7:02 a.m.
Centos 9 ipa-client install error:
Failed to obtain host TGT: Major (458752): No credentials were supplied, or the
credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication
failed: No key table entry found for host/ipaclient.dom.loc(a)DOM.LOC
----------------------------------------------
This program will set up IPA client.
Version 4.11.0
Client hostname: ipaclient.dom.loc
Realm: DOM.LOC
DNS Domain: dom.loc
IPA Server: ipa.dom.loc
BaseDN: dc=dom,dc=loc
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DOM.LOC
Issuer: CN=Certificate Authority,O=DOM.LOC
Valid From: 2022-12-12 10:19:12+00:00
Valid Until: 2042-12-12 10:19:12+00:00
Enrolled in IPA realm DOM.LOC
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after
enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (458752): No credentials were supplied, or the
credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication
failed: No key table entry found for host/ipaclient.dom.loc(a)DOM.LOC
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
12:11 p.m.
Dmitry Krasov via FreeIPA-users wrote:
Centos 9 ipa-client install error:
Failed to obtain host TGT: Major (458752): No credentials were supplied, or the
credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication
failed: No key table entry found for host/ipaclient.dom.loc(a)DOM.LOC
----------------------------------------------
This program will set up IPA client.
Version 4.11.0
Client hostname: ipaclient.dom.loc
Realm: DOM.LOC
DNS Domain: dom.loc
IPA Server: ipa.dom.loc
BaseDN: dc=dom,dc=loc
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DOM.LOC
Issuer: CN=Certificate Authority,O=DOM.LOC
Valid From: 2022-12-12 10:19:12+00:00
Valid Until: 2042-12-12 10:19:12+00:00
Enrolled in IPA realm DOM.LOC
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after
enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (458752): No credentials were supplied, or the
credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication
failed: No key table entry found for host/ipaclient.dom.loc(a)DOM.LOC
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
We need to see /var/log/ipaclient-install.log to be able to tell what is
going on.
Did you confirm that the mentioned ports are open to the client?
rob
3:13 a.m.
all ports available, selinux and firewalld disabled, iptables is empty.
ipaclient-install.log:
https://pastebin.com/nM0xkL16
3:49 a.m.
Hi,
The logs show you're using a non-admin user for enrollment and you are
probably hitting issue https://pagure.io/freeipa/issue/9496
It was fixed on multiple branches but not shipped in any official release
yet.
The pagure ticket provides a workaround, or you can enroll using the admin
user.
HTH,
flo
On Tue, Feb 20, 2024 at 10:13 AM Dmitry Krasov via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
all ports available, selinux and firewalld disabled, iptables is
empty.
ipaclient-install.log:
https://pastebin.com/nM0xkL16
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
5:57 a.m.
and tell me please, how to install ipa-client from git (step by step instructions will be
better)?
noon
Hi,
what is the version of your server? I am asking because of the log:
2024-02-20T09:59:52Z DEBUG args=['/usr/sbin/ipa-join', '-s',
'ipa.dom.loc',
'-b', 'dc=dom,dc=loc', '-h', 'centos9.dom.loc',
'-k', '/etc/krb5.keytab']
2024-02-20T09:59:53Z DEBUG Process finished, return code=0
2024-02-20T09:59:53Z DEBUG stdout=
2024-02-20T09:59:53Z DEBUG stderr=Failed to parse result: Failed to decode
GetKeytab Control.
Retrying with pre-4.0 keytab retrieval method...
Failed to retrieve encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC
(#18)
Failed to retrieve encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC
(#17)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
flo
On Tue, Feb 20, 2024 at 12:57 PM Dmitry Krasov via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
and tell me please, how to install ipa-client from git (step by step
instructions will be better)?
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
11:13 p.m.
It's 4.3.1 and it's last version after ipa-server-upgrade.
Also, there is no error in few other OSs like ubuntu 22.04, or some other redhat based
OSs.
They enrolled successfully.
4:49 a.m.
Hi,
On Thu, Feb 22, 2024 at 10:42 AM Dmitry Krasov via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
probably it's because more high encrypt level in Centos. How to
make it
lower?
Can you try with (on the client):
update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY
reboot
flo
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
115
days inactive
121
days old
freeipa-users@lists.fedorahosted.org
10 comments
3 participants
participants (3)
-
Dmitry Krasov -
Florence Blanc-Renaud -
Rob Crittenden