Troubleshooting IPA Client issues

Troubleshooting IPA

Recently I came across an issue when trying to install the IPA client on a server. After running ipa-client-install I would get the following error message, and the installer would roll back. The enrollment would still partially succeed, though: the IPA server showed the host as enrolled, so I had to delete the host entry on the server before trying again. Here is what I did to troubleshoot IPA in my environment.

Looking into it further, I couldn't find anything under /var/log for Kerberos, so I looked at the installer's own log, /var/log/ipa-client-install.log.

In there I saw a message stating that the keytab contains no suitable keys for host/server@EXAMPLE.COM.

Resolution

Make sure the entries in /etc/hosts are in the proper order of "IP FQDN shortname". Looking at the hosts file on the impacted servers, I found that the entries started with the shortname instead of the FQDN. Putting the FQDN first fixed it.

Root Cause

The install fails because the /etc/hosts entry is not in the proper order. The client derives its host principal from the first name listed for its address, so with the shortname first it looks for host/server@EXAMPLE.COM. The key that IPA actually issued into the system's keytab is for host/server.example.com@EXAMPLE.COM, so no suitable key is found and the installer rolls back.
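The following script is an added example and is not part of the original post. It checks the /etc/hosts ordering described in the Resolution section and prints the host principal the client will look for, which is the mismatch described under Root Cause. The file path, realm and the sample hosts lines are assumptions for illustration; loopback entries are skipped because they legitimately list bare names.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every non-loopback
# entry in a hosts file lists the FQDN before the short name, and derive the
# Kerberos host principal the IPA client will expect for a given canonical name.

# check_hosts_order FILE
# Prints each entry whose first name has no dot (a short name) and returns 1
# if any such entry exists; returns 0 when all entries are FQDN-first.
check_hosts_order() {
    hosts_file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}          # drop trailing comments
        set -- $entry              # split into IP and names (default IFS)
        [ $# -ge 2 ] || continue   # skip blank or name-less lines
        case $1 in
            127.*|::1) continue ;; # loopback entries use bare names by design
        esac
        case $2 in
            *.*) ;;                # first name contains a dot: FQDN first, fine
            *) printf 'short name listed before FQDN: %s\n' "$entry"; rc=1 ;;
        esac
    done < "$hosts_file"
    return $rc
}

# host_principal FQDN REALM
# The principal ipa-client-install will look for in /etc/krb5.keytab.
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Sample input (constructed for this example): one correct and one broken file.
if [ -z "$1" ]; then
    tmp=$(mktemp -d)
    printf '127.0.0.1 localhost localhost.localdomain\n192.168.9.150 server.example.com server\n' > "$tmp/good"
    printf '192.168.9.150 server server.example.com\n' > "$tmp/bad"
    check_hosts_order "$tmp/good" && echo "good file: ok"
    check_hosts_order "$tmp/bad" || echo "bad file: needs fixing"
    host_principal server.example.com EXAMPLE.COM
    rm -rf "$tmp"
else
    check_hosts_order "$1"
fi
```

Run it with a path argument to check the real file (`sh check_hosts.sh /etc/hosts`). On the affected host, compare the name printed by `hostname -f` with the principals listed by `klist -kt /etc/krb5.keytab`; when the hosts file is in short-name-first order, the two will disagree in exactly the way the Root Cause section describes.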

Diagnostic Steps

It took some time to track this down. Based on the error message, I first thought it was a firewall issue. However, I was able to telnet to the IPA server on every port it requires without any trouble, so I ruled the firewall out and started looking for other causes that could prevent the host from joining the IPA server.

Once the hosts file was fixed, the installation and join to the IPA server went through without a problem. If you run into a similar issue in the future, hopefully this will help you work through it.

If you have any questions or comments, please feel free to drop me an email or comment.

Cheers,

Ivan Windon, RHCSA
