Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-04 Thread Rob Crittenden
Alan Latteri wrote:
> Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is 
> the version provided.
> Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is 
> out of our control.

Either way it's a bug somewhere in ipa-client, it should require a
minimum version of krb5-libs which provides this file (or explicitly
check for existence of this directory). I opened a ticket on it,
https://fedorahosted.org/freeipa/ticket/6589

rob

> 
> Alan
> 
>> On Jan 3, 2017, at 8:33 PM, Rob Crittenden  wrote:
>>
>> Alan Latteri wrote:
>>> Further investigation.
>>>
>>> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is 
>>> missing, and therefore initial setup will fail unless manual creation of 
>>> /etc/krb5.conf.d/
>>> Maybe the install script for the client can be updated to check for and 
>>> create?
>>
>> Is there a reason you're running 7.3 packages on a 7.2 system? I suspect
>> that is the problem. AFAIU in 7.3 this directory is provided by krb5-libs.
>>
>> Is there some feature you need in the 4.4 client installer on 7.2?
>>
>> rob
>>
>>>
>>> Thanks,
>>> Alan
>>>
>>>> On Jan 3, 2017, at 1:44 PM, Alan Latteri wrote:
>>>>
>>>> Thanks Rob.
>>>>
>>>> /etc/krb5.conf.d/  was in fact missing from the client, which is still on 
>>>> CentOS 7.2 for reasons out of our control.
>>>> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have 
>>>> the /etc/krb5.conf.d/ directory, but are running fine.  So maybe the 4.4 
>>>> client requires that dir but is not making it on upgrade and the cause of 
>>>> the failure?
>>>>
>>>> Alan
>>>>
>>>>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden  wrote:
>>>>>
>>>>> Alan Latteri wrote:
>>>>>> Log is attached.
>>>>>
>>>>> Look and see if /etc/krb5.conf.d/ and
>>>>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>>>>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>>>>> filesystem perms are an issue but who knows.
>>>>>
>>>>> You can also brute force things using strace -f to find out exactly what
>>>>> can't be read.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>>
>>>> -- 
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>
> 



Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-04 Thread Lukas Slebodnik
On (03/01/17 20:35), Alan Latteri wrote:
>Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is 
>the version provided.
>Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is 
>out of our control.
>
You will install el7.3 on CentOS 7.2 by default.
If you want to stay on 7.2 you need to change repositories

sh# yum install --setopt=debuglevel=1 --assumeno sssd-client
Ignored option -q, -v, -d or -e (probably due to merging: -yq != -y -q)


 Package            Arch     Version             Repository   Size

Installing:
 sssd-client        x86_64   1.14.0-43.el7_3.4   updates      171 k
Installing for dependencies:
 libsss_idmap       x86_64   1.14.0-43.el7_3.4   updates      118 k
 libsss_nss_idmap   x86_64   1.14.0-43.el7_3.4   updates      116 k

Transaction Summary

Install  1 Package (+2 Dependent packages)

sh# yum-config-manager --disable base extras updates
sh# yum-config-manager --enable "C7.2.1511*"
sh# yum repolist
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
repo id                       repo name                      status
C7.2.1511-base/x86_64         CentOS-7.2.1511 - Base         9007
C7.2.1511-centosplus/x86_64   CentOS-7.2.1511 - CentOSPlus   134
C7.2.1511-extras/x86_64       CentOS-7.2.1511 - Extras       393
C7.2.1511-fasttrack/x86_64    CentOS-7.2.1511 - CentOSPlus   0
C7.2.1511-updates/x86_64      CentOS-7.2.1511 - Updates      2560


sh# yum install --setopt=debuglevel=1 --assumeno sssd-client


 Package            Arch     Version               Repository          Size

Installing:
 sssd-client        x86_64   1.13.0-40.el7_2.12    C7.2.1511-updates   158 k
Installing for dependencies:
 libsss_idmap       x86_64   1.13.0-40.el7_2.12    C7.2.1511-updates   104 k
 libsss_nss_idmap   x86_64   1.13.0-40.el7_2.12    C7.2.1511-updates   103 k

Transaction Summary

Install  1 Package (+2 Dependent packages)


LS



Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Alan Latteri
Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is 
the version provided.
Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is 
out of our control.

Alan

> On Jan 3, 2017, at 8:33 PM, Rob Crittenden  wrote:
> 
> Alan Latteri wrote:
>> Further investigation.
>> 
>> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is 
>> missing, and therefore initial setup will fail unless manual creation of 
>> /etc/krb5.conf.d/
>> Maybe the install script for the client can be updated to check for and 
>> create?
> 
> Is there a reason you're running 7.3 packages on a 7.2 system? I suspect
> that is the problem. AFAIU in 7.3 this directory is provided by krb5-libs.
> 
> Is there some feature you need in the 4.4 client installer on 7.2?
> 
> rob
> 
>> 
>> Thanks,
>> Alan
>> 
>>> On Jan 3, 2017, at 1:44 PM, Alan Latteri  
>>> wrote:
>>> 
>>> Thanks Rob.
>>> 
>>> /etc/krb5.conf.d/  was in fact missing from the client, which is still on 
>>> CentOS 7.2 for reasons out of our control.
>>> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have 
>>> the /etc/krb5.conf.d/ directory, but are running fine.  So maybe the 4.4 
>>> client requires that dir but is not making it on upgrade and the cause of 
>>> the failure?
>>> 
>>> Alan
>>> 
>>>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden  wrote:
>>>>
>>>> Alan Latteri wrote:
>>>>> Log is attached.
>>>>
>>>> Look and see if /etc/krb5.conf.d/ and
>>>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>>>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>>>> filesystem perms are an issue but who knows.
>>>>
>>>> You can also brute force things using strace -f to find out exactly what
>>>> can't be read.
>>>>
>>>> rob
>>>>
>>> 
>>> 
>> 
> 




Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Alan Latteri
Further investigation.

On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is 
missing, and therefore initial setup will fail unless manual creation of 
/etc/krb5.conf.d/
Maybe the install script for the client can be updated to check for and create?

Thanks,
Alan

> On Jan 3, 2017, at 1:44 PM, Alan Latteri  wrote:
> 
> Thanks Rob.
> 
> /etc/krb5.conf.d/  was in fact missing from the client, which is still on 
> CentOS 7.2 for reasons out of our control.
> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the 
> /etc/krb5.conf.d/ directory, but are running fine.  So maybe the 4.4 client 
> requires that dir but is not making it on upgrade and the cause of the 
> failure?
> 
> Alan
> 
>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden  wrote:
>> 
>> Alan Latteri wrote:
>>> Log is attached.
>> 
>> Look and see if /etc/krb5.conf.d/ and
>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>> filesystem perms are an issue but who knows.
>> 
>> You can also brute force things using strace -f to find out exactly what
>> can't be read.
>> 
>> rob
>> 
> 
> 




Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Alan Latteri
Thanks Rob.

/etc/krb5.conf.d/  was in fact missing from the client, which is still on 
CentOS 7.2 for reasons out of our control.
Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the 
/etc/krb5.conf.d/ directory, but are running fine.  So maybe the 4.4 client 
requires that dir but is not making it on upgrade and the cause of the failure?

Alan

> On Jan 3, 2017, at 1:25 PM, Rob Crittenden  wrote:
> 
> Alan Latteri wrote:
>> Log is attached.
> 
> Look and see if /etc/krb5.conf.d/ and
> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
> filesystem perms are an issue but who knows.
> 
> You can also brute force things using strace -f to find out exactly what
> can't be read.
> 
> rob
> 




Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Rob Crittenden
Alan Latteri wrote:
> Log is attached.

Look and see if /etc/krb5.conf.d/ and
/var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
filesystem perms are an issue but who knows.

You can also brute force things using strace -f to find out exactly what
can't be read.

rob
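
The existence check suggested above, as an added example (not part of the thread and not FreeIPA code): it reads the `includedir` lines from a krb5.conf and reports which of the named directories are missing or unreadable. The scratch paths and the EXAMPLE.TEST realm in `demo` are constructed sample data.

```sh
#!/bin/sh
# Added example: verify every directory that krb5.conf pulls in via "includedir".

# Print the directory named on each "includedir DIR" line of a krb5.conf file.
list_includedirs() {
    awk '$1 == "includedir" && NF >= 2 { print $2 }' "$1"
}

# Report OK / MISSING / UNREADABLE for each included directory.
# Returns 0 if all are usable, 1 if any is not, 2 if the file is unreadable.
check_includedirs() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "UNREADABLE-CONF $conf"; return 2; }
    while read -r dir; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"; rc=1
        elif [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
            echo "UNREADABLE $dir"; rc=1
        else
            echo "OK $dir"
        fi
    done <<EOF
$(list_includedirs "$conf")
EOF
    return "$rc"
}

# Constructed sample: a scratch krb5.conf with one present and one absent
# include directory, mirroring the two paths named in the thread.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/krb5.conf.d"
    printf 'includedir %s\nincludedir %s\n\n[libdefaults]\n  default_realm = EXAMPLE.TEST\n' \
        "$d/etc/krb5.conf.d" "$d/var/lib/sss/pubconf/krb5.include.d" > "$d/krb5.conf"
    check_includedirs "$d/krb5.conf" || echo "check failed with status $?"
    rm -rf "$d"
}
demo
```

On a real client, call `check_includedirs /etc/krb5.conf`. As root the `-r` test passes regardless of mode bits, and an SELinux denial appears only in the audit log, so this covers the missing-directory case and not the AVC case.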



Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Martin Babinsky

On 01/02/2017 11:22 PM, Alan Latteri wrote:

I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa 
to 4.4.  On some clients they failed to re-authenticate post upgrade.  I then 
did an
ipa-client-install --uninstall, and then tried re-joining to IPA server with
ipa-client-install --mkhomedir --force-ntpd --force-join.

Now I am getting the below error, and I have no idea how to recover.  Firewall 
is disabled.

Thanks,
Alan

User authorized to enroll computers: admin
Password for admin@XXX.LOCAL:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be 
read while initializing Kerberos 5 library

Installation failed. Rolling back changes.
IPA client is not configured on this system.


[root@troll ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Installed Packages
ipa-client.x86_64          4.4.0-14.el7.centos   @updates
ipa-client-common.noarch   4.4.0-14.el7.centos   @updates
ipa-common.noarch          4.4.0-14.el7.centos   @updates



Hi Alan,

it would be nice if you could post the client install log 
(/var/log/ipaclient-install.log). It is hard to tell what happens 
without seeing it.


--
Martin^3 Babinsky
