On 02/10/14 15:36, Hatim Diab wrote:
Hi All,

I have a new installation of freeipa

ipa-server-3.0.0-37.el6.x86_64
on CentOS 6.5

One of my clients stopped authentication last night. I performed an 
ipa-client-install --uninstall from the client, then on trying to delete the 
host

# ipa host-del client.x.y.z
ipa: ERROR: Certificate format error: [Errno -5925] error (-5925) unknown

/var/log/krb5kdc.log
Oct 02 10:27:07 <server> krb5kdc[30623](info): TGS_REQ (4 etypes {18 17 16 23}) <server_IP>: ISSUE: 
authtime 1412221207, etypes {rep=18 tkt=18 ses=18}, HTTP/<server>@<realm> for 
ldap/<server>@<realm>
Oct 02 10:27:07 <server> krb5kdc[30623](info): ... CONSTRAINED-DELEGATION 
s4u-client=admin@<realm>

trying to add back the client
[root@client ~]# ipa-client-install --domain=<domain> --server=<server>
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always 
access the discovered server for all operations and will not fail over to other 
servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: <server>
Realm: <realm>
DNS Domain: <domain>
IPA Server: <server>
BaseDN: dc=<baseDN>

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@<realm>:
Successfully retrieved CA cert
     Subject:     CN=Certificate Authority,O=<realm>
     Issuer:      CN=Certificate Authority,O=<realm>
     Valid From:  Sun Sep 21 20:42:12 2014 UTC
     Valid Until: Thu Sep 21 20:42:12 2034 UTC

Joining realm failed: RPC failed at server.  Certificate format error: [Errno 
-5925] error (-5925) unknown

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Cheers,
Tim



It could be related to this bug - https://bugzilla.redhat.com/show_bug.cgi?id=738456 - as I ran into an issue where I was getting an "error (-5925)"; downgrading nss fixed it for me.

Unless error 5925 applies to many things, in which case ignore me. :)

--
Craig Parker
Senior Systems Administrator | Paragon Internet Group
