Ask Stack wrote:
My company's ipa-client-install fails very often. Debug logs show the
process always failed at getting the /etc/krb5.keytab.
Is there a way to modify the script to increase the number of attempts to
create /etc/krb5.keytab?

I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
host TGT (defaults to 5)." But it comes after setting up the
"/etc/krb5.keytab" file.





Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=TEST.COM

2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:40:49Z DEBUG args=kdestroy
2016-05-23T14:40:49Z DEBUG stdout=
2016-05-23T14:40:49Z DEBUG stderr=



ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
Certificate subject base is: O=TEST.COM

2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:37:08Z DEBUG args=kdestroy
2016-05-23T14:37:08Z DEBUG stdout=
2016-05-23T14:37:08Z DEBUG stderr=

There is no retry capability, and in some cases it would be impossible to add (the one-time password case). Can you check /var/log/krb5kdc on the IPA master it connected to, and the 389-ds access and errors logs as well? Perhaps one of those will have more information on why things failed.

