Sorry for asking the dumb question again. Where are the 389-ds logs? I can't find them in /var/log/ .

On Monday, May 23, 2016 5:10 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Ask Stack wrote:
> Rob
> Thanks for the reply.
> I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
> errors and /var/log/krb5kdc.log
> Do you know which service is responsible for providing
> "/etc/krb5.keytab" to the client?

It uses an LDAP extended operation so 389-ds. Any errors would be in the KDC log or, more likely, in the 389-ds logs.

rob

>
> On Monday, May 23, 2016 2:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>
> Ask Stack wrote:
>
> > My company's ipa-client-install fail very often. Debug logs show the
> > process always failed at getting the /etc/krb5.keytab .
> > Is there a way to modify the script to increase number of attempts to
> > create /etc/krb5.keytab ?
> >
> > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> > host TGT (defaults to 5)." But it comes after setting up the
> > "/etc/krb5.keytab" file.
> > Thanks.
> >
> > server
> > ipa-server-3.0.0-47.el6_7.1.x86_64
> >
> > client
> > ipa-client-3.0.0-47.el6_7.2.x86_64
> > ipa-client-3.0.0-50.el6.1.x86_64
> >
> >
> > #SUCCESSFUL ATTEMPT
> >
> > </member>\n
> > </struct></value>\n
> > </data></array></value>\n
> > </param>\n
> > </params>\n
> > </methodResponse>\n
> >
> > Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:40:49Z DEBUG args=kdestroy
> > 2016-05-23T14:40:49Z DEBUG stdout=
> > 2016-05-23T14:40:49Z DEBUG stderr=
> >
> >
> >
> > #FAILED ATTEMPT
> >
> > </member>\n
> > </struct></value>\n
> > </data></array></value>\n
> > </param>\n
> > </params>\n
> > </methodResponse>\n
> >
> > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:37:08Z DEBUG args=kdestroy
> > 2016-05-23T14:37:08Z DEBUG stdout=
> > 2016-05-23T14:37:08Z DEBUG stderr=
> >
>
> There is no retry capability and in some cases would be impossible to
> add (the one-time password case). Can you check /var/log/krb5kdc on the
> IPA master it connected to, and the 389-ds access and errors logs as
> well. Perhaps one of those will have more information on why things failed.
>
> rob
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project