ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
freeipa (Ubuntu) | Fix Released | Undecided | Unassigned |
Zesty | Fix Released | Undecided | Timo Aaltonen |
kerberos-configs (Debian) | New | Unknown | |
Bug Description
[Impact]
ipa-client-install fails because it modifies /etc/krb5.conf to include /etc/krb5.conf.d which doesn't exist, so kinit fails.
The (temporary) fix is to add the /etc/krb5.conf.d directory to freeipa-client.
[Test case]
Enroll an IPA client with ipa-client-install; it should pass.
[Regression potential]
None, this is a safe addition.
[original description]
Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on https:/
$ sudo DEBIAN_
$ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf
$ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-
Discovery was successful!
Client hostname: autopkgtest
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Installation failed. Rolling back changes.
IPA client is not configured on this system.
stracing shows that it tries to access /etc/krb5.conf.d/ which does not exist. mkdir'ing this is sufficient to fix it.
I'm not entirely sure if this is really in freeipa-client or krb5-user (kinit), but running "kinit -f <email address hidden>" directly succeeds.
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: freeipa-client 4.4.3-3ubuntu2
ProcVersionSign
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.1
Architecture: amd64
Date: Wed May 24 09:30:57 2017
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in kerberos-configs (Debian):
status: Unknown → New
The client install creates /etc/krb5.conf with "includedir /etc/krb5.conf.d/".
While creating that directory should be done by krb5-config, it was fixed in sid/artful by freeipa-client 4.4.4-1. mit-krb5 will add the directory after stretch is released.
SRU for zesty would be in order, though.
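A pre-flight check for the condition reported in this bug, added here as an example (it is not part of the report or of freeipa): it lists every "includedir" target in a krb5.conf that is missing or unreadable, which is the state that made kinit fail above. The function names check_krb5_includes and demo are hypothetical, and the sample configuration is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not freeipa or krb5 code.
# check_krb5_includes CONF: print each "includedir" target in CONF that is
# not a readable, searchable directory. Returns 0 if all targets are usable,
# 1 if at least one is not, 2 if CONF itself cannot be read.
check_krb5_includes() {
    conf=${1:-/etc/krb5.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    missing=0
    # "|| [ -n ... ]" also handles a last line without a trailing newline.
    while read -r directive dir _rest || [ -n "$directive" ]; do
        [ "$directive" = "includedir" ] || continue
        if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
            echo "includedir target not readable: $dir"
            missing=1
        fi
    done < "$conf"
    return "$missing"
}

# Constructed sample: a krb5.conf shaped like the one the client install
# writes, checked before and after the directory is created.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'includedir %s/krb5.conf.d/\n\n[libdefaults]\n  default_realm = COCKPIT.LAN\n' \
        "$tmp" > "$tmp/krb5.conf"
    before=0; check_krb5_includes "$tmp/krb5.conf" || before=$?
    mkdir "$tmp/krb5.conf.d"
    after=0; check_krb5_includes "$tmp/krb5.conf" || after=$?
    rm -rf "$tmp"
    echo "exit status before mkdir: $before, after mkdir: $after"
}

demo
```

Run against the real file with `check_krb5_includes /etc/krb5.conf` before enrolling a client; a non-zero status means the directory has to be created first.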