Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-04 Thread Rob Crittenden
Alan Latteri wrote: > Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is > the version provided. > Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is > out of our control. Either way it's a bug somewhere in ipa-client, it should require a

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-04 Thread Lukas Slebodnik
On (03/01/17 20:35), Alan Latteri wrote: >Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is >the version provided. >Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is >out of our control. > You will install el7.3 on CentOS 7.2 by default. If

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Alan Latteri
Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is the version provided. Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is out of our control. Alan > On Jan 3, 2017, at 8:33 PM, Rob Crittenden wrote: > > Alan Latteri

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Alan Latteri
Further investigation. On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is missing, and therefore initial setup will fail unless manual creation of /etc/krb5.conf.d/ Maybe the install script for the client can be updated to check for and create? Thanks, Alan > On Jan 3,

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Alan Latteri
Thanks Rob. /etc/krb5.conf.d/ was in fact missing from the client, which is still on CentOS 7.2 for reasons out of our control. Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client requires

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Rob Crittenden
Alan Latteri wrote: > Log is attached. Look and see if /etc/krb5.conf.d/ and /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check for SELinux AVCs). I'm pretty sure this all runs as root so I doubt filesystem perms are an issue but who knows. You can also brute force things

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Martin Babinsky
On 01/02/2017 11:22 PM, Alan Latteri wrote: I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa to 4.4. On some clients they failed to re-authenticate post upgrade. I then did an ipa-client-install —uninstall , and then tried re-joining to IPA server with