Alan Latteri wrote:
> Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is
> the version provided.
> Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is
> out of our control.

Either way it's a bug somewhere in ipa-client, it should require a minimum version of krb5-libs which provides this file (or explicitly check for existence of this directory).

I opened a ticket on it, https://fedorahosted.org/freeipa/ticket/6589

rob

>
> Alan
>
>> On Jan 3, 2017, at 8:33 PM, Rob Crittenden <[email protected]> wrote:
>>
>> Alan Latteri wrote:
>>> Further investigation.
>>>
>>> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is
>>> missing, and therefore initial setup will fail unless manual creation of
>>> /etc/krb5.conf.d/
>>> Maybe the install script for the client can be updated to check for and
>>> create?
>>
>> Is there a reason you're running 7.3 packages on a 7.2 system? I suspect
>> that is the problem. AFAIU in 7.3 this directory is provided by krb5-libs.
>>
>> Is there some feature you need in the 4.4 client installer on 7.2?
>>
>> rob
>>
>>>
>>> Thanks,
>>> Alan
>>>
>>>> On Jan 3, 2017, at 1:44 PM, Alan Latteri <[email protected]>
>>>> wrote:
>>>>
>>>> Thanks Rob.
>>>>
>>>> /etc/krb5.conf.d/ was in fact missing from the client, which is still on
>>>> CentOS 7.2 for reasons out of our control.
>>>> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have
>>>> the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4
>>>> client requires that dir but is not making it on upgrade and the cause of
>>>> the failure?
>>>>
>>>> Alan
>>>>
>>>>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden <[email protected]> wrote:
>>>>>
>>>>> Alan Latteri wrote:
>>>>>> Log is attached.
>>>>>
>>>>> Look and see if /etc/krb5.conf.d/ and
>>>>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>>>>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>>>>> filesystem perms are an issue but who knows.
>>>>>
>>>>> You can also brute force things using strace -f to find out exactly what
>>>>> can't be read.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>
>
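
The check suggested in the thread (do /etc/krb5.conf.d/ and /var/lib/sss/pubconf/krb5.include.d exist and are they readable) can be scripted as below. This is an added example, not part of the original messages or of ipa-client; it assumes the client's krb5.conf references those directories through `include`/`includedir` directives, and the function name and its optional ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report include/includedir targets in a
# krb5.conf that are missing or unreadable.
#
# Usage: check_krb5_includes CONF [ROOT]
#   CONF  path to the krb5.conf to inspect
#   ROOT  optional prefix prepended to each target (hypothetical helper
#         argument, useful for checking a chroot or an unpacked image)
# Prints "MISSING <path>" or "UNREADABLE <path>" per problem.
# Returns 0 if all targets are usable, 1 if any is not, 2 if CONF is unreadable.
check_krb5_includes() {
    _conf=$1
    _root=${2:-}
    _rc=0
    if [ ! -r "$_conf" ]; then
        echo "UNREADABLE $_conf"
        return 2
    fi
    # read strips leading whitespace; "#" comment lines never match the case arms.
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r _directive _target _rest || [ -n "$_directive" ]; do
        case $_directive in
            includedir)
                # A directory must exist and be both listable and searchable.
                if [ ! -d "$_root$_target" ]; then
                    echo "MISSING $_target"; _rc=1
                elif [ ! -r "$_root$_target" ] || [ ! -x "$_root$_target" ]; then
                    echo "UNREADABLE $_target"; _rc=1
                fi
                ;;
            include)
                # A single included file must exist and be readable.
                if [ ! -f "$_root$_target" ]; then
                    echo "MISSING $_target"; _rc=1
                elif [ ! -r "$_root$_target" ]; then
                    echo "UNREADABLE $_target"; _rc=1
                fi
                ;;
        esac
    done < "$_conf"
    return "$_rc"
}
```

On a live host, call `check_krb5_includes /etc/krb5.conf`. Filesystem tests run as root will not reveal SELinux denials, so the audit log still needs a separate look for AVCs.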
