Recently I came across an issue when trying to install the IPA client on a server. After running ipa-client-install I would get the following error message and the install would roll back. It would, however, partially succeed: the IPA server showed the host as enrolled, so I had to delete the host entry there before trying again. Here is what I did to troubleshoot IPA in my environment.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Tue Jul 11 19:13:50 2017 UTC
    Valid Until: Sat Jul 11 19:13:50 2037 UTC
Enrolled in IPA realm EXAMPLE.COM
Attempting to get host TGT...
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Looking into it further, I couldn't see anything under /var/log for Kerberos, so I looked at the log for ipa-client-install instead:
# cat /var/log/ipa-client-install.log
In there I saw a message saying the keytab contains no suitable keys for host/server@EXAMPLE.COM:
stderr=kinit: Keytab contains no suitable keys for host/server@EXAMPLE.COM while getting initial credentials
Make sure the format of the entries in /etc/hosts is in the proper order of "IP FQDN Shortname". Looking at the hosts file on the impacted servers I found that indeed they only had the
# vim /etc/hosts
10.0.0.1 server.example.com server
The install fails because the /etc/hosts entry is not in the proper order. The principal the install tries to use is host/server@EXAMPLE.COM, while the system's keytab only contains host/server.example.com@EXAMPLE.COM, so kinit finds no matching key.
[root@server ~]# ipa-client-install -d
…
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/server@EXAMPLE.COM
stdout=
stderr=kinit: Keytab contains no suitable keys for host/server@EXAMPLE.COM while getting initial credentials
Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@server ~]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -------------------------------------------------------
   2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM
   2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM
   2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM
   2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM
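The check below is an added example, not something from the original post or from the IPA project. It ties together the two symptoms above: it verifies that an /etc/hosts line is in "IP FQDN shortname" order, builds the host principal the client will request from the canonical name on that line, and confirms that principal actually appears in klist -kt output. It assumes the resolver treats the first name after the address as the canonical hostname; the realm EXAMPLE.COM, the hosts lines and the klist output it runs against are constructed sample data.

```shell
#!/bin/sh
# Added diagnostic example (not part of the original post). It checks that an
# /etc/hosts entry is in "IP FQDN shortname" order and that the principal the
# client will kinit with, host/<canonical name>@REALM, is present in the keytab.
# Assumption: the first name after the IP is what the resolver returns as the
# canonical hostname. All sample data below is constructed.

# Print the canonical name an /etc/hosts line yields: the first name after
# the address.
hosts_canonical_name() {
    set -- $1          # split the line into fields
    shift              # drop the IP address
    printf '%s\n' "$1"
}

# Succeed only if the canonical name is an FQDN (contains a dot).
hosts_line_ok() {
    case "$(hosts_canonical_name "$1")" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Build the principal ipa-client-install will request a TGT for.
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Succeed if principal $1 is listed in $2 (the text of `klist -kt` output).
# The principal is the last field of every keytab entry line.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# Run the whole check and spell out which of the two problems applies.
diagnose() {
    line=$1; realm=$2; klist_out=$3
    if ! hosts_line_ok "$line"; then
        echo "hosts entry not in 'IP FQDN shortname' order: $line"
        return 1
    fi
    princ=$(host_principal "$(hosts_canonical_name "$line")" "$realm")
    if keytab_has_principal "$princ" "$klist_out"; then
        echo "ok: $princ is in the keytab"
        return 0
    fi
    echo "mismatch: $princ not found in keytab"
    return 1
}

# Constructed klist -kt output mirroring the post's environment.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM'

# On a real host you would pass the live data instead, e.g.:
#   diagnose "$(grep -w server /etc/hosts)" EXAMPLE.COM "$(klist -kt /etc/krb5.keytab)"
for entry in "10.0.0.1 server server.example.com" "10.0.0.1 server.example.com server"; do
    diagnose "$entry" EXAMPLE.COM "$SAMPLE_KLIST" || true
done
```

The first sample line (short name before the FQDN) is reported as an ordering problem; the second passes and the derived principal host/server.example.com@EXAMPLE.COM is found in the keytab. A hosts line that is in the right order but whose FQDN differs from what the keytab was issued for would instead be reported as a principal mismatch, which is the other way this same kinit error shows up.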
It took some time to track this down. Based on the error message I at first thought it was a firewall issue, but I was able to telnet to the IPA server on all the listed ports without any trouble. So I began to think it wasn't really a firewall issue and started looking for other causes that could be preventing the client from joining the IPA server.
Once the hosts file was fixed, the installation and enrollment with the IPA server went through without a problem. If you run into a similar issue, hopefully this will help you get past it.
If you have any questions or comments, please feel free to drop me an email or comment.
Ivan Windon – RHCSA