll computers: admin/
> /Password for ad...@ipa.domain.com:/
> /Please make sure the following ports are opened in the firewall settings:/
> /TCP: 80, 88, 389/
> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
> /Also note that following ports are necessary for ipa-client working properly after enrollment:/
> /TCP: 464/
> /UDP: 464, 123 (if NTP enabled)/
> /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
> //
> /Installation failed. Rolling back changes./
> /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
> /Disabling client Kerberos and LDAP configurations/
> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted/
> /Restoring client configuration files/
> /nscd daemon is not installed, skip configuration/
> /nslcd daemon is not installed, skip configuration/
> /Client uninstall complete./
> /---/
>
> Gady

Hello,

IMO you have an old invalid keytab on that machine. Can you manually remove it and try to reinstall client? (Of course only if you are sure that keytab there is not needed)

The keytab should be located here /etc/krb5.keytab

Martin
[Freeipa-users] ipa-client-install errors
Hello World,

I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.

---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---

Gady
Re: [Freeipa-users] ipa-client-install errors via kickstart
On 06/26/2011 08:35 AM, Charlie Derwent wrote:
On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Charlie Derwent wrote:
On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Charlie Derwent wrote:

Hi

I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message.

root: DEBUG
root: ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL
Failed to verify that ipa.test.net <http://ipa.test.net> is an IPA server
This may mean that the remote server is not up or is not reachable due to network or firewall settings

What version of IPA are you running on the client and server?

Server is running 2.0.0.rc3-0 F14 Client is running 2.0.0.rc3-0 RHEL 5.6 Clients are running 2.0-10.el5_6.1 All the boxes are 64-bit

How are you invoking ipa-client-install? The error message looks a bit odd and I'm not sure if it is a mail client mucking it up or something else (the addition of http://ipa.test.net)

rob

Can you check the 389-ds access log to see if you can see the connection and any errors reported with it?

Nothing in the access.log on the server. The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below).

The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?

Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart.

yeah got the killall -HUP dbus-daemon in there now.

Cheers
Charlie

rob

Figured it out! Well partly... it's a dependency issue. I installed pretty much everything onto the box and it started to work but on my cut down server no joy. Finding the missing RPM might be a little bit trickier unless someone could deduce what RPM's absence could cause that error? It's hard cause it may be a dependency for the ipa-client or a dependency of a dependency and so forth!

If you are doing a DNS install for the server, you need bind-dyndb-ldap, which is the LDAP backend for the DNS server.

Cheers
Charlie

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-client-install errors via kickstart
On Mon, Jun 27, 2011 at 2:07 PM, Adam Young <ayo...@redhat.com> wrote:
On 06/26/2011 08:35 AM, Charlie Derwent wrote:
On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Charlie Derwent wrote:
On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Charlie Derwent wrote:

Hi

I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message.

root: DEBUG
root: ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL
Failed to verify that ipa.test.net <http://ipa.test.net> is an IPA server
This may mean that the remote server is not up or is not reachable due to network or firewall settings

What version of IPA are you running on the client and server?

Server is running 2.0.0.rc3-0 F14 Client is running 2.0.0.rc3-0 RHEL 5.6 Clients are running 2.0-10.el5_6.1 All the boxes are 64-bit

How are you invoking ipa-client-install? The error message looks a bit odd and I'm not sure if it is a mail client mucking it up or something else (the addition of http://ipa.test.net)

rob

Can you check the 389-ds access log to see if you can see the connection and any errors reported with it?

Nothing in the access.log on the server. The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below).

The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?

Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart.

yeah got the killall -HUP dbus-daemon in there now.

Cheers
Charlie

rob

Figured it out! Well partly... it's a dependency issue. I installed pretty much everything onto the box and it started to work but on my cut down server no joy. Finding the missing RPM might be a little bit trickier unless someone could deduce what RPM's absence could cause that error? It's hard cause it may be a dependency for the ipa-client or a dependency of a dependency and so forth!

If you are doing a DNS install for the server, you need bind-dyndb-ldap, which is the LDAP backend for the DNS server.

This was a client side issue (apologies for saying cut down server I meant server in a hardware sense rather than server/client model). But yeah bind-dyndb-ldap is installed on my server.

Charlie

Cheers
Charlie
Re: [Freeipa-users] ipa-client-install errors via kickstart
Charlie Derwent wrote:
On Mon, Jun 27, 2011 at 2:07 PM, Adam Young <ayo...@redhat.com> wrote:
On 06/26/2011 08:35 AM, Charlie Derwent wrote:
On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Charlie Derwent wrote:
On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Charlie Derwent wrote:

Hi

I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message.

root: DEBUG
root: ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL
Failed to verify that ipa.test.net <http://ipa.test.net> is an IPA server
This may mean that the remote server is not up or is not reachable due to network or firewall settings

What version of IPA are you running on the client and server?

Server is running 2.0.0.rc3-0 F14 Client is running 2.0.0.rc3-0 RHEL 5.6 Clients are running 2.0-10.el5_6.1 All the boxes are 64-bit

How are you invoking ipa-client-install? The error message looks a bit odd and I'm not sure if it is a mail client mucking it up or something else (the addition of http://ipa.test.net)

rob

Can you check the 389-ds access log to see if you can see the connection and any errors reported with it?

Nothing in the access.log on the server. The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below).

The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?

Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart.

yeah got the killall -HUP dbus-daemon in there now.

Cheers
Charlie

rob

Figured it out! Well partly... it's a dependency issue. I installed pretty much everything onto the box and it started to work but on my cut down server no joy. Finding the missing RPM might be a little bit trickier unless someone could deduce what RPM's absence could cause that error? It's hard cause it may be a dependency for the ipa-client or a dependency of a dependency and so forth!

If you are doing a DNS install for the server, you need bind-dyndb-ldap, which is the LDAP backend for the DNS server.

This was a client side issue (apologies for saying cut down server I meant server in a hardware sense rather than server/client model). But yeah bind-dyndb-ldap is installed on my server.

A brute force way would be to do rpm -qa list on both installs so we can compare the two and try to find some important difference.

rob
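The `rpm -qa` comparison suggested above, as an added example that is not part of the original thread. It assumes each host's listing was saved to a file with `rpm -qa > file`; the function names and the package names in the sample listings are constructed.

```shell
#!/bin/sh
# Added example: compare two saved `rpm -qa` listings by package name, so that
# differing versions of the same package do not drown out missing packages.

# pkg_names FILE: reduce name-version-release.arch lines to sorted, unique
# names. Version and release never contain "-", so the last two dash-separated
# fields are stripped; names that contain dashes stay intact.
pkg_names() {
    sed -e 's/-[^-]*-[^-]*$//' "$1" | LC_ALL=C sort -u
}

# only_in_first A B: names present in listing A but absent from listing B.
only_in_first() {
    oif_a=$(mktemp); oif_b=$(mktemp)
    pkg_names "$1" > "$oif_a"
    pkg_names "$2" > "$oif_b"
    LC_ALL=C comm -23 "$oif_a" "$oif_b"
    rm -f "$oif_a" "$oif_b"
}

# write_lists DIR: constructed listings (package names are made up).
write_lists() {
    cat > "$1/full.txt" <<'EOF'
example-client-2.0-10.el5.x86_64
example-libs-1.4.2-3.el5.x86_64
example-tls-tools-3.12-4.el5.x86_64
example-base-5.6-1.el5.noarch
EOF
    cat > "$1/minimal.txt" <<'EOF'
example-client-2.0-10.el5.x86_64
example-libs-1.4.1-1.el5.x86_64
example-extra-1.0-1.el5.noarch
example-base-5.6-1.el5.noarch
EOF
}

lists=$(mktemp -d)
write_lists "$lists"
# Packages on the working (full) install that the cut-down install lacks.
only_in_first "$lists/full.txt" "$lists/minimal.txt"
rm -rf "$lists"
```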
Re: [Freeipa-users] ipa-client-install errors via kickstart
On 06/27/2011 11:01 AM, Rob Crittenden wrote: Charlie Derwent wrote: On Mon, Jun 27, 2011 at 2:07 PM, Adam Young ayo...@redhat.com mailto:ayo...@redhat.com wrote: __ On 06/26/2011 08:35 AM, Charlie Derwent wrote: On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Charlie Derwent wrote: On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com mailto:rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Charlie Derwent wrote: Hi I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message. root: DEBUG root: ERRORLDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL Failed to verify that ipa.test.net http://ipa.test.net http://ipa.test.net http://ipa.test.net is an IPA server This may mean that the remote server is not up or is not reachable due to network or firewall settings What version of IPA are you running on the client and server? Server is running 2.0.0.rc3-0 F14 Client is running 2.0.0.rc3-0 RHEL 5.6 Clients are running 2.0-10.el5_6.1 All the boxes are 64-bit How are you invoking ipa-client-install? The error message looks a bit odd and I'm not sure if it is a mail client mucking it up or something else (the addition of http://ipa.test.net) rob Can you check the 389-ds access log to see if you can see the connection and any errors reported with it? Nothing in the access.log on the server. The ipa server is definately up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below). 
The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients? Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart. Yeah, got the killall -HUP dbus-daemon in there now. Cheers Charlie rob Figured it out! Well partly... it's a dependency issue. I installed pretty much everything onto the box and it started to work but on my cut down server no joy. Finding the missing RPM might be a little bit trickier unless someone could deduce what RPM's absence could cause that error? It's hard because it may be a dependency for the ipa-client or a dependency of a dependency and so forth! If you are doing a DNS install for the server, you need bind-dyndb-ldap, which is the LDAP backend for the DNS server. This was a client side issue (apologies for saying cut down server, I meant server in a hardware sense rather than server/client model). But yeah bind-dyndb-ldap is installed on my server. A brute force way would be to do rpm -qa list on both installs so we can compare the two and try to find some important difference. rob Would the client install log report an error if something was missing? /var/log/ipaclient-install.log
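The package-list comparison suggested in the message above, as an added example that is not part of the original thread: it reduces raw `rpm -qa` output saved from two hosts to bare package names and prints the names found only on the first host. The function names, file names and sample package lists are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Collect the input on each host with:
#   rpm -qa | sort > /tmp/$(hostname).rpms

# Reduce name-version-release[.arch] lines to bare package names.
# Version and release never contain '-', so drop the last two '-' fields.
# This keeps hosts with different versions of the same package comparable.
pkg_names() {
    sed -e 's/-[^-]*-[^-]*$//' "$1" | LC_ALL=C sort -u
}

# Print package names present in the first list but absent from the second.
pkgs_only_in() {
    tmpdir=$(mktemp -d) || return 1
    pkg_names "$1" > "$tmpdir/a"
    pkg_names "$2" > "$tmpdir/b"
    LC_ALL=C comm -23 "$tmpdir/a" "$tmpdir/b"
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Constructed sample lists: a full install where enrollment works and a
# cut-down install where it fails. The example-* names are placeholders,
# not the packages involved in the thread.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/working.rpms" <<'EOF'
certmonger-0.30-1.fc14.x86_64
example-helper-lib-1.4.2-7.fc14.x86_64
ipa-client-2.0.0-0.1.rc3.fc14.x86_64
example-tools-3.1-2.fc14.noarch
EOF
    cat > "$d/minimal.rpms" <<'EOF'
certmonger-0.30-2.fc14.x86_64
ipa-client-2.0.0-0.1.rc3.fc14.x86_64
EOF
    pkgs_only_in "$d/working.rpms" "$d/minimal.rpms"
    rm -rf "$d"
}

demo
```

Packages that differ only in version or release (certmonger in the sample) are not reported, so the output is limited to packages that are entirely absent from the second host.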
Re: [Freeipa-users] ipa-client-install errors via kickstart
On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com wrote: Charlie Derwent wrote: Hi I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message. root: DEBUG root: ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL Failed to verify that ipa.test.net http://ipa.test.net is an IPA server This may mean that the remote server is not up or is not reachable due to network or firewall settings What version of IPA are you running on the client and server? Server is running 2.0.0.rc3-0 F14 Client is running 2.0.0.rc3-0 RHEL 5.6 Clients are running 2.0-10.el5_6.1 All the boxes are 64-bit Can you check the 389-ds access log to see if you can see the connection and any errors reported with it? Nothing in the access.log on the server. The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below). The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients? Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart. Yeah, got the killall -HUP dbus-daemon in there now. Cheers Charlie rob
Re: [Freeipa-users] ipa-client-install errors via kickstart
Charlie Derwent wrote: On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com wrote: Charlie Derwent wrote: Hi I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message. root: DEBUG root: ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL Failed to verify that ipa.test.net http://ipa.test.net http://ipa.test.net is an IPA server This may mean that the remote server is not up or is not reachable due to network or firewall settings What version of IPA are you running on the client and server? Server is running 2.0.0.rc3-0 F14 Client is running 2.0.0.rc3-0 RHEL 5.6 Clients are running 2.0-10.el5_6.1 All the boxes are 64-bit How are you invoking ipa-client-install? The error message looks a bit odd and I'm not sure if it is a mail client mucking it up or something else (the addition of http://ipa.test.net) rob Can you check the 389-ds access log to see if you can see the connection and any errors reported with it? Nothing in the access.log on the server. The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below). The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients? Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart. Yeah, got the killall -HUP dbus-daemon in there now. Cheers Charlie rob
Re: [Freeipa-users] ipa-client-install errors via kickstart
On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden rcrit...@redhat.com wrote: Charlie Derwent wrote: On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com wrote: Charlie Derwent wrote: Hi I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message. root: DEBUG root: ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL Failed to verify that ipa.test.net http://ipa.test.net http://ipa.test.net is an IPA server This may mean that the remote server is not up or is not reachable due to network or firewall settings What version of IPA are you running on the client and server? Server is running 2.0.0.rc3-0 F14 Client is running 2.0.0.rc3-0 RHEL 5.6 Clients are running 2.0-10.el5_6.1 All the boxes are 64-bit How are you invoking ipa-client-install? The error message looks a bit odd and I'm not sure if it is a mail client mucking it up or something else (the addition of http://ipa.test.net) rob Yeah, that's a mail client quirk, there was only one http://ipa.test.net in my original email. I'm getting the same error if I run ipa-client-install with no switches or ipa-client-install --server=ipa.test.net --domain=test.net --realm=TEST.NET etc... there are other switches I have in my kickstart scripts but I'm not at the lab right now so I couldn't tell you what they are, suffice to say I'm connecting without any issue if I rekick a rhel or centos build on the exact same server. The really weird thing is I have an older box I built to F14 a few weeks ago and that's been connected for weeks with the exact same client rpm, I just hope I don't have to rebuild it! Is there any way to check if the dependencies between the two builds vary? Charlie Can you check the 389-ds access log to see if you can see the connection and any errors reported with it?
Nothing in the access.log on the server. The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below). The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients? Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart. Yeah, got the killall -HUP dbus-daemon in there now. Cheers Charlie rob
Re: [Freeipa-users] ipa-client-install errors via kickstart
Hi, 2.0 or 1.2? Also ppl who know way more than me always seem to want the logs. ;] regards Steven From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Charlie Derwent [shelltoesupers...@gmail.com] Sent: Wednesday, 22 June 2011 9:44 p.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] ipa-client-install errors via kickstart Hi I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message. root: DEBUG root: ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL Failed to verify that ipa.test.net http://ipa.test.net is an IPA server This may mean that the remote server is not up or is not reachable due to network or firewall settings The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below). The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients? Thanks Charlie
Re: [Freeipa-users] ipa-client-install errors via kickstart
Charlie Derwent wrote: Hi I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message. root: DEBUG root: ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL Failed to verify that ipa.test.net http://ipa.test.net is an IPA server This may mean that the remote server is not up or is not reachable due to network or firewall settings What version of IPA are you running on the client and server? Can you check the 389-ds access log to see if you can see the connection and any errors reported with it? The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below). The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients? Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart. rob