Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
You guys are awesome



# ipa-client-install --enable-dns-updates --mkhomedir --no-ntp
Discovery was successful!
…

Continue to configure the system with these values? [no]: yes
…
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
….
Systemwide CA database updated.
Added CA certificates to the default NSS database.
…
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
….
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.candeal.ca as NIS domain.
Client configuration complete.



Gady



-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: April 20, 2016 4:16 PM
To: Gady Notrica
Cc: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors



On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
>-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin
>
>[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
># Generated by NetworkManager
>search ipa.candeal.ca
>nameserver 172.20.10.40
>nameserver 172.20.10.41

This should be content of /etc/resolv.conf and not domain_realm_ipa_candeal_ca

>[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
>[domain_realm]
>.AD.candeal.ca = AD.CANDEAL.CA
>AD.candeal.ca = AD.CANDEAL.CA
>[capaths]

This should be content of domain_realm_ipa_candeal_ca and not localauth_plugin

Remove both files. It is safe. They will be created by sssd after start.



LS
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
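
The inspection of /var/lib/sss/pubconf/krb5.include.d/ discussed in this thread can be scripted. The following is an added example, not part of the original messages and not FreeIPA or SSSD code: a heuristic check (not the MIT krb5 parser) that flags lines which do not look like krb5.conf syntax. The function names are hypothetical and the sample files are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: heuristic syntax check for krb5.conf include fragments.
# It only recognises the line shapes used in krb5.conf; it is not the
# parser used by libkrb5.

# check_krb5_snippet FILE
# Prints "FILE:LINENO: text" for every line that is not blank, a comment,
# a [section] header, a "name = value" relation, or a closing brace.
# Returns 0 when nothing was flagged, 1 otherwise.
check_krb5_snippet() {
    awk '
        /^[ \t]*$/                    { next }  # blank line
        /^[ \t]*[#;]/                 { next }  # comment
        /^[ \t]*\[[^]]+\][ \t]*$/     { next }  # [section] header
        /^[ \t]*[^= \t][^=]*=/        { next }  # name = value, name = {
        /^[ \t]*[}][ \t]*[*]?[ \t]*$/ { next }  # closing brace
        { printf "%s:%d: %s\n", FILENAME, FNR, $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# scan_krb5_include_dir DIR
# Checks every regular file in DIR. Returns 0 if all files pass, 1 if any
# file contains a flagged line.
scan_krb5_include_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        check_krb5_snippet "$f" || rc=1
    done
    return "$rc"
}

# make_sample_dir
# Builds a temporary directory holding the two files as they were quoted
# in the thread (constructed sample data) and prints its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/domain_realm_ipa_candeal_ca" <<'EOF'
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41
EOF
    cat > "$d/localauth_plugin" <<'EOF'
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]
EOF
    printf '%s\n' "$d"
}

# Demo on the constructed samples. On a real client, pass
# /var/lib/sss/pubconf/krb5.include.d instead.
sample=$(make_sample_dir)
if scan_krb5_include_dir "$sample"; then
    echo "all include files look like krb5.conf fragments"
else
    echo "non-krb5 content found in include files (see lines above)"
fi
rm -rf "$sample"
```

The check is purely syntactic: the sample localauth_plugin passes even though, as noted in the thread, its content belongs in the other file.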

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Lukas Slebodnik
On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>
>-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
>
>-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin
>
>
>
>[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
>
># Generated by NetworkManager
>
>search ipa.candeal.ca
>
>nameserver 172.20.10.40
>
>nameserver 172.20.10.41
This should be content of /etc/resolv.conf and not domain_realm_ipa_candeal_ca

>
>
>
>[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
>
>[domain_realm]
>
>.AD.candeal.ca = AD.CANDEAL.CA
>
>AD.candeal.ca = AD.CANDEAL.CA
>
>[capaths]
>
This should be content of domain_realm_ipa_candeal_ca and not localauth_plugin

Remove both files. It is safe. They will be created by sssd
after start.

LS



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
[root@cd-s-prd-db1 krb5.include.d]# ls -l
-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin

[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41

[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]

[root@cd-s-prd-db1 krb5.include.d]# uname -a
Linux cd-s-prd-db1.ipa.candeal.ca 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

It's Centos 7.



Gady



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 4:04 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors



Ok, Gady sent the complete file out-of-band and the temporary krb5.conf the 
client installer creates looks ok. It does include files from 
/var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files in 
there and if so, what the contents are?



BTW, what distro and release of ipa-client is this?



thanks



rob



Rob Crittenden wrote:

> Gady Notrica wrote:

>> Please find below the krb5.conf. Still has the original content.

>>

>> [root@prddb1]# ipa-client-install

>>

>> Discovery was successful!

>>

>> ...

>>

>> Continue to configure the system with these values? [no]: yes

>>

>> 

>>

>> Kerberos authentication failed: kinit: Improper format of Kerberos

>> configuration file while initializing Kerberos 5 library

>>

>> Installation failed. Rolling back changes.

>>

>> Failed to list certificates in /etc/ipa/nssdb: Command

>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero

>> exit status 255

>>

>> Disabling client Kerberos and LDAP configurations

>>

>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to

>> /etc/sssd/sssd.conf.deleted

>>

>> 

>>

>> Client uninstall complete.

>>

>> [root@prddb1]# cat /etc/krb5.conf

>>

>> [logging]

>>

>> default = FILE:/var/log/krb5libs.log

>>

>> kdc = FILE:/var/log/krb5kdc.log

>>

>> admin_server = FILE:/var/log/kadmind.log

>>

>> [libdefaults]

>>

>> dns_lookup_realm = false

>>

>> ticket_lifetime = 24h

>>

>> renew_lifetime = 7d

>>

>> forwardable = true

>>

>> rdns = false

>>

>> # default_realm = EXAMPLE.COM

>>

>> default_ccache_name = KEYRING:persistent:%{uid}

>>

>> [realms]

>>

>> # EXAMPLE.COM = {

>>

>> #  kdc = kerberos.example.com

>>

>> #  admin_server = kerberos.example.com

>>

>> # }

>>

>> [domain_realm]

>>

>> # .example.com = EXAMPLE.COM

>>

>> # example.com = EXAMPLE.COM

>>

>> [root@prddb1]#

>

> Ok, I agree with the others then, we need to see the full

> ipaclient-install.log. This file looks fine which means the temporary

> one that is configured must be bad in some way. The log will tell how.

>

> rob

>

>>

>> Gady

>>

>> -Original Message-

>> From: Rob Crittenden [mailto:rcrit...@redhat.com]

>> Sent: April 20, 2016 3:14 PM

>> To: Gady Notrica; Martin Basti; freeipa-users@redhat.com

>> Subject: Re: [Freeipa-users] ipa-client-install errors

>>

>> Gady Notrica wrote:

>>

>>  > Thank you guys for your help.

>>

>>  >

>>

>>  > Still can't enroll the client. Any suggestion on the errors below?

>>

>>  >

>>

>>  > /Kerberos authentication failed: kinit: Improper format of

>> Kerberos

>>

>>  > configuration file while initializing Kerberos 5 library/

>>

>> What does /etc/krb5.conf look like?

>>

>>  > Installation failed. Rolling back changes.

>>

>>  >

>>

>>  > /Failed to list certificates in /etc/ipa/nssdb: Command

>>

>>  > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero

>>

>>  > exit status 255/

>>

>> This is unrelated to the enrollment problem.

>>

>> rob

>>

>>  >

>>

>>  > Disabling client Kerberos and LDAP configurations

>>

>>  >

>>

>>  > Gady Notrica

>>

>>  >

>>

>>  > -Original Message-

>>

>>

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
Ok, Gady sent the complete file out-of-band and the temporary krb5.conf 
the client installer creates looks ok. It does include files from 
/var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files 
in there and if so, what the contents are?


BTW, what distro and release of ipa-client is this?

thanks

rob

Rob Crittenden wrote:

Gady Notrica wrote:

Please find below the krb5.conf. Still has the original content.

[root@prddb1]# ipa-client-install

Discovery was successful!

...

Continue to configure the system with these values? [no]: yes



Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255

Disabling client Kerberos and LDAP configurations

Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted



Client uninstall complete.

[root@prddb1]# cat /etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

dns_lookup_realm = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

rdns = false

# default_realm = EXAMPLE.COM

default_ccache_name = KEYRING:persistent:%{uid}

[realms]

# EXAMPLE.COM = {

#  kdc = kerberos.example.com

#  admin_server = kerberos.example.com

# }

[domain_realm]

# .example.com = EXAMPLE.COM

# example.com = EXAMPLE.COM

[root@prddb1]#


Ok, I agree with the others then, we need to see the full
ipaclient-install.log. This file looks fine which means the temporary
one that is configured must be bad in some way. The log will tell how.

rob



Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:

 > Thank you guys for your help.

 >

 > Still can't enroll the client. Any suggestion on the errors below?

 >

 > /Kerberos authentication failed: kinit: Improper format of Kerberos

 > configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

 > Installation failed. Rolling back changes.

 >

 > /Failed to list certificates in /etc/ipa/nssdb: Command

 > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero

 > exit status 255/

This is unrelated to the enrollment problem.

rob

 >

 > Disabling client Kerberos and LDAP configurations

 >

 > Gady Notrica

 >

 > -Original Message-

 > From: freeipa-users-boun...@redhat.com

 > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica

 > Sent: April 20, 2016 2:12 PM

 > To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com

 > Subject: Re: [Freeipa-users] ipa-client-install errors

 >

 > Any specific command in particular to remove that keytab?

 >

 > Since these don't work

 >

 > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab

 > Kerberos context initialization failed

 >

 > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k

 > /etc/krb5.keytab Kerberos context initialization failed

 >

 > [root@cprddb1 /]#

 >

 > Gady

 >

 > -Original Message-

 >

 > From: Rob Crittenden [mailto:rcrit...@redhat.com]

 >

 > Sent: April 20, 2016 1:59 PM

 >

 > To: Martin Basti; Gady Notrica; freeipa-users@redhat.com

 >

 > Subject: Re: [Freeipa-users] ipa-client-install errors

 >

 > Martin Basti wrote:

 >

 >  >

 >

 >  >

 >

 >  > On 20.04.2016 18:00, Gady Notrica wrote:

 >

 >  >>

 >

 >  >> Hello World,

 >

 >  >>

 >

 >  >> I am having these errors trying to install ipa-client-install.

 > Every

 >

 >  >> other machine is fine and the IPA servers are functioning

 > perfectly

 >

 >  >>

 >

 >  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

 >

 >  >>

 >

 >  >> Kerberos authentication failed: kinit: Improper format of Kerberos

 >

 >  >> configuration file while initializing Kerberos 5 library

 >

 >  >>

 >

 >  >> Then I have "/Installation failed. Rolling back changes."/

 >

 >  >>

 >

 >  >> I have tried everything I know with no luck. Any idea on how to

 > FIX

 >

 >  >> this? Below is the full log.


Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Original file attached - no changes to the file

Gady


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: April 20, 2016 3:52 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
> Please find below the krb5.conf. Still has the original content.
>
> [root@prddb1]# ipa-client-install
>
> Discovery was successful!
>
> ...
>
> Continue to configure the system with these values? [no]: yes
>
> 
>
> Kerberos authentication failed: kinit: Improper format of Kerberos 
> configuration file while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
>
> Failed to list certificates in /etc/ipa/nssdb: Command 
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
> exit status 255
>
> Disabling client Kerberos and LDAP configurations
>
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
> /etc/sssd/sssd.conf.deleted
>
> 
>
> Client uninstall complete.
>
> [root@prddb1]# cat /etc/krb5.conf
>
> [logging]
>
> default = FILE:/var/log/krb5libs.log
>
> kdc = FILE:/var/log/krb5kdc.log
>
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>
> dns_lookup_realm = false
>
> ticket_lifetime = 24h
>
> renew_lifetime = 7d
>
> forwardable = true
>
> rdns = false
>
> # default_realm = EXAMPLE.COM
>
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>
> # EXAMPLE.COM = {
>
> #  kdc = kerberos.example.com
>
> #  admin_server = kerberos.example.com
>
> # }
>
> [domain_realm]
>
> # .example.com = EXAMPLE.COM
>
> # example.com = EXAMPLE.COM
>
> [root@prddb1]#

Ok, I agree with the others then, we need to see the full 
ipaclient-install.log. This file looks fine which means the temporary one that 
is configured must be bad in some way. The log will tell how.

rob

>
> Gady
>
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: April 20, 2016 3:14 PM
> To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Gady Notrica wrote:
>
>  > Thank you guys for your help.
>
>  >
>
>  > Still can't enroll the client. Any suggestion on the errors below?
>
>  >
>
>  > /Kerberos authentication failed: kinit: Improper format of Kerberos
>
>  > configuration file while initializing Kerberos 5 library/
>
> What does /etc/krb5.conf look like?
>
>  > Installation failed. Rolling back changes.
>
>  >
>
>  > /Failed to list certificates in /etc/ipa/nssdb: Command
>
>  > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>
>  > exit status 255/
>
> This is unrelated to the enrollment problem.
>
> rob
>
>  >
>
>  > Disabling client Kerberos and LDAP configurations
>
>  >
>
>  > Gady Notrica
>
>  >
>
>  > -Original Message-
>
>  > From: freeipa-users-boun...@redhat.com
>
>  > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
>
>  > Sent: April 20, 2016 2:12 PM
>
>  > To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
>
>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>
>  >
>
>  > Any specific command in particular to remove that keytab?
>
>  >
>
>  > Since these don't work
>
>  >
>
>  > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
>
>  > Kerberos context initialization failed
>
>  >
>
>  > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
>
>  > /etc/krb5.keytab Kerberos context initialization failed
>
>  >
>
>  > [root@cprddb1 /]#
>
>  >
>
>  > Gady
>
>  >
>
>  > -Original Message-
>
>  >
>
>  > From: Rob Crittenden [mailto:rcrit...@redhat.com]
>
>  >
>
>  > Sent: April 20, 2016 1:59 PM
>
>  >
>
>  > To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
>
>  >
>
>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>
>  >
>
>  > Martin Basti wrote:
>
>  >
>
>  >  >
>
>  >
>
>  >  >
>
>  >
>
>  >  > On 20.04.2016 18:00, Gad

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden

Gady Notrica wrote:

Please find below the krb5.conf. Still has the original content.

[root@prddb1]# ipa-client-install

Discovery was successful!

...

Continue to configure the system with these values? [no]: yes



Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255

Disabling client Kerberos and LDAP configurations

Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted



Client uninstall complete.

[root@prddb1]# cat /etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

dns_lookup_realm = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

rdns = false

# default_realm = EXAMPLE.COM

default_ccache_name = KEYRING:persistent:%{uid}

[realms]

# EXAMPLE.COM = {

#  kdc = kerberos.example.com

#  admin_server = kerberos.example.com

# }

[domain_realm]

# .example.com = EXAMPLE.COM

# example.com = EXAMPLE.COM

[root@prddb1]#


Ok, I agree with the others then, we need to see the full 
ipaclient-install.log. This file looks fine which means the temporary 
one that is configured must be bad in some way. The log will tell how.


rob



Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:

 > Thank you guys for your help.

 >

 > Still can't enroll the client. Any suggestion on the errors below?

 >

 > /Kerberos authentication failed: kinit: Improper format of Kerberos

 > configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

 > Installation failed. Rolling back changes.

 >

 > /Failed to list certificates in /etc/ipa/nssdb: Command

 > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero

 > exit status 255/

This is unrelated to the enrollment problem.

rob

 >

 > Disabling client Kerberos and LDAP configurations

 >

 > Gady Notrica

 >

 > -Original Message-

 > From: freeipa-users-boun...@redhat.com

 > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica

 > Sent: April 20, 2016 2:12 PM

 > To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com

 > Subject: Re: [Freeipa-users] ipa-client-install errors

 >

 > Any specific command in particular to remove that keytab?

 >

 > Since these don't work

 >

 > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab

 > Kerberos context initialization failed

 >

 > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k

 > /etc/krb5.keytab Kerberos context initialization failed

 >

 > [root@cprddb1 /]#

 >

 > Gady

 >

 > -Original Message-

 >

 > From: Rob Crittenden [mailto:rcrit...@redhat.com]

 >

 > Sent: April 20, 2016 1:59 PM

 >

 > To: Martin Basti; Gady Notrica; freeipa-users@redhat.com

 >

 > Subject: Re: [Freeipa-users] ipa-client-install errors

 >

 > Martin Basti wrote:

 >

 >  >

 >

 >  >

 >

 >  > On 20.04.2016 18:00, Gady Notrica wrote:

 >

 >  >>

 >

 >  >> Hello World,

 >

 >  >>

 >

 >  >> I am having these errors trying to install ipa-client-install.

 > Every

 >

 >  >> other machine is fine and the IPA servers are functioning

 > perfectly

 >

 >  >>

 >

 >  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

 >

 >  >>

 >

 >  >> Kerberos authentication failed: kinit: Improper format of Kerberos

 >

 >  >> configuration file while initializing Kerberos 5 library

 >

 >  >>

 >

 >  >> Then I have "/Installation failed. Rolling back changes."/

 >

 >  >>

 >

 >  >> I have tried everything I know with no luck. Any idea on how to

 > FIX

 >

 >  >> this? Below is the full log.

 >

 >  >>

 >

 >  >> ---

 >

 >  >>

 >

 >  >> /Continue to configure the system with these values? [no]: yes/

 >

 >  >>

 >

 >  >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/

 >

 >  >>

 >

 >

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find below the krb5.conf. Still has the original content.



[root@prddb1]# ipa-client-install

Discovery was successful!

...

Continue to configure the system with these values? [no]: yes



Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library



Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255

Disabling client Kerberos and LDAP configurations

Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted



Client uninstall complete.



[root@prddb1]# cat /etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log



[libdefaults]

dns_lookup_realm = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

rdns = false

# default_realm = EXAMPLE.COM

default_ccache_name = KEYRING:persistent:%{uid}



[realms]

# EXAMPLE.COM = {

#  kdc = kerberos.example.com

#  admin_server = kerberos.example.com

# }



[domain_realm]

# .example.com = EXAMPLE.COM

# example.com = EXAMPLE.COM

[root@prddb1]#



Gady



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors



Gady Notrica wrote:

> Thank you guys for your help.

>

> Still can't enroll the client. Any suggestion on the errors below?

>

> /Kerberos authentication failed: kinit: Improper format of Kerberos

> configuration file while initializing Kerberos 5 library/



What does /etc/krb5.conf look like?



> Installation failed. Rolling back changes.

>

> /Failed to list certificates in /etc/ipa/nssdb: Command

> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero

> exit status 255/



This is unrelated to the enrollment problem.



rob



>

> Disabling client Kerberos and LDAP configurations

>

> Gady Notrica

>

> -Original Message-

> From: freeipa-users-boun...@redhat.com

> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica

> Sent: April 20, 2016 2:12 PM

> To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com

> Subject: Re: [Freeipa-users] ipa-client-install errors

>

> Any specific command in particular to remove that keytab?

>

> Since these don't work

>

> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab

> Kerberos context initialization failed

>

> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k

> /etc/krb5.keytab Kerberos context initialization failed

>

> [root@cprddb1 /]#

>

> Gady

>

> -Original Message-

>

> From: Rob Crittenden [mailto:rcrit...@redhat.com]

>

> Sent: April 20, 2016 1:59 PM

>

> To: Martin Basti; Gady Notrica; freeipa-users@redhat.com

>

> Subject: Re: [Freeipa-users] ipa-client-install errors

>

> Martin Basti wrote:

>

>  >

>

>  >

>

>  > On 20.04.2016 18:00, Gady Notrica wrote:

>

>  >>

>

>  >> Hello World,

>

>  >>

>

>  >> I am having these errors trying to install ipa-client-install.

> Every

>

>  >> other machine is fine and the IPA servers are functioning

> perfectly

>

>  >>

>

>  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

>

>  >>

>

>  >> Kerberos authentication failed: kinit: Improper format of Kerberos

>

>  >> configuration file while initializing Kerberos 5 library

>

>  >>

>

>  >> Then I have "/Installation failed. Rolling back changes."/

>

>  >>

>

>  >> I have tried everything I know with no luck. Any idea on how to

> FIX

>

>  >> this? Below is the full log.

>

>  >>

>

>  >> ---

>

>  >>

>

>  >> /Continue to configure the system with these values? [no]: yes/

>

>  >>

>

>  >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/

>

>  >>

>

>  >> /Skipping synchronizing time with NTP server./

>

>  >>

>

>  >> /User authorized to enroll computers: admin/

>

>  >>

>

>  >> /Password for ad...@ipa.domain.com:/

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden

Gady Notrica wrote:

Thank you guys for your help.

Still can't enroll the client. Any suggestion on the errors below?

/Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library/


What does /etc/krb5.conf look like?


Installation failed. Rolling back changes.

/Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255/


This is unrelated to the enrollment problem.

rob



Disabling client Kerberos and LDAP configurations

Gady Notrica

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Any specific command in particular to remove that keytab?

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed

[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
/etc/krb5.keytab Kerberos context initialization failed

[root@cprddb1 /]#

Gady

-Original Message-

From: Rob Crittenden [mailto:rcrit...@redhat.com]

Sent: April 20, 2016 1:59 PM

To: Martin Basti; Gady Notrica; freeipa-users@redhat.com

Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:

 >

 >

 > On 20.04.2016 18:00, Gady Notrica wrote:

 >>

 >> Hello World,

 >>

 >> I am having these errors trying to install ipa-client-install. Every

 >> other machine is fine and the IPA servers are functioning perfectly

 >>

 >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

 >>

 >> Kerberos authentication failed: kinit: Improper format of Kerberos

 >> configuration file while initializing Kerberos 5 library

 >>

 >> Then I have "/Installation failed. Rolling back changes."/

 >>

 >> I have tried everything I know with no luck. Any idea on how to FIX

 >> this? Below is the full log.

 >>

 >> ---

 >>

 >> /Continue to configure the system with these values? [no]: yes/

 >>

 >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/

 >>

 >> /Skipping synchronizing time with NTP server./

 >>

 >> /User authorized to enroll computers: admin/

 >>

 >> /Password for ad...@ipa.domain.com:/

 >>

 >> /Please make sure the following ports are opened in the firewall

 >> settings:/

 >>

 >> /TCP: 80, 88, 389/

 >>

 >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/

 >>

 >> /Also note that following ports are necessary for ipa-client working

 >> properly after enrollment:/

 >>

 >> /TCP: 464/

 >>

 >> /UDP: 464, 123 (if NTP enabled)/

 >>

 >> /Kerberos authentication failed: kinit: Improper format of Kerberos

 >> configuration file while initializing Kerberos 5 library/

 >>

 >> //

 >>

 >> /Installation failed. Rolling back changes./

 >>

 >> /Failed to list certificates in /etc/ipa/nssdb: Command

 >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero

 >> exit status 255/

 >>

 >> /Disabling client Kerberos and LDAP configurations/

 >>

 >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to

 >> /etc/sssd/sssd.conf.deleted/

 >>

 >> /Restoring client configuration files/

 >>

 >> /nscd daemon is not installed, skip configuration/

 >>

 >> /nslcd daemon is not installed, skip configuration/

 >>

 >> /Client uninstall complete./

 >>

 >> /---/

 >>

 >> Gady

 >>

 >>

 >>

 > Hello,

 >

 > IMO you have an old invalid keytab on that machine. Can you manually

 > remove it and try to reinstall client? (Of course only if you are sure

 > that keytab there is not needed)

 >

 > The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you guys for your help.



Still can't enroll the client. Any suggestion on the errors below?



Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library



Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255

Disabling client Kerberos and LDAP configurations



Gady Notrica



-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors



Any specific command in particular to remove that keytab?



Since these don't work



[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab Kerberos 
context initialization failed

[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab 
Kerberos context initialization failed

[root@cprddb1 /]#



Gady





-Original Message-

From: Rob Crittenden [mailto:rcrit...@redhat.com]

Sent: April 20, 2016 1:59 PM

To: Martin Basti; Gady Notrica; freeipa-users@redhat.com

Subject: Re: [Freeipa-users] ipa-client-install errors



Martin Basti wrote:

>

>

> On 20.04.2016 18:00, Gady Notrica wrote:

>>

>> Hello World,

>>

>> I am having these errors trying to install ipa-client-install. Every

>> other machine is fine and the IPA servers are functioning perfectly

>>

>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

>>

>> Kerberos authentication failed: kinit: Improper format of Kerberos

>> configuration file while initializing Kerberos 5 library

>>

>> Then I have "/Installation failed. Rolling back changes."/

>>

>> I have tried everything I know with no luck. Any idea on how to FIX

>> this? Below is the full log.

>>

>> ---

>>

>> /Continue to configure the system with these values? [no]: yes/

>>

>> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/

>>

>> /Skipping synchronizing time with NTP server./

>>

>> /User authorized to enroll computers: admin/

>>

>> /Password for ad...@ipa.domain.com:/

>>

>> /Please make sure the following ports are opened in the firewall

>> settings:/

>>

>> /TCP: 80, 88, 389/

>>

>> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/

>>

>> /Also note that following ports are necessary for ipa-client working

>> properly after enrollment:/

>>

>> /TCP: 464/

>>

>> /UDP: 464, 123 (if NTP enabled)/

>>

>> /Kerberos authentication failed: kinit: Improper format of Kerberos

>> configuration file while initializing Kerberos 5 library/

>>

>> //

>>

>> /Installation failed. Rolling back changes./

>>

>> /Failed to list certificates in /etc/ipa/nssdb: Command

>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero

>> exit status 255/

>>

>> /Disabling client Kerberos and LDAP configurations/

>>

>> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to

>> /etc/sssd/sssd.conf.deleted/

>>

>> /Restoring client configuration files/

>>

>> /nscd daemon is not installed, skip configuration/

>>

>> /nslcd daemon is not installed, skip configuration/

>>

>> /Client uninstall complete./

>>

>> /---/

>>

>> Gady

>>

>>

>>

> Hello,

>

> IMO you have an old invalid keytab on that machine. Can you manually

> remove it and try to reinstall client? (Of course only if you are sure

> that keytab there is not needed)

>

> The keytab should be located here /etc/krb5.keytab



That or /etc/krb5.conf is messed up in some way.



rob





--

Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users

Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Natxo Asenjo
hi Gady,

On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica  wrote:

> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
> /etc/krb5.keytab
> Kerberos context initialization failed


I think that you just need to rm /etc/krb5.keytab and remove the host
object in the web interface if it exists.

-- 
groet,
natxo

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Any specific command in particular to remove that keytab? 

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed
[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
Kerberos context initialization failed
[root@cprddb1 /]#

Gady


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
>
>
> On 20.04.2016 18:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every 
>> other machine is fine and the IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos 
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "/Installation failed. Rolling back changes."/
>>
>> I have tried everything I know with no luck. Any idea on how to FIX 
>> this? Below is the full log.
>>
>> ---
>>
>> /Continue to configure the system with these values? [no]: yes/
>>
>> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>>
>> /Skipping synchronizing time with NTP server./
>>
>> /User authorized to enroll computers: admin/
>>
>> /Password for ad...@ipa.domain.com:/
>>
>> /Please make sure the following ports are opened in the firewall 
>> settings:/
>>
>> /TCP: 80, 88, 389/
>>
>> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>>
>> /Also note that following ports are necessary for ipa-client working 
>> properly after enrollment:/
>>
>> /TCP: 464/
>>
>> /UDP: 464, 123 (if NTP enabled)/
>>
>> /Kerberos authentication failed: kinit: Improper format of Kerberos 
>> configuration file while initializing Kerberos 5 library/
>>
>> //
>>
>> /Installation failed. Rolling back changes./
>>
>> /Failed to list certificates in /etc/ipa/nssdb: Command 
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
>> exit status 255/
>>
>> /Disabling client Kerberos and LDAP configurations/
>>
>> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
>> /etc/sssd/sssd.conf.deleted/
>>
>> /Restoring client configuration files/
>>
>> /nscd daemon is not installed, skip configuration/
>>
>> /nslcd daemon is not installed, skip configuration/
>>
>> /Client uninstall complete./
>>
>> /---/
>>
>> Gady
>>
>>
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually 
> remove it and try to reinstall client? (Of course only if you are sure 
> that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob




Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden

Martin Basti wrote:



On 20.04.2016 18:00, Gady Notrica wrote:


Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have “/Installation failed. Rolling back changes.”/

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

/Continue to configure the system with these values? [no]: yes/

/Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/

/Skipping synchronizing time with NTP server./

/User authorized to enroll computers: admin/

/Password for ad...@ipa.domain.com:/

/Please make sure the following ports are opened in the firewall
settings:/

/TCP: 80, 88, 389/

/UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/

/Also note that following ports are necessary for ipa-client working
properly after enrollment:/

/TCP: 464/

/UDP: 464, 123 (if NTP enabled)/

/Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library/

//

/Installation failed. Rolling back changes./

/Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
exit status 255/

/Disabling client Kerberos and LDAP configurations/

/Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted/

/Restoring client configuration files/

/nscd daemon is not installed, skip configuration/

/nslcd daemon is not installed, skip configuration/

/Client uninstall complete./

/---/

Gady




Hello,

IMO you have an old invalid keytab on that machine. Can you manually
remove it and try to reinstall client? (Of course only if you are sure
that keytab there is not needed)

The keytab should be located here /etc/krb5.keytab


That or /etc/krb5.conf is messed up in some way.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
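
The "Improper format of Kerberos configuration file" error in this thread, and Rob's remark that /etc/krb5.conf may be malformed, point at a file libkrb5 cannot parse. The following is an added example, not part of any post and not FreeIPA or MIT krb5 code: it checks a krb5.conf and the files it pulls in via include/includedir against the basic profile rules from krb5.conf(5) (section headers, key = value relations, brace nesting). The function names and the sample files in demo() are constructed for illustration.

```python
"""Check krb5.conf and the files it includes for basic profile-syntax errors."""
import os
import re
import tempfile

SECTION = re.compile(r"^\[[^\]]+\]\*?$")             # [libdefaults], [realms]*
INCLUDE = re.compile(r"^(include|includedir)\s+(\S+)$")
# krb5.conf(5): includedir reads files named with alphanumerics, dashes and
# underscores; releases from 1.15 on also read non-hidden "*.conf" files.
DIR_ENTRY = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")


def lint_text(text, name="<string>"):
    """Return (name, line_number, problem) for each line that breaks the syntax."""
    problems, in_section, depth, no = [], False, 0, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":                # blank line or comment
            continue
        if INCLUDE.match(line) or line.startswith("module "):
            continue
        if line[0] == "[":
            if not SECTION.match(line):
                problems.append((name, no, "malformed section header"))
            elif depth:
                problems.append((name, no, "section header inside unclosed '{'"))
            in_section, depth = True, 0
            continue
        if line in ("}", "}*"):
            if depth == 0:
                problems.append((name, no, "'}' without matching '{'"))
            depth = max(depth - 1, 0)
            continue
        key, eq, value = line.partition("=")
        if not eq or not key.strip():
            problems.append((name, no, "not a 'key = value' relation"))
        elif not in_section:
            # Included files are parsed independently of their parent, so each
            # one has to open its own [section] before any relation.
            problems.append((name, no, "relation before any [section]"))
        elif value.strip() == "{":
            depth += 1
    if depth:
        problems.append((name, no, "unclosed '{'"))
    return problems


def lint_tree(path, seen=None):
    """Lint path, then every file reachable through include / includedir."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                                   # guard against include loops
        return []
    seen.add(real)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return [(path, 0, "cannot read: %s" % exc.strerror)]
    problems = lint_text(text, path)
    for line in text.splitlines():
        m = INCLUDE.match(line.strip())
        if not m:
            continue
        kind, target = m.groups()
        if kind == "include":
            problems += lint_tree(target, seen)
        elif os.path.isdir(target):
            for entry in sorted(os.listdir(target)):
                if DIR_ENTRY.match(entry):
                    problems += lint_tree(os.path.join(target, entry), seen)
    return problems


def demo():
    """Constructed sample: one include file holds resolv.conf-style content."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = os.path.join(tmp, "krb5.include.d")
        os.mkdir(inc)
        files = {
            os.path.join(inc, "domain_realm_ipa_example_test"):
                "# Generated by NetworkManager\n"
                "search ipa.example.test\nnameserver 192.0.2.40\n",
            os.path.join(inc, "localauth_plugin"):
                "[domain_realm]\n.ad.example.test = AD.EXAMPLE.TEST\n",
            os.path.join(tmp, "krb5.conf"):
                "includedir %s\n\n[libdefaults]\n"
                "  default_realm = IPA.EXAMPLE.TEST\n" % inc,
        }
        for path, body in files.items():
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        found = lint_tree(os.path.join(tmp, "krb5.conf"))
        return [(os.path.basename(n), no, msg) for n, no, msg in found]


if __name__ == "__main__":
    for name, no, msg in demo():
        print("%s:%d: %s" % (name, no, msg))
```

On a real host, call lint_tree("/etc/krb5.conf") as a user who can read the included directories; an empty list means none of these basic rules were violated, not that libkrb5 will accept every value.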


Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you Martin, I have tried many different ways. I can't seem to be able to 
remove anything in the file.

Gady

From: Martin Basti [mailto:mba...@redhat.com]
Sent: April 20, 2016 12:50 PM
To: Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors


On 20.04.2016 18:00, Gady Notrica wrote:
Hello World,

I am having these errors trying to install ipa-client-install. Every other 
machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below 
is the full log.
---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---
Gady


Hello,

IMO you have an old invalid keytab on that machine. Can you manually remove it 
and try to reinstall client? (Of course only if you are sure that keytab there 
is not needed)

The keytab should be located here /etc/krb5.keytab

Martin

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky

On 04/20/2016 07:12 PM, Gady Notrica wrote:

Please find attached the install log

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have "/Installation failed. Rolling back changes."/

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

/Continue to configure the system with these values? [no]: yes/

/Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/

/Skipping synchronizing time with NTP server./

/User authorized to enroll computers: admin/

/Password for ad...@ipa.domain.com:/

/Please make sure the following ports are opened in the firewall
settings:/

/ TCP: 80, 88, 389/

/ UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/

/Also note that following ports are necessary for ipa-client working
properly after enrollment:/

/ TCP: 464/

/ UDP: 464, 123 (if NTP enabled)/

/Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library/

//

/Installation failed. Rolling back changes./

/Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
exit status 255/

/Disabling client Kerberos and LDAP configurations/

/Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted/

/Restoring client configuration files/

/nscd daemon is not installed, skip configuration/

/nslcd daemon is not installed, skip configuration/

/Client uninstall complete./

/---/

Gady




We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky


It looks like the log is truncated. Are you sure that this is the full 
version?


--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find attached the install log

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:
> Hello World,
>
> I am having these errors trying to install ipa-client-install. Every 
> other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos 
> configuration file while initializing Kerberos 5 library
>
> Then I have "/Installation failed. Rolling back changes."/
>
> I have tried everything I know with no luck. Any idea on how to FIX 
> this? Below is the full log.
>
> ---
>
> /Continue to configure the system with these values? [no]: yes/
>
> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>
> /Skipping synchronizing time with NTP server./
>
> /User authorized to enroll computers: admin/
>
> /Password for ad...@ipa.domain.com:/
>
> /Please make sure the following ports are opened in the firewall 
> settings:/
>
> / TCP: 80, 88, 389/
>
> / UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>
> /Also note that following ports are necessary for ipa-client working 
> properly after enrollment:/
>
> / TCP: 464/
>
> / UDP: 464, 123 (if NTP enabled)/
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos 
> configuration file while initializing Kerberos 5 library/
>
> //
>
> /Installation failed. Rolling back changes./
>
> /Failed to list certificates in /etc/ipa/nssdb: Command 
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
> exit status 255/
>
> /Disabling client Kerberos and LDAP configurations/
>
> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
> /etc/sssd/sssd.conf.deleted/
>
> /Restoring client configuration files/
>
> /nscd daemon is not installed, skip configuration/
>
> /nslcd daemon is not installed, skip configuration/
>
> /Client uninstall complete./
>
> /---/
>
> Gady
>
>
>
We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky

# cat /var/log/ipaclient-install.log
2016-04-20T16:04:34Z DEBUG /usr/sbin/ipa-client-install was invoked with 
options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 
'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': 
None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': 
False, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 
'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': 
'cd-s-prd-db1.ipa.domain.com', 'request_cert': False, 'trust_sshfp': False, 
'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': 
None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': 
True, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': 
None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': 
False, 'preserve_sssd': True, 'mkhomedir': True, 'uninstall': False}
2016-04-20T16:04:34Z DEBUG missing options might be asked for interactively 
later
2016-04-20T16:04:34Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1
2016-04-20T16:04:34Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-04-20T16:04:34Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-04-20T16:04:34Z DEBUG [IPA Discovery]
2016-04-20T16:04:34Z DEBUG Starting IPA discovery with domain=None, 
servers=None, hostname=cd-s-prd-db1.ipa.domain.com
2016-04-20T16:04:34Z DEBUG Start searching for LDAP SRV record in 
"ipa.domain.com" (domain of the hostname) and its sub-domains
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of 
_ldap._tcp.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa1.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa2.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG [Kerberos realm search]
2016-04-20T16:04:34Z DEBUG Search DNS for TXT record of _kerberos.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: "IPA.domain.com"
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of 
_kerberos._udp.ipa.domain.com
2016-04-20T16:04:34Z DEB

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky

On 04/20/2016 06:00 PM, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have “/Installation failed. Rolling back changes.”/

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

/Continue to configure the system with these values? [no]: yes/

/Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/

/Skipping synchronizing time with NTP server./

/User authorized to enroll computers: admin/

/Password for ad...@ipa.domain.com:/

/Please make sure the following ports are opened in the firewall settings:/

/ TCP: 80, 88, 389/

/ UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/

/Also note that following ports are necessary for ipa-client working
properly after enrollment:/

/ TCP: 464/

/ UDP: 464, 123 (if NTP enabled)/

/Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library/

//

/Installation failed. Rolling back changes./

/Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255/

/Disabling client Kerberos and LDAP configurations/

/Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted/

/Restoring client configuration files/

/nscd daemon is not installed, skip configuration/

/nslcd daemon is not installed, skip configuration/

/Client uninstall complete./

/---/

Gady



We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'


--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Basti



On 20.04.2016 18:00, Gady Notrica wrote:


Hello World,

I am having these errors trying to install ipa-client-install. Every 
other machine is fine and the IPA servers are functioning perfectly


Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library


Then I have “/Installation failed. Rolling back changes.”/

I have tried everything I know with no luck. Any idea on how to FIX 
this? Below is the full log.


---

/Continue to configure the system with these values? [no]: yes/

/Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/

/Skipping synchronizing time with NTP server./

/User authorized to enroll computers: admin/

/Password for ad...@ipa.domain.com:/

/Please make sure the following ports are opened in the firewall 
settings:/


/TCP: 80, 88, 389/

/UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/

/Also note that following ports are necessary for ipa-client working 
properly after enrollment:/


/TCP: 464/

/UDP: 464, 123 (if NTP enabled)/

/Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library/


//

/Installation failed. Rolling back changes./

/Failed to list certificates in /etc/ipa/nssdb: Command 
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
exit status 255/


/Disabling client Kerberos and LDAP configurations/

/Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted/


/Restoring client configuration files/

/nscd daemon is not installed, skip configuration/

/nslcd daemon is not installed, skip configuration/

/Client uninstall complete./

/---/

Gady




Hello,

IMO you have an old invalid keytab on that machine. Can you manually 
remove it and try to reinstall client? (Of course only if you are sure 
that keytab there is not needed)


The keytab should be located here /etc/krb5.keytab

Martin

[Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Hello World,

I am having these errors trying to install ipa-client-install. Every other 
machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below 
is the full log.
---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---
Gady

Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-27 Thread Adam Young

On 06/26/2011 08:35 AM, Charlie Derwent wrote:



On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden rcrit...@redhat.com 
mailto:rcrit...@redhat.com wrote:


Charlie Derwent wrote:



On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden
rcrit...@redhat.com mailto:rcrit...@redhat.com
mailto:rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:

   Charlie Derwent wrote:

   Hi

   I'm running FreeIPA server on F14 and connecting to a F14
   client. When I
   run ipa-client-install (via kickstart or after the
client has
   installed)
   I'm getting the following error message.

   root: DEBUG
   root: ERRORLDAP Error: Connect error: Start
TLS request
   accepted. Server willing to negotiate SSL
   Failed to verify that ipa.test.net
http://ipa.test.net http://ipa.test.net
http://ipa.test.net is an IPA server

   This may mean that the remote server is not up or is not
   reachable due
   to network or firewall settings


   What version of IPA are you running on the client and server?

Server is running 2.0.0.rc3-0
F14 Client is running  2.0.0.rc3-0
RHEL 5.6 Clients are running 2.0-10.el5_6.1
All the boxes are 64-bit


How are you invoking ipa-client-install? The error message looks a
bit odd and I'm not sure if it is a mail client mucking it up or
something else (the addition of http://ipa.test.net)

rob



   Can you check the 389-ds access log to see if you can see the
   connection and any errors reported with it?

 Nothing in the access.log on the server.




   The ipa server is definitely up and running, it's still
   authenticating
   other servers in the network and when I rebuild the
client with
   rhel or
   centos it can enroll (almost) without issue (see below).

   The second issue was this certmonger related bug where
   certmonger fails
   to start on new install
   (https://bugzilla.redhat.com/__show_bug.cgi?id=636894
https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it
   resolved in
   Red Hat 5 as I think I'm experiencing the issue with my
RH5u6 clients?


   Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix
is to
   restart messagebus after installing certmonger. Should be
easy to do
   in a kickstart.


yeah got the killall -HUP dbus-daemon in there now.

Cheers
Charlie


   rob




Figured it out! Well partly... it's a dependency issue. I installed 
pretty much everything onto the box and it started to work but on my 
cut down server no joy. Finding the missing RPM might be a little bit 
more trickier unless someone could deduce what RPM's absence could 
cause that error?


It's hard cause it may be a dependency for the ipa-client or a 
dependency of a dependency and so forth!



If you are doing a DNS install for the server, you need  
bind-dyndb-ldap, which is the LDAP backend for the DNS server.





Cheers
Charlie


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-27 Thread Charlie Derwent
On Mon, Jun 27, 2011 at 2:07 PM, Adam Young ayo...@redhat.com wrote:

 **
 On 06/26/2011 08:35 AM, Charlie Derwent wrote:



 On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden rcrit...@redhat.comwrote:

 Charlie Derwent wrote:



 On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com
  mailto:rcrit...@redhat.com wrote:

Charlie Derwent wrote:

Hi

I'm running FreeIPA server on F14 and connecting to a F14
client. When I
run ipa-client-install (via kickstart or after the client has
installed)
I'm getting the following error message.

root: DEBUG
root: ERRORLDAP Error: Connect error: Start TLS
 request
accepted. Server willing to negotiate SSL
Failed to verify that ipa.test.net http://ipa.test.net
http://ipa.test.net is an IPA server

This may mean that the remote server is not up or is not
reachable due
to network or firewall settings


What version of IPA are you running on the client and server?

 Server is running 2.0.0.rc3-0
 F14 Client is running  2.0.0.rc3-0
 RHEL 5.6 Clients are running 2.0-10.el5_6.1
 All the boxes are 64-bit


 How are you invoking ipa-client-install? The error message looks a bit odd
 and I'm not sure if it is a mail client mucking it up or something else (the
 addition of http://ipa.test.net)

 rob



Can you check the 389-ds access log to see if you can see the
connection and any errors reported with it?

  Nothing in the access.log on the server.




The ipa server is definitely up and running, it's still
authenticating
other servers in the network and when I rebuild the client with
rhel or
centos it can enroll (almost) without issue (see below).

The second issue was this certmonger related bug where
certmonger fails
to start on new install
(https://bugzilla.redhat.com/__show_bug.cgi?id=636894
https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it
resolved in
Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?


Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
restart messagebus after installing certmonger. Should be easy to do
in a kickstart.


 yeah got the killall -HUP dbus-daemon in there now.

 Cheers
 Charlie


rob




 Figured it out! Well partly... it's a dependency issue. I installed pretty
 much everything onto the box and it started to work but on my cut down
 server no joy. Finding the missing RPM might be a little bit more trickier
 unless someone could deduce what RPM's absence could cause that error?

 It's hard cause it may be a dependency for the ipa-client or a dependency
 of a dependency and so forth!


 If you are doing a DNS install for the server, you need  bind-dyndb-ldap,
 which is the LDAP backend for the DNS server.


This was a client side issue (apologies for saying cut down server I meant
server in a hardware sense rather than server/client model). But yeah
bind-dyndb-ldap is installed on my server.

Charlie


 Cheers
 Charlie




Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-27 Thread Rob Crittenden

Charlie Derwent wrote:



On Mon, Jun 27, 2011 at 2:07 PM, Adam Young ayo...@redhat.com
mailto:ayo...@redhat.com wrote:

__
On 06/26/2011 08:35 AM, Charlie Derwent wrote:



On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden
rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:

Charlie Derwent wrote:



On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden
rcrit...@redhat.com mailto:rcrit...@redhat.com
mailto:rcrit...@redhat.com mailto:rcrit...@redhat.com
wrote:

   Charlie Derwent wrote:

   Hi

   I'm running FreeIPA server on F14 and connecting to
a F14
   client. When I
   run ipa-client-install (via kickstart or after the
client has
   installed)
   I'm getting the following error message.

   root: DEBUG
   root: ERRORLDAP Error: Connect error:
Start TLS request
   accepted. Server willing to negotiate SSL
   Failed to verify that ipa.test.net
http://ipa.test.net http://ipa.test.net
http://ipa.test.net is an IPA server

   This may mean that the remote server is not up or
is not
   reachable due
   to network or firewall settings


   What version of IPA are you running on the client and
server?

Server is running 2.0.0.rc3-0
F14 Client is running  2.0.0.rc3-0
RHEL 5.6 Clients are running 2.0-10.el5_6.1
All the boxes are 64-bit


How are you invoking ipa-client-install? The error message
looks a bit odd and I'm not sure if it is a mail client
mucking it up or something else (the addition of
http://ipa.test.net)

rob



   Can you check the 389-ds access log to see if you can see the
   connection and any errors reported with it?

 Nothing in the access.log on the server.




   The ipa server is definitely up and running, it's still authenticating
   other servers in the network and when I rebuild the client with rhel or
   centos it can enroll (almost) without issue (see below).

   The second issue was this certmonger related bug where certmonger fails
   to start on new install
   (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in
   Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?


   Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
   restart messagebus after installing certmonger. Should be easy to do
   in a kickstart.


yeah got the killall -HUP dbus-daemon in there now.

Cheers
Charlie


   rob




Figured it out! Well partly... it's a dependency issue. I
installed pretty much everything onto the box and it started to
work but on my cut down server no joy. Finding the missing RPM
might be a little bit trickier unless someone could deduce
what RPM's absence could cause that error?

It's hard cause it may be a dependency for the ipa-client or a
dependency of a dependency and so forth!


If you are doing a DNS install for the server, you need
bind-dyndb-ldap, which is the LDAP backend for the DNS server.


This was a client side issue (apologies for saying cut down server, I
meant server in a hardware sense rather than server/client model). But
yeah bind-dyndb-ldap is installed on my server.



A brute force way would be to do rpm -qa  list on both installs so we 
can compare the two and try to find some important difference.


rob
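
The package-list comparison suggested above, as an added example that is not part of the original thread. The function name `pkg_diff`, the file names and the sample package names and versions are assumptions constructed for illustration; on real hosts the lists come from the `rpm -qa` query shown in the comment.

```shell
#!/bin/sh
# Added example (not from the thread): diff the installed-package sets of a
# working client and a failing one to find a missing or older dependency.
#
# On each real host, capture one "name.arch version-release" line per package:
#   rpm -qa --qf '%{NAME}.%{ARCH} %{VERSION}-%{RELEASE}\n' > "$(hostname -s).pkgs"

# pkg_diff WORKING FAILING
#   MISSING <pkg> <ver>          package on the working host only
#   VERSION <pkg> <ver> <ver>    package on both hosts, versions differ
pkg_diff() {
    awk '
        side == "ref" { ref[$1] = $2; next }   # working host
        { cur[$1] = $2 }                       # failing host
        END {
            for (p in ref) {
                if (!(p in cur))           print "MISSING", p, ref[p]
                else if (cur[p] != ref[p]) print "VERSION", p, ref[p], cur[p]
            }
        }' side=ref "$1" side=cur "$2" | LC_ALL=C sort
}

# Constructed sample data; package names and versions are illustrative only.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/working.pkgs" <<'EOF'
glibc.x86_64 2.13-1
ipa-client.x86_64 2.0.0-1
openldap.x86_64 2.4.23-4
example-tls-lib.x86_64 1.0-1
EOF
    cat > "$dir/failing.pkgs" <<'EOF'
glibc.x86_64 2.13-1
ipa-client.x86_64 2.0.0-1
openldap.x86_64 2.4.23-2
EOF
    pkg_diff "$dir/working.pkgs" "$dir/failing.pkgs"
    rm -rf "$dir"
}

demo
```

Packages reported as MISSING are the first candidates to install on the failing client before re-running ipa-client-install; VERSION lines show where the two builds pulled different package versions.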



Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-27 Thread Adam Young

On 06/27/2011 11:01 AM, Rob Crittenden wrote:

Charlie Derwent wrote:



On Mon, Jun 27, 2011 at 2:07 PM, Adam Young ayo...@redhat.com wrote:

On 06/26/2011 08:35 AM, Charlie Derwent wrote:



On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden rcrit...@redhat.com wrote:

Charlie Derwent wrote:



On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com wrote:

   Charlie Derwent wrote:

   Hi

   I'm running FreeIPA server on F14 and connecting to a F14 client. When I
   run ipa-client-install (via kickstart or after the client has installed)
   I'm getting the following error message.

   root: DEBUG
   root: ERROR LDAP Error: Connect error: Start TLS request
   accepted. Server willing to negotiate SSL
   Failed to verify that ipa.test.net http://ipa.test.net http://ipa.test.net
   http://ipa.test.net is an IPA server

   This may mean that the remote server is not up or is not reachable due
   to network or firewall settings


   What version of IPA are you running on the client and server?

Server is running 2.0.0.rc3-0
F14 Client is running  2.0.0.rc3-0
RHEL 5.6 Clients are running 2.0-10.el5_6.1
All the boxes are 64-bit


How are you invoking ipa-client-install? The error message
looks a bit odd and I'm not sure if it is a mail client
mucking it up or something else (the addition of
http://ipa.test.net)

rob



   Can you check the 389-ds access log to see if you can see the
   connection and any errors reported with it?

 Nothing in the access.log on the server.




   The ipa server is definitely up and running, it's still authenticating
   other servers in the network and when I rebuild the client with rhel or
   centos it can enroll (almost) without issue (see below).

   The second issue was this certmonger related bug where certmonger fails
   to start on new install
   (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in
   Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?


   Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
   restart messagebus after installing certmonger. Should be easy to do
   in a kickstart.


yeah got the killall -HUP dbus-daemon in there now.

Cheers
Charlie


   rob




Figured it out! Well partly... it's a dependency issue. I
installed pretty much everything onto the box and it started to
work but on my cut down server no joy. Finding the missing RPM
might be a little bit trickier unless someone could deduce
what RPM's absence could cause that error?

It's hard cause it may be a dependency for the ipa-client or a
dependency of a dependency and so forth!


If you are doing a DNS install for the server, you need
bind-dyndb-ldap, which is the LDAP backend for the DNS server.


This was a client side issue (apologies for saying cut down server, I
meant server in a hardware sense rather than server/client model). But
yeah bind-dyndb-ldap is installed on my server.



A brute force way would be to do rpm -qa  list on both installs so we 
can compare the two and try to find some important difference.


rob


Would the client install log report an error if something was missing?

/var/log/ipaclient-install.log



Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-23 Thread Charlie Derwent
On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Charlie Derwent wrote:

 Hi

 I'm running FreeIPA server on F14 and connecting to a F14 client. When I
 run ipa-client-install (via kickstart or after the client has installed)
 I'm getting the following error message.

 root: DEBUG
 root: ERROR LDAP Error: Connect error: Start TLS request
 accepted. Server willing to negotiate SSL
 Failed to verify that ipa.test.net http://ipa.test.net is an IPA server

 This may mean that the remote server is not up or is not reachable due
 to network or firewall settings


 What version of IPA are you running on the client and server?


Server is running 2.0.0.rc3-0
F14 Client is running  2.0.0.rc3-0
RHEL 5.6 Clients are running 2.0-10.el5_6.1
All the boxes are 64-bit



Can you check the 389-ds access log to see if you can see the connection and
 any errors reported with it?

  Nothing in the access.log on the server.




 The ipa server is definitely up and running, it's still authenticating
 other servers in the network and when I rebuild the client with rhel or
 centos it can enroll (almost) without issue (see below).

 The second issue was this certmonger related bug where certmonger fails
 to start on new install
 (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in
 Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?


 Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart
 messagebus after installing certmonger. Should be easy to do in a kickstart.


yeah got the killall -HUP dbus-daemon in there now.

Cheers
Charlie


 rob


Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-23 Thread Rob Crittenden

Charlie Derwent wrote:



On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com wrote:

Charlie Derwent wrote:

Hi

I'm running FreeIPA server on F14 and connecting to a F14 client. When I
run ipa-client-install (via kickstart or after the client has installed)
I'm getting the following error message.

root: DEBUG
root: ERROR LDAP Error: Connect error: Start TLS request
accepted. Server willing to negotiate SSL
Failed to verify that ipa.test.net http://ipa.test.net
http://ipa.test.net is an IPA server

This may mean that the remote server is not up or is not reachable due
to network or firewall settings


What version of IPA are you running on the client and server?

Server is running 2.0.0.rc3-0
F14 Client is running  2.0.0.rc3-0
RHEL 5.6 Clients are running 2.0-10.el5_6.1
All the boxes are 64-bit


How are you invoking ipa-client-install? The error message looks a bit 
odd and I'm not sure if it is a mail client mucking it up or something 
else (the addition of http://ipa.test.net)


rob



Can you check the 389-ds access log to see if you can see the
connection and any errors reported with it?

  Nothing in the access.log on the server.




The ipa server is definitely up and running, it's still authenticating
other servers in the network and when I rebuild the client with rhel or
centos it can enroll (almost) without issue (see below).

The second issue was this certmonger related bug where certmonger fails
to start on new install
(https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in
Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?


Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
restart messagebus after installing certmonger. Should be easy to do
in a kickstart.


yeah got the killall -HUP dbus-daemon in there now.

Cheers
Charlie


rob






Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-23 Thread Charlie Derwent
On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Charlie Derwent wrote:



 On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com wrote:

Charlie Derwent wrote:

Hi

I'm running FreeIPA server on F14 and connecting to a F14 client. When I
run ipa-client-install (via kickstart or after the client has installed)
I'm getting the following error message.

root: DEBUG
root: ERROR LDAP Error: Connect error: Start TLS request
accepted. Server willing to negotiate SSL
Failed to verify that ipa.test.net http://ipa.test.net
http://ipa.test.net is an IPA server

This may mean that the remote server is not up or is not reachable due
to network or firewall settings


What version of IPA are you running on the client and server?

 Server is running 2.0.0.rc3-0
 F14 Client is running  2.0.0.rc3-0
 RHEL 5.6 Clients are running 2.0-10.el5_6.1
 All the boxes are 64-bit


 How are you invoking ipa-client-install? The error message looks a bit odd
 and I'm not sure if it is a mail client mucking it up or something else (the
 addition of http://ipa.test.net)

 rob

Yeah that's a mail client quirk, there was only one http://ipa.test.net in
my original email.

I'm getting the same error if I run ipa-client-install with no switches or
ipa-client-install --server=ipa.test.net --domain=test.net
--realm=TEST.NET etc... there are other switches I have in my kickstart
scripts but I'm not at the lab right now so I couldn't tell you what they are,
suffice to say I'm connecting without any issue if I rekick a rhel or centos
build on the exact same server.

The really weird thing is I have an older box I built to F14 a few weeks ago
and that's been connected for weeks with the exact same client rpm, I just
hope I don't have to rebuild it! Is there any way to check if the
dependencies between the two builds vary?

Charlie



Can you check the 389-ds access log to see if you can see the
connection and any errors reported with it?

  Nothing in the access.log on the server.




The ipa server is definitely up and running, it's still authenticating
other servers in the network and when I rebuild the client with rhel or
centos it can enroll (almost) without issue (see below).

The second issue was this certmonger related bug where certmonger fails
to start on new install
(https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in
Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?


Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
restart messagebus after installing certmonger. Should be easy to do
in a kickstart.


 yeah got the killall -HUP dbus-daemon in there now.

 Cheers
 Charlie


rob





Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-22 Thread Steven Jones
Hi,

2.0 or 1.2?

Also ppl who know way more than me always seem to want the logs.

;]

regards

Steven

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Charlie Derwent [shelltoesupers...@gmail.com]
Sent: Wednesday, 22 June 2011 9:44 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] ipa-client-install errors via kickstart

Hi

I'm running FreeIPA server on F14 and connecting to a F14 client. When I run 
ipa-client-install (via kickstart or after the client has installed) I'm 
getting the following error message.

root: DEBUG
root: ERROR LDAP Error: Connect error: Start TLS request accepted.
Server willing to negotiate SSL
Failed to verify that ipa.test.net http://ipa.test.net is an IPA server
This may mean that the remote server is not up or is not reachable due to 
network or firewall settings



The ipa server is definitely up and running, it's still authenticating other
servers in the network and when I rebuild the client with rhel or centos it can
enroll (almost) without issue (see below).

The second issue was this certmonger related bug where certmonger fails to
start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was
it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6
clients?

Thanks
Charlie



Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-22 Thread Rob Crittenden

Charlie Derwent wrote:

Hi

I'm running FreeIPA server on F14 and connecting to a F14 client. When I
run ipa-client-install (via kickstart or after the client has installed)
I'm getting the following error message.

root: DEBUG
root: ERROR LDAP Error: Connect error: Start TLS request
accepted. Server willing to negotiate SSL
Failed to verify that ipa.test.net http://ipa.test.net is an IPA server
This may mean that the remote server is not up or is not reachable due
to network or firewall settings


What version of IPA are you running on the client and server?

Can you check the 389-ds access log to see if you can see the connection 
and any errors reported with it?






The ipa server is definitely up and running, it's still authenticating
other servers in the network and when I rebuild the client with rhel or
centos it can enroll (almost) without issue (see below).

The second issue was this certmonger related bug where certmonger fails
to start on new install
(https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in
Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?


Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to 
restart messagebus after installing certmonger. Should be easy to do in 
a kickstart.


rob
