Re: [Freeipa-users] Client enrolled but failed to obtain host TGT.

2016-04-22 Thread Ask Stack
Martin,
Thanks for the reply.
tail -f /var/log/krb5kdc.log | grep client1.example.com had nothing during a 
failed ipa client install and plenty of activity during a good install. 
And sorry, I missed a big piece of information. Debug log showed ipa-getkeytab: 
../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: 
Assertion `res != ((void *)0)' failed.
Basically /etc/krb5.keytab didn't get created. 
I always wonder why we needed "-ca-cert-file=/etc/ipa/ca.crt", so I ran the 
ipa-client-install without it. I tested the install twenty times with no failure. 
The ca.crt I provide and the one ipa-client-install downloaded are identical.

On Friday, April 22, 2016 3:09 AM, Martin Babinsky wrote:

On 04/21/2016 11:14 PM, Ask Stack wrote:
> Half the time ipa-client-install will fail at getting the TGT.  Google
> showed posts like, Bug 845691 – ipa-client-install Failed to obtain host
> TGT . I reduced
> _kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp'
> '_kerberos._udp' to one server entry only. But it didn't help to reduce
> the failure rate. Thanks for your help.
>
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> ipa-client-install --hostname=client1.example.com
> --server=ipa-server.example.com --domain=example.com -N --mkhomedir
> --unattended -p ipa...@example.com -w 'password1'
> --ca-cert-file=/etc/ipa/ca.crt -d
> ...
> ...
> Enrolled in IPA realm EXAMPLE.COM
> args=kdestroy
> stdout=
> stderr=
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> Failed to obtain host TGT.
>
Hello,

can you please provide KDC log from the server you are enrolling 
against? IIRC it should be in /var/log/krb5kdc.log

-- 
Martin^3 Babinsky


  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
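
The failure chain reported in the message above (ipa-getkeytab aborts, /etc/krb5.keytab is never written, every `kinit -k` retry fails) can be checked mechanically against a saved `ipa-client-install -d` log. This is an added example, not part of the thread or of FreeIPA; the function names and verdict strings are hypothetical, and the sample log lines are constructed from the output quoted here.

```shell
#!/bin/sh
# Added example: triage a saved ipa-client-install debug log for the
# failure pattern discussed in this thread. Names are hypothetical.

# grep -c exits 1 on zero matches; normalise to a plain number.
count() { n=$(grep -c -- "$1" "$2" 2>/dev/null) || true; echo "${n:-0}"; }

# Number of kinit attempts that ended in the preauthentication error.
kinit_failures() { count 'Generic preauthentication failure' "$1"; }

# Prints one verdict word. Args: LOGFILE [KEYTAB]
triage_enroll_log() {
    log=$1; keytab=${2:-/etc/krb5.keytab}
    [ -r "$log" ] || { echo "unreadable-log"; return 0; }
    if [ "$(count 'Failed to obtain host TGT' "$log")" -eq 0 ]; then
        echo "no-tgt-failure"
    elif [ "$(count 'ldap_parse_extended_result: Assertion' "$log")" -gt 0 ]; then
        # ipa-getkeytab aborted, so no keytab was written and each
        # kinit -k -t retry fails the same way.
        echo "getkeytab-aborted"
    elif [ ! -s "$keytab" ]; then
        echo "keytab-missing"
    else
        # Keytab is present: next stop is /var/log/krb5kdc.log on the server.
        echo "check-kdc-log"
    fi
}

# Constructed sample, modelled on the output quoted in the thread.
write_sample_log() {
    cat > "$1" <<'EOF'
Enrolled in IPA realm EXAMPLE.COM
ipa-getkeytab: ../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stderr=kinit: Generic preauthentication failure while getting initial credentials
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stderr=kinit: Generic preauthentication failure while getting initial credentials
Failed to obtain host TGT.
EOF
}

# Stand-alone use: pass the saved debug log as the first argument.
if [ $# -gt 0 ]; then
    echo "$(triage_enroll_log "$1"): $(kinit_failures "$1") failed kinit attempts"
fi
```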

Re: [Freeipa-users] Client enrolled but failed to obtain host TGT.

2016-04-22 Thread Martin Babinsky

On 04/21/2016 11:14 PM, Ask Stack wrote:

> Half the time ipa-client-install will fail at getting the TGT.  Google
> showed posts like, Bug 845691 – ipa-client-install Failed to obtain host
> TGT . I reduced
> _kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp'
> '_kerberos._udp' to one server entry only. But it didn't help to reduce
> the failure rate. Thanks for your help.
>
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> ipa-client-install --hostname=client1.example.com
> --server=ipa-server.example.com --domain=example.com -N --mkhomedir
> --unattended -p ipa...@example.com -w 'password1'
> --ca-cert-file=/etc/ipa/ca.crt -d
> ...
> ...
> Enrolled in IPA realm EXAMPLE.COM
> args=kdestroy
> stdout=
> stderr=
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> Failed to obtain host TGT.

Hello,

can you please provide KDC log from the server you are enrolling 
against? IIRC it should be in /var/log/krb5kdc.log


--
Martin^3 Babinsky



[Freeipa-users] Client enrolled but failed to obtain host TGT.

2016-04-21 Thread Ask Stack
Half the time ipa-client-install will fail at getting the TGT.  Google showed 
posts like, Bug 845691 – ipa-client-install Failed to obtain host TGT. I 
reduced _kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' 
'_kerberos._udp' to one server entry only. But it didn't help to reduce the 
failure rate. Thanks for your help.

client
ipa-client-3.0.0-47.el6_7.2.x86_64

server
ipa-server-3.0.0-47.el6_7.1.x86_64

ipa-client-install --hostname=client1.example.com
--server=ipa-server.example.com --domain=example.com -N --mkhomedir
--unattended -p ipa...@example.com -w 'password1'
--ca-cert-file=/etc/ipa/ca.crt -d
...
...
Enrolled in IPA realm EXAMPLE.COM
args=kdestroy
stdout=
stderr=
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

Failed to obtain host TGT.


