I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa to 4.4. On some clients they failed to re-authenticate post upgrade. I then did an ipa-client-install —uninstall , and then tried re-joining to IPA server with ipa-client-install --mkhomedir --force-ntpd --force-join.
Now I am getting the below error, and I have no idea how to recover. Firewall is disabled. Thanks, Alan User authorized to enroll computers: admin Password for admin@XXX.LOCAL: Please make sure the following ports are opened in the firewall settings: TCP: 80, 88, 389 UDP: 88 (at least one of TCP/UDP ports 88 has to be open) Also note that following ports are necessary for ipa-client working properly after enrollment: TCP: 464 UDP: 464, 123 (if NTP enabled) Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library Installation failed. Rolling back changes. IPA client is not configured on this system. [root@troll ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Installed Packages ipa-client.x86_64 4.4.0-14.el7.centos @updates ipa-client-common.noarch 4.4.0-14.el7.centos @updates ipa-common.noarch 4.4.0-14.el7.centos @updates -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project