Discussion:
[Freeipa-users] kinit working, but ipa-client-install not (client not found)
Pieter Baele
2011-06-23 13:26:33 UTC
My new freeipa installation is working (server + kinit on a host where
I configured krb5.conf manually)
but ipa-client-install gives the typical Kerberos error:

kinit: Client not found in Kerberos database while getting initial credentials

Both hosts are resolvable
Stephen Gallagher
2011-06-23 16:27:01 UTC
Post by Pieter Baele
My new freeipa installation is working (server + kinit on a host where
I configured krb5.conf manually)
kinit: Client not found in Kerberos database while getting initial credentials
Both hosts are resolvable
What are you passing to ipa-client-install? You need to make sure you've
specified -p <admin principal> and -W in order to get the appropriate
credentials.
Rob Crittenden
2011-06-23 17:59:27 UTC
Post by Pieter Baele
My new freeipa installation is working (server + kinit on a host where
I configured krb5.conf manually)
kinit: Client not found in Kerberos database while getting initial credentials
Both hosts are resolvable
I'd suggest looking at /var/log/krb5kdc.log on the server after trying a
kinit. This should tell you the name it is trying to resolve.

rob
Pieter Baele
2011-06-24 08:28:41 UTC
Post by Rob Crittenden
Post by Pieter Baele
My new freeipa installation is working (server + kinit on a host where
I configured krb5.conf manually)
kinit: Client not found in Kerberos database while getting initial credentials
Both hosts are resolvable
I'd suggest looking at /var/log/krb5kdc.log on the server after trying a
kinit. This should tell you the name it is trying to resolve.
rob
About this issue, nothing is logged in /var/log/krb5kdc.log.....

I used this command now:
ipa-client-install --server ipa1.example.org --domain example.org -p pieterb -W -d

User 'pieterb' exists and has admin privileges


Password for ***@EXAMPLE.ORG
root : DEBUG args=kinit ***@EXAMPLE.ORG
root : DEBUG stdout=
root : DEBUG stderr=kinit: Client not found in Kerberos database while getting initial credentials


root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=kdestroy: No credentials cache found while destroying cache

kinit: Client not found in Kerberos database while getting initial credentials
Martin Kosek
2011-06-24 12:37:08 UTC
Post by Pieter Baele
Post by Rob Crittenden
Post by Pieter Baele
My new freeipa installation is working (server + kinit on a host where
I configured krb5.conf manually)
kinit: Client not found in Kerberos database while getting initial credentials
Both hosts are resolvable
I'd suggest looking at /var/log/krb5kdc.log on the server after trying a
kinit. This should tell you the name it is trying to resolve.
rob
About this issue, nothing is logged in /var/log/krb5kdc.log.....
ipa-client-install --server ipa1.example.org --domain example.org -p
pieterb -W -d
User 'pieterb' exists and has admin privileges
root : DEBUG stdout=
root : DEBUG stderr=kinit: Client not found in Kerberos
database while getting initial credentials
root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=kdestroy: No credentials cache found
while destroying cache
kinit: Client not found in Kerberos database while getting initial credentials
Is pieterb a user you added in your IPA server or is it just in your local
master machine local files (/etc/passwd)? I.e. can you run
`ipa user-show pieterb`?

What if you run ipa-client-install with "-p admin" instead of "-p
pieterb" - does it work?

Martin
Rob Crittenden
2011-06-24 12:48:12 UTC
Post by Pieter Baele
Post by Rob Crittenden
Post by Pieter Baele
My new freeipa installation is working (server + kinit on a host where
I configured krb5.conf manually)
kinit: Client not found in Kerberos database while getting initial credentials
Both hosts are resolvable
I'd suggest looking at /var/log/krb5kdc.log on the server after trying a
kinit. This should tell you the name it is trying to resolve.
rob
About this issue, nothing is logged in /var/log/krb5kdc.log.....
ipa-client-install --server ipa1.example.org --domain example.org -p
pieterb -W -d
User 'pieterb' exists and has admin privileges
root : DEBUG stdout=
root : DEBUG stderr=kinit: Client not found in Kerberos
database while getting initial credentials
root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=kdestroy: No credentials cache found
while destroying cache
kinit: Client not found in Kerberos database while getting initial credentials
If you aren't seeing anything in the Kerberos logs I wonder if this is
talking to the wrong KDC. ipa-client-install should include a copy of
the krb5.conf it is using, does it match your working manual install?

rob
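
Added example, not part of the thread and not FreeIPA code: a small Python check for the comparison suggested in the last reply, reporting where the realm and KDC settings of two krb5.conf files differ. Both file contents, the host kdc-old.example.org and the function names are constructed for illustration.

```python
import re

def kdc_view(text):
    """Return (default_realm, dns_lookup_kdc, KDC list of the default realm)."""
    section, realm, depth = None, None, 0
    default_realm, dns_lookup, kdcs = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:                     # top-level section header
            section = m.group(1)
            continue
        if line.startswith("}"):                 # end of a realm block
            depth, realm = 0, None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults":
            if key == "default_realm":
                default_realm = value
            elif key == "dns_lookup_kdc":
                dns_lookup = value.lower()
        elif section == "realms":
            if value.endswith("{"):              # "REALM = {" opens a block
                realm, depth = key, 1
            elif key == "kdc" and realm:
                kdcs.setdefault(realm, []).append(value)
    return default_realm, dns_lookup, kdcs.get(default_realm, [])

def compare(working, installer):
    """List the settings that decide which KDC is contacted and that differ."""
    names = ("default_realm", "dns_lookup_kdc", "kdc")
    return [f"{n}: working={x!r} installer={y!r}"
            for n, x, y in zip(names, kdc_view(working), kdc_view(installer))
            if x != y]

# Constructed sample: the manually written, working krb5.conf
WORKING = """\
[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_kdc = false
[realms]
  EXAMPLE.ORG = {
    kdc = ipa1.example.org:88
    admin_server = ipa1.example.org:749
  }
"""
# Constructed sample: a krb5.conf copy that points at a different KDC
INSTALLER = (WORKING.replace("ipa1.example.org:88", "kdc-old.example.org:88")
                    .replace("dns_lookup_kdc = false", "dns_lookup_kdc = true"))

if __name__ == "__main__":
    print("\n".join(compare(WORKING, INSTALLER)) or "KDC settings match")
```

An empty result means both files resolve the default realm to the same KDC list, so the mismatch has to be looked for elsewhere, for example in the principal name being requested.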