Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
Ok, Gady sent the complete file out-of-band and the temporary krb5.conf 
the client installer creates looks ok. It does include files from 
/var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files 
in there and if so, what the contents are?


BTW, what distro and release of ipa-client is this?

thanks

rob

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
[root@cd-s-prd-db1 krb5.include.d]# ls -l
-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin

[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41

[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]

[root@cd-s-prd-db1 krb5.include.d]# uname -a
Linux cd-s-prd-db1.ipa.candeal.ca 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

It's CentOS 7.



Gady



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 4:04 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Lukas Slebodnik
On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
>-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin
>
>[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
># Generated by NetworkManager
>search ipa.candeal.ca
>nameserver 172.20.10.40
>nameserver 172.20.10.41
This should be the content of /etc/resolv.conf, not of domain_realm_ipa_candeal_ca.

>[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
>[domain_realm]
>.AD.candeal.ca = AD.CANDEAL.CA
>AD.candeal.ca = AD.CANDEAL.CA
>[capaths]
This should be the content of domain_realm_ipa_candeal_ca, not of localauth_plugin.

Remove both files. It is safe. They will be created by sssd
after it starts.

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
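Lukas's diagnosis above can be turned into a check to run before enrolling. This is an added example, not code from the thread or from the sssd or FreeIPA projects; the krb5.conf line rules are a simplified reading of that format, and the sample files are constructed (bad/ from Gady's listing, good/ from the shape such fragments normally take, with a made-up realm mapping).

```shell
#!/bin/sh
# Added example, not code from the thread or from sssd/FreeIPA.
# ipa-client-install's temporary krb5.conf includes the fragments sssd writes
# to /var/lib/sss/pubconf/krb5.include.d/. In the thread one fragment held
# resolv.conf content ("search ...", "nameserver ..."), so libkrb5 rejected
# the whole configuration with "Improper format of Kerberos configuration
# file". This pre-flight check flags fragments containing lines that cannot
# be krb5.conf syntax. The accepted-line rules are a simplified reading of
# krb5.conf syntax (assumption), not the parser libkrb5 uses.

# Return 0 when FILE looks like a krb5.conf fragment, 1 at the first line
# that cannot belong to one. 'read' with the default IFS strips leading and
# trailing whitespace, so indented lines are classified correctly.
krb5_fragment_ok() {
    file="$1"
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) ;;                        # blank or comment
            '['*']') ;;                             # [section] header
            *=*) ;;                                 # key = value, or key = {
            '}'*) ;;                                # end of a nested block
            include\ *|includedir\ *|module\ *) ;;  # krb5.conf directives
            *) echo "$file: not krb5.conf syntax: $line" >&2; return 1 ;;
        esac
    done < "$file"
    return 0
}

# Check every regular file in DIR; return 1 if any fragment is malformed.
# The thread's remedy for such a file is to remove it and let sssd recreate
# it on its next start.
check_krb5_include_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        krb5_fragment_ok "$f" || rc=1
    done
    return "$rc"
}

# Constructed sample directories. bad/ reproduces the two files from Gady's
# listing; good/ shows the shape such fragments normally take (the realm
# mapping and the plugin block are constructed for this example).
make_sample_dir() {
    d=$(mktemp -d)
    mkdir "$d/bad" "$d/good"
    printf '%s\n' '# Generated by NetworkManager' 'search ipa.candeal.ca' \
        'nameserver 172.20.10.40' 'nameserver 172.20.10.41' \
        > "$d/bad/domain_realm_ipa_candeal_ca"
    printf '%s\n' '[domain_realm]' '.AD.candeal.ca = AD.CANDEAL.CA' \
        'AD.candeal.ca = AD.CANDEAL.CA' '[capaths]' \
        > "$d/bad/localauth_plugin"
    printf '%s\n' '[domain_realm]' '.ipa.candeal.ca = IPA.CANDEAL.CA' \
        'ipa.candeal.ca = IPA.CANDEAL.CA' \
        > "$d/good/domain_realm_ipa_candeal_ca"
    printf '%s\n' '[plugins]' ' localauth = {' \
        '  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so' \
        ' }' > "$d/good/localauth_plugin"
    echo "$d"
}

# On a client, run before enrolling (exit status 1 lists the bad files):
#   check_krb5_include_dir /var/lib/sss/pubconf/krb5.include.d
```

It flags only lines that cannot be krb5.conf syntax, so the name/content swap Lukas points out between the two files still needs a human look.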


Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
You guys are awesome



# ipa-client-install --enable-dns-updates --mkhomedir --no-ntp
Discovery was successful!
…
Continue to configure the system with these values? [no]: yes
…
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
….
Systemwide CA database updated.
Added CA certificates to the default NSS database.
…
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
….
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.candeal.ca as NIS domain.
Client configuration complete.



Gady



-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: April 20, 2016 4:16 PM
To: Gady Notrica
Cc: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors




Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find below the krb5.conf. It still has the original content.

[root@prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil'
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Client uninstall complete.

[root@prddb1]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#



Gady



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors




Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden

Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library

What does /etc/krb5.conf look like?

> Installation failed. Rolling back changes.
>
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255

This is unrelated to the enrollment problem.

rob

> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
> Sent: April 20, 2016 2:12 PM
> To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root@cprddb1 /]#
>
> Gady
>
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: April 20, 2016 1:59 PM
> To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Martin Basti wrote:
>> On 20.04.2016 18:00, Gady Notrica wrote:
>>> Hello World,
>>>
>>> I am having these errors trying to install ipa-client-install. Every
>>> other machine is fine and the IPA servers are functioning perfectly
>>>
>>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>>
>>> Kerberos authentication failed: kinit: Improper format of Kerberos
>>> configuration file while initializing Kerberos 5 library
>>>
>>> Then I have "Installation failed. Rolling back changes."
>>>
>>> I have tried everything I know with no luck. Any idea on how to FIX
>>> this? Below is the full log.
>>>
>>> ---
>>> Continue to configure the system with these values? [no]: yes
>>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>> Skipping synchronizing time with NTP server.
>>> User authorized to enroll computers: admin
>>> Password for ad...@ipa.domain.com:
>>> Please make sure the following ports are opened in the firewall
>>> settings:
>>> TCP: 80, 88, 389
>>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>> Also note that following ports are necessary for ipa-client working
>>> properly after enrollment:
>>> TCP: 464
>>> UDP: 464, 123 (if NTP enabled)
>>> Kerberos authentication failed: kinit: Improper format of Kerberos
>>> configuration file while initializing Kerberos 5 library
>>>
>>> Installation failed. Rolling back changes.
>>> Failed to list certificates in /etc/ipa/nssdb: Command
>>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>>> exit status 255
>>> Disabling client Kerberos and LDAP configurations
>>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>>> /etc/sssd/sssd.conf.deleted
>>> Restoring client configuration files
>>> nscd daemon is not installed, skip configuration
>>> nslcd daemon is not installed, skip configuration
>>> Client uninstall complete.
>>> ---
>>>
>>> Gady
>>>
>> Hello,
>>
>> IMO you have an old invalid keytab on that machine. Can you manually
>> remove it and try to reinstall client? (Of course only if you are sure
>> that keytab there is not needed)
>>
>> The keytab should be located here /etc/krb5.keytab
>
> That or /etc/krb5.conf is messed up in some way.
>
> rob



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden

Ok, I agree with the others then, we need to see the full 
ipaclient-install.log. This file looks fine which means the temporary 
one that is configured must be bad in some way. The log will tell how.


rob



Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors


Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Original file attached - no changes to the file

Gady


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: April 20, 2016 3:52 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors


[Freeipa-users] Warning about session memcached servers from ipa-replica-manage

2016-04-20 Thread Roderick Johnstone

Hi

I'm getting the following warning on RHEL7 ipa servers 
(ipa-server-4.2.0-15.el7_2.6.1.x86_64).


$ ipa-replica-manage list
ipa: WARNING: session memcached servers not running
aaa.xxx.yyy: master
bbb.xxx.yyy: master

Can someone advise please on what the session memcached servers are for 
and how to get them running, assuming they are worth having.


Thanks.

Roderick Johnstone

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Warning about session memcached servers from ipa-replica-manage

2016-04-20 Thread Rob Crittenden

Roderick Johnstone wrote:

Hi

I'm getting the following warning on RHEL7 ipa servers
(ipa-server-4.2.0-15.el7_2.6.1.x86_64).

$ ipa-replica-manage list
ipa: WARNING: session memcached servers not running
aaa.xxx.yyy: master
bbb.xxx.yyy: master

Can someone advise please on what the session memcached servers are for
and how to get them running, assuming they are worth having.


I think this can be ignored. In order to see if there are servers 
running the code needs to read /var/run/ipa_memcached and lack read 
permissions. The warning is not particularly helpful.


rob



[Freeipa-users] FreeIPA and PWM

2016-04-20 Thread Tiemen Ruiten
Hello,

I'm trying to set up a self-service page for a new IPA domain and I'm
trying to use PWM for that.

When I try to bind to FreeIPA from within PWM, with the configured "LDAP
Proxy User", I get the following error:

error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636':
unable to create connection: unable to bind to ldaps://
polonium.ipa.rdmedia.com:636 as
cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason:
[LDAP: error code 48 - Inappropriate Authentication]

In /var/log/krb5kdc.log I see:

Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/
protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/
ipa.rdmedia@ipa.rdmedia.com, Additional pre-authentication required
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down
fd 12
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149,
etypes {rep=18 tkt=18 ses=18}, host/
protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/
ipa.rdmedia@ipa.rdmedia.com
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down
fd 12
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149,
etypes {rep=18 tkt=18 ses=18}, host/
protactinium.ipa.rdmedia@ipa.rdmedia.com for ldap/
polonium.ipa.rdmedia@ipa.rdmedia.com
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down
fd 12

What is going on? What can I do to debug this more?


-- 
Tiemen Ruiten
Systems Engineer
R Media

Re: [Freeipa-users] ipa ERROR on user-add after RHEL 7 yum update

2016-04-20 Thread Alexander Bokovoy

On Wed, 20 Apr 2016, Daryl Fonseca-Holt wrote:

After doing a yum update on April 14 we are experiencing this error on an ipa
user-add:
ipa: ERROR: missing attribute "nisMapName" required by object class
"nisMap"
The /var/log/ipaupgrade.log is too large to attach but I didn't see any obvious
errors in it.

After the update the versions are:
ipa-server-4.2.0-15.el7_2.6.1.x86_64
389-ds-base-1.3.4.0-29
The dirsrv instance log has this error:
[19/Apr/2016:09:48:44 -0500] - Entry
"uid=testuser,cn=users,cn=accounts,dc=uofmt1" missing attribute
"nisMapName" required by object class "nisMap"

Default user object classes do not include nisMap object class. Did you
add that yourself?


Looking at the schema for the instance the attribute seems to be there:
cd /etc/dirsrv/slapd-UOFMT1/schema
grep nisMapName *
10rfc2307.ldif:attributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
DESC 'Standard LDAP attribute type' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2307' )
10rfc2307.ldif:objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject'
DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $
nisMapEntry $ nisMapName ) MAY ( description ) X-ORIGIN 'RFC 2307' )
10rfc2307.ldif:objectClasses: ( 1.3.6.1.1.1.2.13 NAME 'nisMap' DESC
'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( nisMapName )
MAY ( description ) X-ORIGIN 'RFC 2307' )
99user.ldif: lass' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $
nisMapName ) MAY descripti
99user.ldif: s' SUP top STRUCTURAL MUST nisMapName MAY description X-
ORIGIN ( 'RFC 2307' '
99user.ldif:attributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' DESC
'Standard LDAP attri
I've attached the dirsrv instance 10rfc2307.ldif and 99user.ldif. It doesn't
make sense that 99user.ldif has an nisMap objectclass in it. Or is this
something the upgrade it trying to override?

99user.ldif accumulates all schema changes that come through replication
or via updates. 


Can you show full entry for uid=testuser (filter userPassword field) and also 
output of

$ ipa config-show --all|grep objectclass
 Default group objectclasses: top, ipaobject, groupofnames, ipausergroup, 
nestedgroup
 Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, 
organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser, 
posixaccount
 objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig, 
ipaUserAuthTypeClass



Since this IPA server was first installed these updates have been applied:
grep 'IPA version' /var/log/ipaupgrade.log
2016-02-02T15:47:48Z DEBUG IPA version 4.2.0-15.el7_2.3
2016-03-25T19:21:18Z DEBUG IPA version 4.2.0-15.el7_2.6
2016-03-25T19:33:21Z DEBUG IPA version 4.2.0-15.el7_2.6
2016-03-25T19:42:23Z DEBUG IPA version 4.2.0-15.el7_2.6
2016-04-14T15:47:31Z DEBUG IPA version 4.2.0-15.el7_2.6.1
2016-04-14T15:56:50Z DEBUG IPA version 4.2.0-15.el7_2.6.1
2016-04-14T16:12:58Z DEBUG IPA version 4.2.0-15.el7_2.6.1
2016-04-14T16:22:07Z DEBUG IPA version 4.2.0-15.el7_2.6.1

Difference between -15.el7_2.6 and -15.el7_2.6.1 is a rebuild against
updated Samba version.

--
/ Alexander Bokovoy

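The error Alexander diagnoses above is the directory enforcing the MUST list of every object class on the new entry: once nisMap is among the default user object classes, every user-add has to supply nisMapName, which it never does. The following added example (not FreeIPA or 389-ds code) parses objectClasses definitions in LDIF form, like the 10rfc2307.ldif lines quoted above, resolves the SUP chain, and reports which required attributes an entry lacks; the schema sample, the test entry and the set of attributes assumed to be populated by `ipa user-add` are all constructed for the example.

```python
"""Check LDAP entries against the MUST attributes of their object classes.

Added example, not FreeIPA or 389-ds code. SCHEMA_LDIF is a constructed sample
built from the RFC 2307 classes quoted in the thread plus two standard classes;
USER_ENTRY and USER_ADD_ATTRS are constructed assumptions as well.
"""
import re

SCHEMA_LDIF = """\
objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'Standard LDAP objectclass'
  SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY ( description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.13 NAME 'nisMap' DESC 'Standard LDAP objectclass'
  SUP top STRUCTURAL MUST ( nisMapName ) MAY ( description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( loginShell $ gecos ) )
"""

# Constructed: a user entry with nisMap added to its object classes but no nisMapName,
# which is the situation behind the "missing attribute" error in the thread.
USER_ENTRY = {
    "objectClass": ["top", "person", "posixAccount", "nisMap"],
    "uid": ["testuser"], "cn": ["Test User"], "sn": ["User"],
    "uidNumber": ["10001"], "gidNumber": ["10001"], "homeDirectory": ["/home/testuser"],
}

# Constructed assumption: a representative set of attributes that ``ipa user-add``
# fills in on a new entry (not an exhaustive list taken from the IPA code).
USER_ADD_ATTRS = {"uid", "cn", "sn", "givenName", "displayName", "initials", "gecos",
                  "uidNumber", "gidNumber", "homeDirectory", "loginShell",
                  "krbPrincipalName", "ipaUniqueID", "mail"}


def parse_object_classes(ldif_text):
    """Parse objectClasses definitions into {name.lower(): {name, must, sup}}."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:      # LDIF continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    classes = {}
    for line in unfolded:
        if not line.lower().startswith("objectclasses:"):
            continue
        name = re.search(r"NAME\s+'([^']+)'", line)
        if not name:
            continue
        must = re.search(r"\bMUST\s+(?:\(([^)]*)\)|([A-Za-z0-9-]+))", line)
        sup = re.search(r"\bSUP\s+'?([A-Za-z0-9-]+)'?", line)
        attrs = []
        if must:
            body = must.group(1) if must.group(1) is not None else must.group(2)
            attrs = [a.strip() for a in body.split("$") if a.strip()]
        classes[name.group(1).lower()] = {
            "name": name.group(1),
            "must": attrs,
            "sup": sup.group(1).lower() if sup else None,
        }
    return classes


def required_attributes(classes, object_class):
    """MUST attributes of a class and its SUP chain (unknown classes add nothing)."""
    required, seen = [], set()
    name = object_class.lower()
    while name and name not in seen:
        seen.add(name)
        spec = classes.get(name)
        if spec is None:
            break
        required.extend(a for a in spec["must"] if a not in required)
        name = spec["sup"]
    return required


def missing_attributes(classes, entry):
    """Map each object class of an entry to the MUST attributes the entry lacks."""
    present = {attr.lower() for attr, values in entry.items() if values}
    problems = {}
    for oc in entry.get("objectClass", []):
        missing = sorted(a for a in required_attributes(classes, oc) if a.lower() not in present)
        if missing:
            problems[oc] = missing
    return problems


def classes_breaking_user_add(classes, default_user_classes, populated=USER_ADD_ATTRS):
    """Default user object classes whose MUST attributes user-add would never set."""
    have = {a.lower() for a in populated}
    broken = {}
    for oc in default_user_classes:
        unmet = sorted(a for a in required_attributes(classes, oc) if a.lower() not in have)
        if unmet:
            broken[oc] = unmet
    return broken


if __name__ == "__main__":
    schema = parse_object_classes(SCHEMA_LDIF)
    print("entry problems:", missing_attributes(schema, USER_ENTRY))
    print("unsafe defaults:", classes_breaking_user_add(schema, USER_ENTRY["objectClass"]))
```

Run against a real instance, the schema text would come from the files under /etc/dirsrv/slapd-INSTANCE/schema/ and the default classes from `ipa config-show --all`; any class the second function reports is one that will make every user-add fail in the same way.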


[Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Hello World,

I am having these errors trying to install ipa-client-install. Every other 
machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below 
is the full log.
---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---
Gady

Re: [Freeipa-users] FreeIPA and PWM

2016-04-20 Thread Alexander Bokovoy

On Wed, 20 Apr 2016, Tiemen Ruiten wrote:

Hello,

I'm trying to set up a self-service page for a new IPA domain and I'm
trying to use PWM for that.

When I try to bind to FreeIPA from within PWM, with the configured "LDAP
Proxy User", I get the following error:

error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636':
unable to create connection: unable to bind to ldaps://
polonium.ipa.rdmedia.com:636 as
cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason:
[LDAP: error code 48 - Inappropriate Authentication]

You are trying to bind as a group, not as a user. Group has no
passwords.

You need to have a user object or just a sysaccount to bind to LDAP.
See http://www.freeipa.org/page/HowTo/LDAP#System_Accounts for
sysaccounts.



In /var/log/krb5kdc.log I see:

Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/
protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/
ipa.rdmedia@ipa.rdmedia.com, Additional pre-authentication required
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down
fd 12
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149,
etypes {rep=18 tkt=18 ses=18}, host/
protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/
ipa.rdmedia@ipa.rdmedia.com
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down
fd 12
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149,
etypes {rep=18 tkt=18 ses=18}, host/
protactinium.ipa.rdmedia@ipa.rdmedia.com for ldap/
polonium.ipa.rdmedia@ipa.rdmedia.com
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down
fd 12

Kerberos is completely unrelated here.



What is going on? What can I do to debug this more?


--
Tiemen Ruiten
Systems Engineer
R Media






--
/ Alexander Bokovoy

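Alexander's point above is that a simple bind needs a userPassword on the entry being bound to, and a group under cn=groups has none, hence LDAP error 48. The following is an added example (not FreeIPA or PWM code) that classifies a bind DN by the container it lives in, using the standard FreeIPA tree layout as an assumption, and builds the system-account LDIF in the shape described on the HowTo/LDAP page linked above; the password value is a placeholder.

```python
"""Why binding as a group fails, and what a FreeIPA system account entry looks like.

Added example, not FreeIPA or PWM code. Assumes the standard FreeIPA tree
(cn=users and cn=groups under cn=accounts; system accounts under
cn=sysaccounts,cn=etc). The LDIF follows the HowTo/LDAP system-account shape.
"""


def _rdns(dn):
    """Split a DN into lower-cased RDNs (escaped commas are not handled here)."""
    return [part.strip().lower() for part in dn.split(",")]


def bind_dn_problem(dn):
    """Return None if the DN names an entry that can carry a password, else why not.

    A simple bind compares the supplied password against the entry's
    userPassword. FreeIPA group entries have none, which the server reports as
    'error code 48 - Inappropriate Authentication'.
    """
    container = _rdns(dn)[1:3]
    if container == ["cn=groups", "cn=accounts"]:
        return "DN is a group entry; groups carry no userPassword"
    if container in (["cn=users", "cn=accounts"], ["cn=sysaccounts", "cn=etc"]):
        return None
    return "DN is not under cn=users,cn=accounts or cn=sysaccounts,cn=etc"


def sysaccount_ldif(base_dn, uid, password):
    """LDIF adding a system account under cn=sysaccounts,cn=etc.

    passwordExpirationTime far in the future keeps the global password policy
    from expiring the account; nsIdleTimeout 0 turns off the idle disconnect.
    """
    dn = "uid=%s,cn=sysaccounts,cn=etc,%s" % (uid, base_dn)
    return "\n".join([
        "dn: " + dn,
        "changetype: add",
        "objectclass: account",
        "objectclass: simplesecurityobject",
        "uid: " + uid,
        "userPassword: " + password,
        "passwordExpirationTime: 20380119031407Z",
        "nsIdleTimeout: 0",
        "",
    ])


if __name__ == "__main__":
    # DNs as they appear in the thread; the group DN is the one PWM was configured with.
    for dn in ("cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com",
               "uid=test.user,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com"):
        print(dn, "->", bind_dn_problem(dn) or "bindable")
    # PLACEHOLDER-PASSWORD is a placeholder, not a value to deploy.
    print(sysaccount_ldif("dc=ipa,dc=rdmedia,dc=com", "svcpwmproxy", "PLACEHOLDER-PASSWORD"))
```

The generated LDIF is applied with ldapmodify as Directory Manager (for example `ldapmodify -x -D "cn=Directory Manager" -W -f sysaccount.ldif`); the system account then binds, but as Tiemen finds later in the thread it has no rights over other entries until those are granted separately.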


Re: [Freeipa-users] Warning about session memcached servers from ipa-replica-manage

2016-04-20 Thread Roderick Johnstone

On 20/04/16 14:03, Rob Crittenden wrote:

Roderick Johnstone wrote:

Hi

I'm getting the following warning on RHEL7 ipa servers
(ipa-server-4.2.0-15.el7_2.6.1.x86_64).

$ ipa-replica-manage list
ipa: WARNING: session memcached servers not running
aaa.xxx.yyy: master
bbb.xxx.yyy: master

Can someone advise please on what the session memcached servers are for
and how to get them running, assuming they are worth having.


I think this can be ignored. In order to see if there are servers
running the code needs to read /var/run/ipa_memcached and lack read
permissions. The warning is not particularly helpful.

rob


ok, thanks Rob. I'll ignore it.

Roderick



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Basti



On 20.04.2016 18:00, Gady Notrica wrote:


Hello World,

I am having these errors trying to install ipa-client-install. Every 
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX 
this? Below is the full log.

---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working 
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command 
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---

Gady




Hello,

IMO you have an old invalid keytab on that machine. Can you manually 
remove it and try to reinstall client? (Of course only if you are sure 
that keytab there is not needed)


The keytab should be located here /etc/krb5.keytab

Martin

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky

On 04/20/2016 06:00 PM, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---

Gady



We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'


--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find attached the install log

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:
> Hello World,
>
> I am having these errors trying to install ipa-client-install. Every 
> other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos 
> configuration file while initializing Kerberos 5 library
>
> Then I have "Installation failed. Rolling back changes."
>
> I have tried everything I know with no luck. Any idea on how to FIX 
> this? Below is the full log.
>
> ---
> Continue to configure the system with these values? [no]: yes
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
> Skipping synchronizing time with NTP server.
> User authorized to enroll computers: admin
> Password for ad...@ipa.domain.com:
> Please make sure the following ports are opened in the firewall 
> settings:
>  TCP: 80, 88, 389
>  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working 
> properly after enrollment:
>  TCP: 464
>  UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed: kinit: Improper format of Kerberos 
> configuration file while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command 
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
> exit status 255
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> ---
>
> Gady
>
>
>
We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky

# cat /var/log/ipaclient-install.log
2016-04-20T16:04:34Z DEBUG /usr/sbin/ipa-client-install was invoked with 
options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 
'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': 
None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': 
False, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 
'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': 
'cd-s-prd-db1.ipa.domain.com', 'request_cert': False, 'trust_sshfp': False, 
'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': 
None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': 
True, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': 
None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': 
False, 'preserve_sssd': True, 'mkhomedir': True, 'uninstall': False}
2016-04-20T16:04:34Z DEBUG missing options might be asked for interactively 
later
2016-04-20T16:04:34Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1
2016-04-20T16:04:34Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-04-20T16:04:34Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-04-20T16:04:34Z DEBUG [IPA Discovery]
2016-04-20T16:04:34Z DEBUG Starting IPA discovery with domain=None, 
servers=None, hostname=cd-s-prd-db1.ipa.domain.com
2016-04-20T16:04:34Z DEBUG Start searching for LDAP SRV record in 
"ipa.domain.com" (domain of the hostname) and its sub-domains
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of 
_ldap._tcp.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa1.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa2.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG [Kerberos realm search]
2016-04-20T16:04:34Z DEBUG Search DNS for TXT record of _kerberos.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: "IPA.domain.com"
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of 
_kerberos._udp.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 88 idmipa2.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 88 idmipa1.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG [LDAP server check]
2016-04-20T16:04:34Z DEBUG Verifying that idmipa1.ipa.domain.com 

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky

On 04/20/2016 07:12 PM, Gady Notrica wrote:

Please find attached the install log

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall
settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---

Gady




We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky


It looks like the log is truncated. Are you sure that this is the full 
version?


--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you Martin, I have tried many different ways. I can't seem to be able to 
remove anything in the file.

Gady

From: Martin Basti [mailto:mba...@redhat.com]
Sent: April 20, 2016 12:50 PM
To: Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors


On 20.04.2016 18:00, Gady Notrica wrote:
Hello World,

I am having these errors trying to install ipa-client-install. Every other 
machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below 
is the full log.
---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---
Gady


Hello,

IMO you have an old invalid keytab on that machine. Can you manually remove it 
and try to reinstall client? (Of course only if you are sure that keytab there 
is not needed)

The keytab should be located here /etc/krb5.keytab

Martin

Re: [Freeipa-users] ipa ERROR on user-add after RHEL 7 yum update SOLVED

2016-04-20 Thread Alexander Bokovoy

Hi Daryl,

please always reply to the list.

On Wed, 20 Apr 2016, Daryl Fonseca-Holt wrote:



On 04/20/16 11:10, Alexander Bokovoy wrote:

On Wed, 20 Apr 2016, Daryl Fonseca-Holt wrote:
After doing a yum update on April 14 we are experiencing this 
error on an ipa

user-add:
   ipa: ERROR: missing attribute "nisMapName" required by object class
   "nisMap"
The /var/log/ipaupgrade.log is too large to attach but I didn't 
see any obvious

errors in it.

After the update the versions are:
   ipa-server-4.2.0-15.el7_2.6.1.x86_64
   389-ds-base-1.3.4.0-29
The dirsrv instance log has this error:
   [19/Apr/2016:09:48:44 -0500] - Entry
   "uid=testuser,cn=users,cn=accounts,dc=uofmt1" missing attribute
   "nisMapName" required by object class "nisMap"

Default user object classes do not include nisMap object class. Did you
add that yourself?

Yes, in a misguided attempt to get an NIS map to work. I'll remove it.

That fixed the problem. ipa user-add is working again!



 Default group objectclasses: top, ipaobject, groupofnames, 
ipausergroup, nestedgroup
 Default user objectclasses: ipaobject, person, top, ipasshuser, 
inetorgperson, umanitobaPerson, organizationalperson, 
krbticketpolicyaux, krbprincipalaux, nisMap, inetuser, posixaccount

As I suspected, nisMap is in the default user object classes. Never add
it there :)

Thanks for your expertise! After I removed the nisMap from the user 
object classes the user-add started working again.


--
/ Alexander Bokovoy



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Any specific command in particular to remove that keytab? 

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed
[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
Kerberos context initialization failed
[root@cprddb1 /]#

Gady


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
>
>
> On 20.04.2016 18:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every 
>> other machine is fine and the IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos 
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "Installation failed. Rolling back changes."
>>
>> I have tried everything I know with no luck. Any idea on how to FIX 
>> this? Below is the full log.
>>
>> ---
>> Continue to configure the system with these values? [no]: yes
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>> Skipping synchronizing time with NTP server.
>> User authorized to enroll computers: admin
>> Password for ad...@ipa.domain.com:
>> Please make sure the following ports are opened in the firewall 
>> settings:
>>  TCP: 80, 88, 389
>>  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>> Also note that following ports are necessary for ipa-client working 
>> properly after enrollment:
>>  TCP: 464
>>  UDP: 464, 123 (if NTP enabled)
>> Kerberos authentication failed: kinit: Improper format of Kerberos 
>> configuration file while initializing Kerberos 5 library
>>
>> Installation failed. Rolling back changes.
>> Failed to list certificates in /etc/ipa/nssdb: Command 
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
>> exit status 255
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
>> /etc/sssd/sssd.conf.deleted
>> Restoring client configuration files
>> nscd daemon is not installed, skip configuration
>> nslcd daemon is not installed, skip configuration
>> Client uninstall complete.
>> ---
>>
>> Gady
>>
>>
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually 
> remove it and try to reinstall client? (Of course only if you are sure 
> that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob


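Rob's alternative explanation above, a krb5.conf that is "messed up in some way", is what kinit reports as "Improper format of Kerberos configuration file", and ipa-rmkeytab fails the same way because it initialises a Kerberos context from the same file before it ever opens the keytab. Since the installer's temporary krb5.conf also pulls in an includedir, a malformed file in that directory produces the identical error. The following added example (not part of the FreeIPA client installer or of libkrb5) is a small structural linter for the MIT profile format that follows include and includedir directives and names the file and line at fault; the sample configurations are constructed, and the rule that only include-directory files named with letters, digits, '-' and '_' are read is an assumption about libkrb5 behaviour.

```python
"""Structural linter for krb5.conf (MIT profile format) with includedir support.

Added example, not part of the FreeIPA client installer or libkrb5. GOOD_CONF and
BAD_CONF are constructed samples; the includedir filename rule is an assumption.
"""
import os
import re
import tempfile

# Assumption about libkrb5: files in an includedir are read only if their names
# consist of letters, digits, '-' and '_'; anything else (editor backups, .rpmsave)
# is silently skipped.
INCLUDE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

GOOD_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
 dns_lookup_realm = false
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
"""

# Constructed: a realm block that never closes and a line with no '='.
BAD_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc kerberos.example.com
  admin_server = kerberos.example.com
"""


def lint_krb5_conf(text, source="krb5.conf"):
    """Return [(file, line, message)] for structural errors in krb5.conf text.

    Handles [section] headers, 'key = value' lines, 'key = {' subsections,
    '#' / ';' comments and the include / includedir directives.
    """
    problems = []
    lines = text.splitlines()
    depth = 0             # currently open '{' subsections
    in_section = False
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith(("include ", "includedir ")):
            kind, _, path = line.partition(" ")
            problems.extend(_lint_included(kind, path.strip(), source, lineno))
            continue
        if line.startswith("["):
            if depth:
                problems.append((source, lineno, "section header inside an unclosed '{' block"))
            if not line.rstrip("*").endswith("]"):   # a trailing '*' marks a final section
                problems.append((source, lineno, "malformed section header"))
            in_section, depth = True, 0
            continue
        if line == "}":
            if depth == 0:
                problems.append((source, lineno, "unmatched '}'"))
            else:
                depth -= 1
            continue
        if not in_section:
            problems.append((source, lineno, "directive outside any [section]"))
            continue
        key, eq, value = line.partition("=")
        if not eq or not key.strip():
            problems.append((source, lineno, "expected 'key = value'"))
            continue
        if value.strip() == "{":
            depth += 1
    if depth:
        problems.append((source, len(lines), "unclosed '{' block at end of file"))
    return problems


def _lint_included(kind, path, source, lineno):
    """Lint the target of an include/includedir directive; a missing target is an error."""
    if kind == "includedir":
        if not os.path.isdir(path):
            return [(source, lineno, "includedir target %r is not a directory" % path)]
        found = []
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            if INCLUDE_NAME_RE.match(name) and os.path.isfile(full):
                with open(full) as fh:
                    found.extend(lint_krb5_conf(fh.read(), source=full))
        return found
    if not os.path.isfile(path):
        return [(source, lineno, "include target %r is not a file" % path)]
    with open(path) as fh:
        return lint_krb5_conf(fh.read(), source=path)


def demo():
    """Lint a constructed main file plus an includedir holding one good snippet,
    one broken snippet and one file whose name makes it ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        incdir = os.path.join(tmp, "krb5.include.d")
        os.mkdir(incdir)
        files = {
            "domain_realm_example": "[domain_realm]\n example.com = EXAMPLE.COM\n",
            "unclosed_realm": "[realms]\n OTHER.COM = {\n  kdc = kdc.other.com\n",
            "stale.bak": "not a config at all",   # skipped by the filename rule
        }
        for name, body in files.items():
            with open(os.path.join(incdir, name), "w") as fh:
                fh.write(body)
        return lint_krb5_conf("includedir %s\n%s" % (incdir, GOOD_CONF))


if __name__ == "__main__":
    for problem in lint_krb5_conf(BAD_CONF) + demo():
        print("%s:%d: %s" % problem)
```

Pointed at a real host it would be run over /etc/krb5.conf (and, for the enrollment case, over the temporary file the installer writes), which locates the offending line faster than re-running the installer; the linter only checks structure, so a file that passes can still name a wrong realm or KDC.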


Re: [Freeipa-users] FreeIPA and PWM

2016-04-20 Thread Tiemen Ruiten
Thanks Alexander, that got my past that error.

I created the sysaccount and I can bind successfully, but in accordance
with the documentation, it doesn't have rights to modify other users:

Unexpected error while testing ldap test user LDAP ⇨ LDAP Directories ⇨
default ⇨ LDAP Test User, error: javax.naming.NoPermissionException: [LDAP:
error code 50 - Insufficient 'write' privilege to the 'userPassword'
attribute of entry
'uid=test.user,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com'. ]

This LDAP Proxy User will try to do the following things to the LDAP Test
User:

"The following functionality (if enabled) will be tested using the test
user account.

Authentication
Password policy reading
Set password
Set challenge/responses
Load challenge/responses"

What is best practice here, should I grant more privileges to the
sysaccount (how?), or should I create a 'regular' user in the UI/through
the ipa cli and grant the necessary roles there?


On 20 April 2016 at 17:39, Alexander Bokovoy  wrote:

> On Wed, 20 Apr 2016, Tiemen Ruiten wrote:
>
>> Hello,
>>
>> I'm trying to set up a self-service page for a new IPA domain and I'm
>> trying to use PWM for that.
>>
>> When I try to bind to FreeIPA from within PWM, with the configured "LDAP
>> Proxy User", I get the following error:
>>
>> error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636':
>> unable to create connection: unable to bind to ldaps://
>> polonium.ipa.rdmedia.com:636 as
>> cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason:
>> [LDAP: error code 48 - Inappropriate Authentication]
>>
> You are trying to bind as a group, not as a user. Groups have no
> passwords.
>
> You need to have a user object or just a sysaccount to bind to LDAP.
> See http://www.freeipa.org/page/HowTo/LDAP#System_Accounts for
> sysaccounts.
>
>
>> In /var/log/krb5kdc.log I see:
>>
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/ipa.rdmedia@ipa.rdmedia.com, Additional pre-authentication required
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/ipa.rdmedia@ipa.rdmedia.com
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia@ipa.rdmedia.com for ldap/polonium.ipa.rdmedia@ipa.rdmedia.com
>> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
>>
> Kerberos is completely unrelated here.
>
>
>
>> What is going on? What can I do to debug this more?
>>
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R Media
>>
>
>
>
> --
> / Alexander Bokovoy
>



-- 
Tiemen Ruiten
Systems Engineer
R Media

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden

Martin Basti wrote:



On 20.04.2016 18:00, Gady Notrica wrote:


Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have “Installation failed. Rolling back changes.”

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

Continue to configure the system with these values? [no]: yes

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Skipping synchronizing time with NTP server.

User authorized to enroll computers: admin

Password for ad...@ipa.domain.com:

Please make sure the following ports are opened in the firewall
settings:

TCP: 80, 88, 389

UDP: 88 (at least one of TCP/UDP ports 88 has to be open)

Also note that following ports are necessary for ipa-client working
properly after enrollment:

TCP: 464

UDP: 464, 123 (if NTP enabled)

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
exit status 255

Disabling client Kerberos and LDAP configurations

Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Restoring client configuration files

nscd daemon is not installed, skip configuration

nslcd daemon is not installed, skip configuration

Client uninstall complete.

---

Gady




Hello,

IMO you have an old invalid keytab on that machine. Can you manually
remove it and try to reinstall the client? (Of course only if you are sure
that the keytab there is not needed)

The keytab should be located here: /etc/krb5.keytab


That or /etc/krb5.conf is messed up in some way.

rob



Re: [Freeipa-users] Servers intermittently losing connection to IPA

2016-04-20 Thread Jeff Hallyburton
Sumit,

Raised the debug level to 10 and let it run for about 24 hours.  Uploading
the last ~2000 lines of the sssd_domain.com.log.  Thanks for your help!

https://pastebin.com/MD6N1Dj7

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: supp...@bloomip.com
Billing Support: bill...@bloomip.com
Customer Support Portal:  https://my.bloomip.com 

On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
jeff.hallybur...@bloomip.com> wrote:

> Sumit,
>
> Raised the debug level to 10 and let it run for about 24 hours.  Uploading
> the full sssd_domain.com.log.  Thanks for your help!
>
> Jeff
>
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
>
> Engineering Support: supp...@bloomip.com
> Billing Support: bill...@bloomip.com
> Customer Support Portal:  https://my.bloomip.com 
>
> On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose  wrote:
>
>> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
>> > After setting debug_level=8, this is what I see in the sssd_domain_log:
>>
>> Unfortunately the domain log and the krb5_child log do not relate to
>> each other.
>>
>> >
>> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]]
>> [child_handler_setup]
>> > (0x2000): Setting up signal handler up for pid [32382]
>> >
>>
>> 
>>
>> >
>> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731 [k5c_setup_fast]
>> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
>> > jump02.west-2.production.example@example.com]
>> >
>>
>> ...
>>
>> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731
>> [get_and_save_tgt]
>> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
>> > pre-auth.
>> >
>> >
>> > Can you shed any light on this?
>> >
>>
>> In the domain log the child with the pid 32382 is started to run a
>> pre-authentication request. The request is needed to find out which
>> authentication types are available for the user, e.g. password or
>> 2-factor authentication with the OTP token. The request in the child
>> with the PID 32731 looks like a real authentication request which returns
>> with an error code -1765328324 which just means 'Generic error' but
>> might have caused SSSD to go offline.
>>
>> I would like to ask you to run the test again with debug_level=10 in the
>> [domain/...] section of sssd.conf which would enable some low level
>> Kerberos tracing messages which might help to understand what kind of
>> 'Generic error' was hit here. Additionally I would like to ask you to send
>> the full log files as attachments or in an archive which would help me to
>> better navigate through them.
>>
>> bye,
>> Sumit
>>
>
>
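Sumit's two observations above, that the domain-log child (PID 32382) and the krb5_child lines (PID 32731) belong to different requests, and that -1765328324 is libkrb5's generic error, can both be checked mechanically rather than by eye. The script below is an added example, not SSSD's own tooling: it parses SSSD's log-line layout, pairs krb5_child PIDs with the "Setting up signal handler up for pid [...]" lines of the domain log, and turns the com_err value krb5_child reports into its Kerberos protocol code by subtracting the libkrb5 error-table base (-1765328384, which is KRB5KDC_ERR_NONE). The log lines are constructed after the ones quoted in this thread with an example.com hostname; the name table is a small subset of krb5_err.et, and all function names are the example's own.

```python
"""Correlate SSSD's domain log with its krb5_child log and decode the
com_err values krb5_child reports.

Added example, not SSSD tooling.  Sample lines are constructed after the
ones quoted on the thread; the error table is a subset of krb5_err.et.
"""
import re
from collections import defaultdict

KRB5_ERR_BASE = -1765328384   # KRB5KDC_ERR_NONE: base of libkrb5's com_err table
KRB5_NAMES = {                # protocol code -> symbolic name (subset)
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB5KRB_AP_ERR_SKEW",
    60: "KRB5KRB_ERR_GENERIC",
}

# (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
# (timestamp) [[sssd[krb5_child[pid]]]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[+sssd\[(?P<comp>be|krb5_child)\[(?P<id>[^\]]+)\]+ "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
SPAWN_RE = re.compile(r"Setting up signal handler up for pid \[(\d+)\]")
RETURNED_RE = re.compile(r"returned \[(-?\d+)[\]}]")   # tolerates the '}' typo seen in the quote


def decode_krb5_error(code):
    """Map a com_err value such as -1765328324 to (protocol code, name)."""
    offset = code - KRB5_ERR_BASE
    if not 0 <= offset < 256:
        return None, "not a libkrb5 protocol error code"
    return offset, KRB5_NAMES.get(offset, f"krb5 protocol error {offset}")


def parse_line(line):
    """Split one SSSD debug line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(domain_log, child_log):
    """Return {pid: {"started_by_domain": bool, "errors": [(code, name), ...]}}.

    A krb5_child PID the domain log never spawned (or the reverse) means the
    two excerpts come from different requests; check that before reading
    error codes into them.
    """
    spawned = set()
    for rec in filter(None, map(parse_line, domain_log.splitlines())):
        m = SPAWN_RE.search(rec["msg"])
        if rec["comp"] == "be" and m:
            spawned.add(m.group(1))
    report = defaultdict(lambda: {"started_by_domain": False, "errors": []})
    for rec in filter(None, map(parse_line, child_log.splitlines())):
        if rec["comp"] != "krb5_child":
            continue
        entry = report[rec["id"]]
        m = RETURNED_RE.search(rec["msg"])
        if m and int(m.group(1)) != 0:
            entry["errors"].append(decode_krb5_error(int(m.group(1))))
    for pid in spawned:
        report[pid]["started_by_domain"] = True
    return dict(report)


# Constructed excerpts: the domain log spawns child 32382, while the
# krb5_child lines that carry the error belong to child 32731.
DOMAIN_LOG = """\
(Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32382]
(Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] [child_sig_handler] (0x1000): Waiting for child [32382].
"""
CHILD_LOG = """\
(Fri Apr 15 20:10:46 2016) [[sssd[krb5_child[32382]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/jump02.west-2.production.example.com@EXAMPLE.COM]
(Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/jump02.west-2.production.example.com@EXAMPLE.COM]
(Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328324} during pre-auth.
"""

if __name__ == "__main__":
    for pid, info in sorted(correlate(DOMAIN_LOG, CHILD_LOG).items()):
        print(pid, "spawned in domain log:", info["started_by_domain"], "errors:", info["errors"])
```

Run against the real files, feed the whole sssd_domain.log and krb5_child.log contents to correlate(); a PID that shows up with errors but without started_by_domain is exactly the mismatch Sumit points at, and the decoded name tells you whether the KDC rejected the request (PREAUTH_FAILED, SKEW, KEY_EXP) or, as here with KRB5KRB_ERR_GENERIC, the detail only exists in the e-text that debug_level=10 exposes.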

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Natxo Asenjo
hi Gady,

On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica  wrote:

> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
> /etc/krb5.keytab
> Kerberos context initialization failed


I think that you just need to rm /etc/krb5.keytab and remove the host
object in the web interface if it exists.

-- 
groet,
natxo
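Rob's second candidate in this thread, a krb5.conf that libkrb5 cannot parse, would explain both symptoms at once: kinit's "Improper format of Kerberos configuration file while initializing Kerberos 5 library" and ipa-rmkeytab's "Kerberos context initialization failed" are the same failure, krb5_init_context giving up before either tool ever touches the keytab, which is also why rm is the only way to get rid of it while the config is broken. The checker below is an added example, not FreeIPA or SSSD code. It walks the profile format libkrb5 expects, follows include and includedir (on an IPA client SSSD writes its snippets into /var/lib/sss/pubconf/krb5.include.d/, and ipa-client-install's enrollment-time krb5.conf pulls that directory in as well), and lists what would stop the file from loading. The MemFS/RealFS helpers, the function names and the sample file tree are the example's own; the includedir file-name rule is MIT's documented one as I read it.

```python
"""Structural check of an MIT krb5.conf and everything it includes.

Added example, not FreeIPA or SSSD code.  The profile format libkrb5
reads: [section] headers, `tag = value`, `tag = {` ... `}` blocks,
`#`/`;` comments, `include FILE` and `includedir DIR` (absolute paths).
"""
import os
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]\*?$")              # [realms] or [realms]*
RELATION_RE = re.compile(r"^([^=]+?)\s*=\s*(.*?)\s*\*?$")  # tag = value / tag = {
# includedir reads only these names and skips the rest silently (assumed from
# MIT's documentation; the .conf suffix is accepted by newer releases)
INCLUDE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")


class MemFS:                         # constructed in-memory tree, runs offline
    def __init__(self, files): self.files = dict(files)
    def is_file(self, p): return p in self.files
    def is_dir(self, p): return any(k.startswith(p.rstrip("/") + "/") for k in self.files)
    def read(self, p): return self.files[p]
    def listdir(self, p):
        d = p.rstrip("/") + "/"
        return sorted(k[len(d):] for k in self.files if k.startswith(d) and "/" not in k[len(d):])


class RealFS:                        # same interface over the live filesystem
    is_file, is_dir = staticmethod(os.path.isfile), staticmethod(os.path.isdir)
    listdir = staticmethod(lambda p: sorted(os.listdir(p)))
    read = staticmethod(lambda p: open(p, encoding="utf-8", errors="replace").read())


def check_krb5_conf(path, fs=None, _seen=None):
    """Return 'path:line: problem' strings; an empty list means the tree parses."""
    fs = fs or RealFS()
    seen = set() if _seen is None else _seen
    if path in seen:                                   # include loop guard
        return []
    seen.add(path)
    if not fs.is_file(path):
        return [f"{path}: file does not exist"]
    problems, depth, section = [], 0, None             # depth = open '{' blocks
    for lineno, raw in enumerate(fs.read(path).splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        where, parts = f"{path}:{lineno}", line.split(None, 1)
        if parts[0] in ("include", "includedir"):
            target = parts[1].strip() if len(parts) > 1 else ""
            if not target.startswith("/"):
                problems.append(f"{where}: {parts[0]} path must be absolute: {target!r}")
            elif parts[0] == "include":
                problems += check_krb5_conf(target, fs, seen)
            elif not fs.is_dir(target):
                problems.append(f"{where}: includedir target does not exist: {target}")
            else:
                for name in fs.listdir(target):        # each file is parsed afresh
                    if INCLUDE_NAME_RE.match(name):
                        problems += check_krb5_conf(os.path.join(target, name), fs, seen)
                    else:
                        problems.append(f"{where}: {name!r} in {target} is not read by libkrb5 (name must be [A-Za-z0-9_-] or end in .conf)")
            continue
        m = SECTION_RE.match(line)
        if m:
            if depth:
                problems.append(f"{where}: section header inside an open '{{' block")
                depth = 0
            section = m.group(1)
        elif section is None:
            problems.append(f"{where}: statement before any [section] header: {line!r}")
        elif line.rstrip("*") == "}":
            if depth == 0:
                problems.append(f"{where}: unmatched '}}'")
            depth = max(depth - 1, 0)
        elif (m := RELATION_RE.match(line)) is None:
            problems.append(f"{where}: expected 'tag = value', got {line!r}")
        elif m.group(2) == "{":
            depth += 1
    if depth:
        problems.append(f"{path}: end of file with {depth} unclosed '{{' block(s)")
    return problems


# Constructed sample: an enrolled client's krb5.conf plus the snippets SSSD
# drops into its includedir, then a broken variant of both.
INC = "/var/lib/sss/pubconf/krb5.include.d/"
GOOD_FS = MemFS({
    "/etc/krb5.conf": "includedir " + INC + "\n\n[libdefaults]\n default_realm = IPA.EXAMPLE.COM\n"
    " dns_lookup_realm = false\n rdns = false\n default_ccache_name = KEYRING:persistent:%{uid}\n\n"
    "[realms]\n IPA.EXAMPLE.COM = {\n  kdc = ipa1.ipa.example.com:88\n"
    "  admin_server = ipa1.ipa.example.com:749\n }\n\n[domain_realm]\n .ipa.example.com = IPA.EXAMPLE.COM\n",
    INC + "domain_realm_ipa_example_com": "[domain_realm]\n.ipa.example.com = IPA.EXAMPLE.COM\n",
    INC + "localauth_plugin": "[plugins]\n localauth = {\n  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so\n }\n",
})
BAD_FS = MemFS({
    "/etc/krb5.conf": "includedir " + INC + "\n[libdefaults]\n default_realm IPA.EXAMPLE.COM\n"
    "[realms]\n IPA.EXAMPLE.COM = {\n  kdc = ipa1.ipa.example.com:88\n",   # '=' missing, '{' unclosed
    INC + "README.txt": "[libdefaults]\n",                                  # name libkrb5 will not read
    INC + "domain_realm_ipa_example_com": ".ipa.example.com = IPA.EXAMPLE.COM\n",  # no [section]
})

if __name__ == "__main__":
    for label, fs in (("good", GOOD_FS), ("bad", BAD_FS)):
        print(label, check_krb5_conf("/etc/krb5.conf", fs) or ["ok"])
```

On a live client, check_krb5_conf("/etc/krb5.conf") with the default RealFS covers the on-disk file and the SSSD include directory. A clean result after ipa-client-install has rolled back does not by itself clear Rob's diagnosis, since the installer runs its enrollment kinit against a temporary krb5.conf of its own; what the two share is the include directory, so a malformed or stale snippet there breaks both.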

[Freeipa-users] (no subject)

2016-04-20 Thread Anthony Cheng
Hi list,

This is a recurring subject: the dreaded expired certificate.

I am following the renewal procedure here
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and testing on a
clone VM and I am able to get to the step where the serial number is being
replaced:

ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password

However, the database was hosted on another machine so dirsrv/slapd is not
running.

So is there any way to renew the certificate in this situation other
than setting up and mounting that database as well?

Anthony


-- 

Thanks, Anthony

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you guys for your help.

Still can't enroll the client. Any suggestion on the errors below?

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil'
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255

Disabling client Kerberos and LDAP configurations

Gady Notrica

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Any specific command in particular to remove that keytab?

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed

[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
Kerberos context initialization failed

[root@cprddb1 /]#

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
>
>
> On 20.04.2016 18:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every
>> other machine is fine and the IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "Installation failed. Rolling back changes."
>>
>> I have tried everything I know with no luck. Any idea on how to FIX
>> this? Below is the full log.
>>
>> ---
>>
>> Continue to configure the system with these values? [no]: yes
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Skipping synchronizing time with NTP server.
>>
>> User authorized to enroll computers: admin
>>
>> Password for ad...@ipa.domain.com:
>>
>> Please make sure the following ports are opened in the firewall
>> settings:
>>
>> TCP: 80, 88, 389
>>
>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>
>> Also note that following ports are necessary for ipa-client working
>> properly after enrollment:
>>
>> TCP: 464
>>
>> UDP: 464, 123 (if NTP enabled)
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Installation failed. Rolling back changes.
>>
>> Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255
>>
>> Disabling client Kerberos and LDAP configurations
>>
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>>
>> Restoring client configuration files
>>
>> nscd daemon is not installed, skip configuration
>>
>> nslcd daemon is not installed, skip configuration
>>
>> Client uninstall complete.
>>
>> ---
>>
>> Gady
>>
>>
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually
> remove it and try to reinstall the client? (Of course only if you are sure
> that the keytab there is not needed)
>
> The keytab should be located here: /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob