Gady Notrica wrote:
Thank you guys for your help.

Still can't enroll the client. Any suggestion on the errors below?

/Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

Installation failed. Rolling back changes.

/Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255/

This is unrelated to the enrollment problem.

rob


Disabling client Kerberos and LDAP configurations

Gady Notrica

-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Any specific command in particular to remove that keytab?

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed

[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
/etc/krb5.keytab Kerberos context initialization failed

[root@cprddb1 /]#

Gady

-----Original Message-----

From: Rob Crittenden [mailto:rcrit...@redhat.com]

Sent: April 20, 2016 1:59 PM

To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
<mailto:freeipa-users@redhat.com>

Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:

 >

 >

 > On 20.04.2016 18:00, Gady Notrica wrote:

 >>

 >> Hello World,

 >>

 >> I am having these errors trying to install ipa-client-install. Every

 >> other machine is fine and they IPA servers are functioning perfectly

 >>

 >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

 >>

 >> Kerberos authentication failed: kinit: Improper format of Kerberos

 >> configuration file while initializing Kerberos 5 library

 >>

 >> Then I have "/Installation failed. Rolling back changes."/

 >>

 >> I have tried everything I know with no luck. Any idea on how to FIX

 >> this? Below is the full log.

 >>

 >> -----------------------------------------------------------

 >>

 >> /Continue to configure the system with these values? [no]: yes/

 >>

 >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/

 >>

 >> /Skipping synchronizing time with NTP server./

 >>

 >> /User authorized to enroll computers: admin/

 >>

 >> /Password for ad...@ipa.domain.com:/ <mailto:ad...@ipa.domain.com:/>

 >>

 >> /Please make sure the following ports are opened in the firewall

 >> settings:/

 >>

 >> /TCP: 80, 88, 389/

 >>

 >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/

 >>

 >> /Also note that following ports are necessary for ipa-client working

 >> properly after enrollment:/

 >>

 >> /TCP: 464/

 >>

 >> /UDP: 464, 123 (if NTP enabled)/

 >>

 >> /Kerberos authentication failed: kinit: Improper format of Kerberos

 >> configuration file while initializing Kerberos 5 library/

 >>

 >> //

 >>

 >> /Installation failed. Rolling back changes./

 >>

 >> /Failed to list certificates in /etc/ipa/nssdb: Command

 >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero

 >> exit status 255/

 >>

 >> /Disabling client Kerberos and LDAP configurations/

 >>

 >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to

 >> /etc/sssd/sssd.conf.deleted/

 >>

 >> /Restoring client configuration files/

 >>

 >> /nscd daemon is not installed, skip configuration/

 >>

 >> /nslcd daemon is not installed, skip configuration/

 >>

 >> /Client uninstall complete./

 >>

 >> /---------------------------------------------------------------/

 >>

 >> Gady

 >>

 >>

 >>

 > Hello,

 >

 > IMO you have an old invalid keytab on that machine. Can you manually

 > remove it and try to reinstall client? (Of course only if you are sure

 > that keytab there is not needed)

 >

 > The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob

--

Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users

Go to http://freeipa.org for more info on the project


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to