
freeipa team mailing list archive

[Bug 1693154] [NEW] ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

 

Public bug reported:

Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS)
wrt. joining a FreeIPA kerberos server. I am running a server on
10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on
https://fedorapeople.org/groups/cockpit/images/), and realmd.service
fails. Running ipa-client-install manually shows why:

$ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
$ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

$ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
Discovery was successful!
Client hostname: autopkgtest
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan

Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Installation failed. Rolling back changes.
IPA client is not configured on this system.


stracing shows that it tries to access /etc/krb5.conf.d/ which does not exist. mkdir'ing this is sufficient to fix it.

I'm not entirely sure if this is really in freeipa-client or krb5-user
(kinit), but running "kinit -f admin@xxxxxxxxxxx" directly succeeds.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: freeipa-client 4.4.3-3ubuntu2
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.1
Architecture: amd64
Date: Wed May 24 09:30:57 2017
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug zesty

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions
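
A pre-enrollment check for the failure described in the report above, as an added example that is not part of the original report or of FreeIPA/krb5: it lists every `includedir` target in a krb5 profile that does not exist or cannot be read. It assumes the profile kinit loads contains an `includedir` directive (the report only shows the directory access via strace); the function name and sample paths are constructed.

```shell
#!/bin/sh
# Added example. missing_includedirs is a hypothetical helper name.
# Prints each includedir target that is missing or unreadable, one per line.
# Returns 0 if all targets are readable, 1 if any is not,
# 2 if the profile itself cannot be read.
missing_includedirs() {
    conf=$1
    [ -r "$conf" ] || return 2
    rc=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        # A directory must be readable and searchable to be listed.
        if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
            printf '%s\n' "$dir"
            rc=1
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*includedir[[:space:]]\{1,\}\([^[:space:]]*\).*$/\1/p' "$conf")
EOF
    return $rc
}

# Constructed sample profile: one include directory present, one absent.
demo=$(mktemp -d)
mkdir "$demo/present.d"
cat > "$demo/krb5.conf" <<EOF
includedir $demo/present.d
includedir $demo/krb5.conf.d/

[libdefaults]
  default_realm = COCKPIT.LAN
EOF

echo "before mkdir: $(missing_includedirs "$demo/krb5.conf")"
# The workaround from the report, applied to the sample directory only.
mkdir "$demo/krb5.conf.d"
echo "after mkdir:  $(missing_includedirs "$demo/krb5.conf")"
rm -rf "$demo"
```

On a real client the profile to check is the one named by KRB5_CONFIG if set, otherwise /etc/krb5.conf.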

