Gady Notrica wrote:
Please find below the krb5.conf. It still has the original content.

[root@prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes
....
Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
....
Client uninstall complete.

[root@prddb1]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#

Ok, I agree with the others then, we need to see the full ipaclient-install.log. This file looks fine which means the temporary one that is configured must be bad in some way. The log will tell how.
rob

Gady

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; [email protected]
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

> Installation failed. Rolling back changes.
>
> /Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255/

This is unrelated to the enrollment problem.

rob

>
> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
>
> -----Original Message-----
> From: [email protected] <mailto:[email protected]>
> [mailto:[email protected]] On Behalf Of Gady Notrica
> Sent: April 20, 2016 2:12 PM
> To: Rob Crittenden; Martin Basti; [email protected] <mailto:[email protected]>
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root@cprddb1 /]#
>
> Gady
>
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: April 20, 2016 1:59 PM
> To: Martin Basti; Gady Notrica; [email protected] <mailto:[email protected]> <mailto:[email protected]>
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Martin Basti wrote:
> >
> > On 20.04.2016 18:00, Gady Notrica wrote:
> >>
> >> Hello World,
> >>
> >> I am having these errors trying to install ipa-client-install. Every
> >> other machine is fine and the IPA servers are functioning perfectly
> >>
> >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
> >>
> >> Kerberos authentication failed: kinit: Improper format of Kerberos
> >> configuration file while initializing Kerberos 5 library
> >>
> >> Then I have "/Installation failed. Rolling back changes."/
> >>
> >> I have tried everything I know with no luck. Any idea on how to FIX
> >> this? Below is the full log.
> >>
> >> -----------------------------------------------------------
> >>
> >> /Continue to configure the system with these values? [no]: yes/
> >>
> >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
> >>
> >> /Skipping synchronizing time with NTP server./
> >>
> >> /User authorized to enroll computers: admin/
> >>
> >> /Password for [email protected]:/ <mailto:[email protected]:/> <mailto:[email protected]:/>
> >>
> >> /Please make sure the following ports are opened in the firewall
> >> settings:/
> >>
> >> /TCP: 80, 88, 389/
> >>
> >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
> >>
> >> /Also note that following ports are necessary for ipa-client working
> >> properly after enrollment:/
> >>
> >> /TCP: 464/
> >>
> >> /UDP: 464, 123 (if NTP enabled)/
> >>
> >> /Kerberos authentication failed: kinit: Improper format of Kerberos
> >> configuration file while initializing Kerberos 5 library/
> >>
> >> //
> >>
> >> /Installation failed. Rolling back changes./
> >>
> >> /Failed to list certificates in /etc/ipa/nssdb: Command
> >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> >> exit status 255/
> >>
> >> /Disabling client Kerberos and LDAP configurations/
> >>
> >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> >> /etc/sssd/sssd.conf.deleted/
> >>
> >> /Restoring client configuration files/
> >>
> >> /nscd daemon is not installed, skip configuration/
> >>
> >> /nslcd daemon is not installed, skip configuration/
> >>
> >> /Client uninstall complete./
> >>
> >> /---------------------------------------------------------------/
> >>
> >> Gady
> >>
> > Hello,
> >
> > IMO you have an old invalid keytab on that machine. Can you manually
> > remove it and try to reinstall client? (Of course only if you are sure
> > that keytab there is not needed)
> >
> > The keytab should be located here /etc/krb5.keytab
>
> That or /etc/krb5.conf is messed up in some way.
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
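
Added example, not part of the original thread and not FreeIPA or MIT Kerberos code: a simplified structural check for a krb5.conf-style file, the kind of problem the "Improper format of Kerberos configuration file" message points at. The function name lint_krb5_conf is hypothetical, THREAD_CONF is an abridged copy of the file quoted above, BROKEN_CONF is constructed, and include/includedir directives are not handled.

```python
import re

# Abridged copy of the /etc/krb5.conf quoted in the thread.
THREAD_CONF = """\
[libdefaults]
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
"""
# Constructed broken input: header missing "]" and one "}" too many.
BROKEN_CONF = """\
[libdefaults
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
 }
 }
"""

def lint_krb5_conf(text):
    """Return (line_number, problem) pairs for structural errors."""
    problems, depth, in_section, n = [], 0, False, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            in_section = True
            if not re.fullmatch(r"\[[^\[\]]+\]\*?", line):
                problems.append((n, "malformed section header"))
        elif line in ("}", "}*"):
            if depth == 0:
                problems.append((n, "'}' without matching '{'"))
            depth = max(depth - 1, 0)
        elif "=" not in line:
            problems.append((n, "expected 'name = value'"))
        elif not in_section:
            problems.append((n, "relation before any [section]"))
        elif line.split("=", 1)[1].strip() == "{":
            depth += 1  # subsection opens; '%{uid}' in a value does not
    if depth:
        problems.append((n, "unclosed '{' at end of file"))
    return problems
```

The file from the thread produces no findings, which matches the reply that it looks fine; the constructed file is flagged on lines 1 and 7.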
