[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

[Launchpad Bug Tracker]

This bug was fixed in the package freeipa - 4.4.3-3ubuntu2.1

---
freeipa (4.4.3-3ubuntu2.1) zesty; urgency=medium

  * client.dirs: Ship /etc/krb5.conf.d, because not having that breaks
the installer when krb5.conf tries to include it. (LP: #1693154)

 -- Timo Aaltonen   Wed, 14 Jun 2017 13:56:03 +0300

** Changed in: freeipa (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Released
Status in kerberos-configs package in Debian:
  New

Bug description:
  [Impact]
  ipa-client-install fails because it modifies /etc/krb5.conf to include 
/etc/krb5.conf.d which doesn't exist, so kinit fails.

  The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-
  client.

  [Test case]
  Enroll an IPA client with ipa-client-install, it should pass.

  [Regression potential]
  None, this is a safe addition.

  
  [original description]
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. 
joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with 
a COCKPIT.LAN domain (from the "ipa-*" image on 
https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. 
Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd 
sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN 
--mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W 
--force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly 
after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not 
be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  stracing shows that it tries to access /etc/krb5.conf.d/ which does
  not exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

[Martin Pitt]

Using the reproduction steps in the description, I re-confirmed that
with the current zesty version joining the domain fails because of that
missing directory. After installing freeipa-{client,common} from
-proposed, joining the domain now succeeds.

** Tags removed: verification-needed-zesty
** Tags added: verification-done-zesty

** Tags removed: verification-needed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Committed
Status in kerberos-configs package in Debian:
  New

Bug description:
  [Impact]
  ipa-client-install fails because it modifies /etc/krb5.conf to include 
/etc/krb5.conf.d which doesn't exist, so kinit fails.

  The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-
  client.

  [Test case]
  Enroll an IPA client with ipa-client-install, it should pass.

  [Regression potential]
  None, this is a safe addition.

  
  [original description]
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. 
joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with 
a COCKPIT.LAN domain (from the "ipa-*" image on 
https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. 
Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd 
sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN 
--mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W 
--force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly 
after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not 
be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  stracing shows that it tries to access /etc/krb5.conf.d/ which does
  not exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

[Timo Aaltonen]

fixed package uploaded to the queue

** Description changed:

- Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS)
- wrt. joining a FreeIPA kerberos server. I am running a server on
- 10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on
- https://fedorapeople.org/groups/cockpit/images/), and realmd.service
- fails. Running ipa-client-install manually shows why:
+ [Impact]
+ ipa-client-install fails because it modifies /etc/krb5.conf to include 
/etc/krb5.conf.d which doesn't exist, so kinit fails.
+ 
+ The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-
+ client.
+ 
+ [Test case]
+ Enroll an IPA client with ipa-client-install, it should pass.
+ 
+ [Regression potential]
+ None, this is a safe addition.
+ 
+ 
+ [original description]
+ Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. 
joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with 
a COCKPIT.LAN domain (from the "ipa-*" image on 
https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. 
Running ipa-client-install manually shows why:
  
  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd 
sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf
  
  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN 
--mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W 
--force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan
  
  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
-  TCP: 80, 88, 389
-  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
+  TCP: 80, 88, 389
+  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly 
after enrollment:
-  TCP: 464
-  UDP: 464, 123 (if NTP enabled)
+  TCP: 464
+  UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not 
be read while initializing Kerberos 5 library
  
  Installation failed. Rolling back changes.
  IPA client is not configured on this system.
  
- 
- stracing shows that it tries to access /etc/krb5.conf.d/ which does not 
exist. mkdir'ing this is sufficient to fix it.
+ stracing shows that it tries to access /etc/krb5.conf.d/ which does not
+ exist. mkdir'ing this is sufficient to fix it.
  
  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
-  TERM=xterm
-  PATH=(custom, no user)
-  XDG_RUNTIME_DIR=
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
+  TERM=xterm
+  PATH=(custom, no user)
+  XDG_RUNTIME_DIR=
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

** Changed in: freeipa (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: freeipa (Ubuntu Zesty)
 Assignee: (unassigned) => Timo Aaltonen (tjaalton)

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  In Progress
Status in kerberos-configs package in Debian:
  New

Bug description:
  [Impact]
  ipa-client-install fails because it modifies /etc/krb5.conf to include 
/etc/krb5.conf.d which doesn't exist, so kinit fails.

  The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-
  client.

  [Test case]
  Enroll an IPA client with ipa-client-install, it should pass.

  [Regression potential]
  None, this is a safe addition.

  
  [original description]
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. 
joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with 
a COCKPIT.LAN domain (from the "ipa-*" image on 
https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. 
Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y 

[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

[Martin Pitt]

Splendid, thanks Timo!

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  New
Status in kerberos-configs package in Debian:
  New

Bug description:
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS)
  wrt. joining a FreeIPA kerberos server. I am running a server on
  10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on
  https://fedorapeople.org/groups/cockpit/images/), and realmd.service
  fails. Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd 
sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN 
--mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W 
--force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly 
after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not 
be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  
  stracing shows that it tries to access /etc/krb5.conf.d/ which does not 
exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

[Bug Watch Updater]

** Changed in: kerberos-configs (Debian)
   Status: Unknown => New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  New
Status in kerberos-configs package in Debian:
  New

Bug description:
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS)
  wrt. joining a FreeIPA kerberos server. I am running a server on
  10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on
  https://fedorapeople.org/groups/cockpit/images/), and realmd.service
  fails. Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd 
sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN 
--mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W 
--force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly 
after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not 
be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  
  stracing shows that it tries to access /etc/krb5.conf.d/ which does not 
exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

[Timo Aaltonen]

the client install creates /etc/krb5.conf with "includedir
/etc/krb5.conf.d/"

while creating that directory should be done by krb5-config, it was
fixed in sid/artful by freeipa-client 4.4.4-1. mit-krb5 will add the
directory after stretch is released

SRU for zesty would be in order, though


** Changed in: freeipa (Ubuntu)
   Status: New => Fix Released

** Also affects: freeipa (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Bug watch added: Debian Bug tracker #858970
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858970

** Also affects: kerberos-configs (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858970
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  New
Status in kerberos-configs package in Debian:
  Unknown

Bug description:
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS)
  wrt. joining a FreeIPA kerberos server. I am running a server on
  10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on
  https://fedorapeople.org/groups/cockpit/images/), and realmd.service
  fails. Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd 
sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN 
--mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W 
--force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly 
after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not 
be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  
  stracing shows that it tries to access /etc/krb5.conf.d/ which does not 
exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp