Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Alan Latteri wrote:
> Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is
> the version provided.
> Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is
> out of our control.

Either way it's a bug somewhere in ipa-client, it should require a minimum
version of krb5-libs which provides this file (or explicitly check for
existence of this directory).

I opened a ticket on it, https://fedorahosted.org/freeipa/ticket/6589

rob

>
> Alan
>
>> On Jan 3, 2017, at 8:33 PM, Rob Crittenden wrote:
>>
>> Alan Latteri wrote:
>>> Further investigation.
>>>
>>> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is
>>> missing, and therefore initial setup will fail unless manual creation of
>>> /etc/krb5.conf.d/
>>> Maybe the install script for the client can be updated to check for and
>>> create?
>>
>> Is there a reason you're running 7.3 packages on a 7.2 system? I suspect
>> that is the problem. AFAIU in 7.3 this directory is provided by krb5-libs.
>>
>> Is there some feature you need in the 4.4 client installer on 7.2?
>>
>> rob
>>
>>>
>>> Thanks,
>>> Alan
>>>
>>>> On Jan 3, 2017, at 1:44 PM, Alan Latteri wrote:
>>>>
>>>> Thanks Rob.
>>>>
>>>> /etc/krb5.conf.d/ was in fact missing from the client, which is still on
>>>> CentOS 7.2 for reasons out of our control.
>>>> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have
>>>> the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4
>>>> client requires that dir but is not making it on upgrade and the cause of
>>>> the failure?
>>>>
>>>> Alan
>>>>
>>>>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden wrote:
>>>>>
>>>>> Alan Latteri wrote:
>>>>>> Log is attached.
>>>>>
>>>>> Look and see if /etc/krb5.conf.d/ and
>>>>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>>>>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>>>>> filesystem perms are an issue but who knows.
>>>>>
>>>>> You can also brute force things using strace -f to find out exactly what
>>>>> can't be read.
>>>>>
>>>>> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
On (03/01/17 20:35), Alan Latteri wrote:
>Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is
>the version provided.
>Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is
>out of our control.
>

You will install el7.3 on CentOS 7.2 by default.
If you want to stay on 7.2 you need to change repositories

sh# yum install --setopt=debuglevel=1 --assumeno sssd-client
Ignored option -q, -v, -d or -e (probably due to merging: -yq != -y -q)
 Package              Arch      Version               Repository    Size
Installing:
 sssd-client          x86_64    1.14.0-43.el7_3.4     updates      171 k
Installing for dependencies:
 libsss_idmap         x86_64    1.14.0-43.el7_3.4     updates      118 k
 libsss_nss_idmap     x86_64    1.14.0-43.el7_3.4     updates      116 k

Transaction Summary
Install  1 Package (+2 Dependent packages)

sh# yum-config-manager --disable base extras updates
sh# yum-config-manager --enable "C7.2.1511*"
sh# yum repolist
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
repo id                        repo name                        status
C7.2.1511-base/x86_64          CentOS-7.2.1511 - Base           9007
C7.2.1511-centosplus/x86_64    CentOS-7.2.1511 - CentOSPlus      134
C7.2.1511-extras/x86_64        CentOS-7.2.1511 - Extras          393
C7.2.1511-fasttrack/x86_64     CentOS-7.2.1511 - CentOSPlus        0
C7.2.1511-updates/x86_64       CentOS-7.2.1511 - Updates        2560

sh# yum install --setopt=debuglevel=1 --assumeno sssd-client
 Package              Arch      Version                Repository           Size
Installing:
 sssd-client          x86_64    1.13.0-40.el7_2.12     C7.2.1511-updates   158 k
Installing for dependencies:
 libsss_idmap         x86_64    1.13.0-40.el7_2.12     C7.2.1511-updates   104 k
 libsss_nss_idmap     x86_64    1.13.0-40.el7_2.12     C7.2.1511-updates   103 k

Transaction Summary
Install  1 Package (+2 Dependent packages)

LS

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is
the version provided.
Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is
out of our control.

Alan

> On Jan 3, 2017, at 8:33 PM, Rob Crittenden wrote:
>
> Alan Latteri wrote:
>> Further investigation.
>>
>> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is
>> missing, and therefore initial setup will fail unless manual creation of
>> /etc/krb5.conf.d/
>> Maybe the install script for the client can be updated to check for and
>> create?
>
> Is there a reason you're running 7.3 packages on a 7.2 system? I suspect
> that is the problem. AFAIU in 7.3 this directory is provided by krb5-libs.
>
> Is there some feature you need in the 4.4 client installer on 7.2?
>
> rob
>
>>
>> Thanks,
>> Alan
>>
>>> On Jan 3, 2017, at 1:44 PM, Alan Latteri wrote:
>>>
>>> Thanks Rob.
>>>
>>> /etc/krb5.conf.d/ was in fact missing from the client, which is still on
>>> CentOS 7.2 for reasons out of our control.
>>> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have
>>> the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4
>>> client requires that dir but is not making it on upgrade and the cause of
>>> the failure?
>>>
>>> Alan
>>>
>>>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden wrote:
>>>>
>>>> Alan Latteri wrote:
>>>>> Log is attached.
>>>>
>>>> Look and see if /etc/krb5.conf.d/ and
>>>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>>>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>>>> filesystem perms are an issue but who knows.
>>>>
>>>> You can also brute force things using strace -f to find out exactly what
>>>> can't be read.
>>>>
>>>> rob

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Further investigation.

On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is
missing, and therefore initial setup will fail unless manual creation of
/etc/krb5.conf.d/
Maybe the install script for the client can be updated to check for and
create?

Thanks,
Alan

> On Jan 3, 2017, at 1:44 PM, Alan Latteri wrote:
>
> Thanks Rob.
>
> /etc/krb5.conf.d/ was in fact missing from the client, which is still on
> CentOS 7.2 for reasons out of our control.
> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the
> /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client
> requires that dir but is not making it on upgrade and the cause of the
> failure?
>
> Alan
>
>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden wrote:
>>
>> Alan Latteri wrote:
>>> Log is attached.
>>
>> Look and see if /etc/krb5.conf.d/ and
>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>> filesystem perms are an issue but who knows.
>>
>> You can also brute force things using strace -f to find out exactly what
>> can't be read.
>>
>> rob

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Thanks Rob.

/etc/krb5.conf.d/ was in fact missing from the client, which is still on
CentOS 7.2 for reasons out of our control.
Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the
/etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client
requires that dir but is not making it on upgrade and the cause of the
failure?

Alan

> On Jan 3, 2017, at 1:25 PM, Rob Crittenden wrote:
>
> Alan Latteri wrote:
>> Log is attached.
>
> Look and see if /etc/krb5.conf.d/ and
> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
> filesystem perms are an issue but who knows.
>
> You can also brute force things using strace -f to find out exactly what
> can't be read.
>
> rob

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Alan Latteri wrote:
> Log is attached.

Look and see if /etc/krb5.conf.d/ and
/var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
filesystem perms are an issue but who knows.

You can also brute force things using strace -f to find out exactly what
can't be read.

rob

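The existence and readability check suggested in the message above, as an added example that is not part of the original thread or of the FreeIPA installer. It reads the `includedir` directives from a krb5.conf and reports which target directories the Kerberos library would fail to open; the function name `check_krb5_includedirs` and the demo layout are assumptions made for illustration.

```shell
#!/bin/sh
# check_krb5_includedirs CONF
# Prints "ok DIR", "missing DIR" or "unreadable DIR" for every includedir
# directive in CONF. Returns 0 when all are usable, 1 when any is not,
# 2 when CONF itself cannot be read.
check_krb5_includedirs() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable $conf"; return 2; }
    # The directive starts the line: "includedir /some/dir"
    dirs=$(awk '/^includedir[ \t]+/ {
        sub(/^includedir[ \t]+/, ""); sub(/[ \t\r]+$/, ""); print }' "$conf")
    rc=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "missing $dir"; rc=1
        elif [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
            echo "unreadable $dir"; rc=1
        else
            echo "ok $dir"
        fi
    done <<EOF
$dirs
EOF
    return $rc
}

# Demo on a constructed layout (not a real host): one directory present,
# one absent, mirroring the two paths named in the thread.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/var/lib/sss/pubconf/krb5.include.d"
cat > "$demo_root/krb5.conf" <<EOF
includedir $demo_root/etc/krb5.conf.d/
includedir $demo_root/var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.TEST
EOF
check_krb5_includedirs "$demo_root/krb5.conf" ||
    echo "fix the paths above before running kinit"
rm -rf "$demo_root"
```

On a real client the argument would be /etc/krb5.conf. SELinux denials do not show up in this check and still have to be looked for in the audit log.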
Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
On 01/02/2017 11:22 PM, Alan Latteri wrote:
> I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded
> freeipa to 4.4. On some clients they failed to re-authenticate post
> upgrade. I then did an ipa-client-install --uninstall, and then tried
> re-joining to IPA server with ipa-client-install --mkhomedir --force-ntpd
> --force-join. Now I am getting the below error, and I have no idea how to
> recover. Firewall is disabled.
>
> Thanks,
> Alan
>
> User authorized to enroll computers: admin
> Password for admin@XXX.LOCAL:
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed: kinit: Included profile directory could
> not be read while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> [root@troll ~]# systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
>    vendor preset: enabled)
>    Active: inactive (dead)
>
> Installed Packages
> ipa-client.x86_64           4.4.0-14.el7.centos    @updates
> ipa-client-common.noarch    4.4.0-14.el7.centos    @updates
> ipa-common.noarch           4.4.0-14.el7.centos    @updates

Hi Alan,

it would be nice if you could post the client install log
(/var/log/ipaclient-install.log). It is hard to tell what happens without
seeing it.

--
Martin^3 Babinsky