My reply with the log output is pending moderator approval.


On 1/16/18 1:11 PM, Rob Crittenden wrote:
> Robbie Harwood via FreeIPA-users wrote:
>> Chris Moody via FreeIPA-users <>
>> writes:
>>> 2018-01-15T21:55:24Z INFO Configured /etc/krb5.conf for IPA realm
>>> 2018-01-15T21:55:24Z DEBUG Starting external process
>>> 2018-01-15T21:55:24Z DEBUG args=keyctl search @s user
>>> ipa_session_cookie:host/
>>> 2018-01-15T21:55:24Z DEBUG Process finished, return code=1
>>> 2018-01-15T21:55:24Z DEBUG stdout=
>>> 2018-01-15T21:55:24Z DEBUG stderr=keyctl_search: Required key not available
>> I'm not familiar with what IPA's trying to do here, but this looks like
>> a problem?  Can someone else comment?
> This is perfectly normal. IPA stores the session cookie in the kernel
> keyring. Given this is a new install there is no cookie to find.
>>> I have tried manually setting /etc/krb5.conf to the contents that get>
>>> generated & display during the verbose client-install process (as seen
>>> above), that manually spell out the KDC details, and am able to run a
>>> 'kinit admin' just fine from the CLI on the client, so kerberos DOES
>>> function from the client.  It talks to the KDC beautifully and
>>> authenticates just fine... so I'm not sure how the client-install
>>> process is getting confused/lost when trying to find/contact the KDC.
>> Someone else who knows more than me: how is the install different than a
>> normal kinit?
> I think we'd need to see the full ipaclient-install.log.
> rob

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to