Any specific command in particular to remove that keytab? Since these don't work
[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab Kerberos context initialization failed [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab Kerberos context initialization failed [root@cprddb1 /]# Gady -----Original Message----- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 1:59 PM To: Martin Basti; Gady Notrica; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Martin Basti wrote: > > > On 20.04.2016 18:00, Gady Notrica wrote: >> >> Hello World, >> >> I am having these errors trying to install ipa-client-install. Every >> other machine is fine and they IPA servers are functioning perfectly >> >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 >> >> Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library >> >> Then I have "/Installation failed. Rolling back changes."/ >> >> I have tried everything I know with no luck. Any idea on how to FIX >> this? Below is the full log. >> >> ----------------------------------------------------------- >> >> /Continue to configure the system with these values? [no]: yes/ >> >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/ >> >> /Skipping synchronizing time with NTP server./ >> >> /User authorized to enroll computers: admin/ >> >> /Password for ad...@ipa.domain.com:/ >> >> /Please make sure the following ports are opened in the firewall >> settings:/ >> >> /TCP: 80, 88, 389/ >> >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/ >> >> /Also note that following ports are necessary for ipa-client working >> properly after enrollment:/ >> >> /TCP: 464/ >> >> /UDP: 464, 123 (if NTP enabled)/ >> >> /Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library/ >> >> // >> >> /Installation failed. Rolling back changes./ >> >> /Failed to list certificates in /etc/ipa/nssdb: Command >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero >> exit status 255/ >> >> /Disabling client Kerberos and LDAP configurations/ >> >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to >> /etc/sssd/sssd.conf.deleted/ >> >> /Restoring client configuration files/ >> >> /nscd daemon is not installed, skip configuration/ >> >> /nslcd daemon is not installed, skip configuration/ >> >> /Client uninstall complete./ >> >> /---------------------------------------------------------------/ >> >> Gady >> >> >> > Hello, > > IMO you have an old invalid keytab on that machine. Can you manually > remove it and try to reinstall client? (Of course only if you are sure > that keytab there is not needed) > > The keytab should be located here /etc/krb5.keytab That or /etc/krb5.conf is messed up in some way. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project