My reply with the log output is pending moderator approval.

-Chris


On 1/16/18 1:11 PM, Rob Crittenden wrote:
Robbie Harwood via FreeIPA-users wrote:
Chris Moody via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:

2018-01-15T21:55:24Z INFO Configured /etc/krb5.conf for IPA realm IPA.XYZ.COM
2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=keyctl search @s user ipa_session_cookie:host/sfca-do-1.xyz.com@IPA.XYZ.COM
2018-01-15T21:55:24Z DEBUG Process finished, return code=1
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=keyctl_search: Required key not available

I'm not familiar with what IPA's trying to do here, but this looks like
a problem?  Can someone else comment?

This is perfectly normal. IPA stores the session cookie in the kernel
keyring. Given this is a new install there is no cookie to find.

I have tried manually setting /etc/krb5.conf to the contents that get
generated & display during the verbose client-install process (as seen
above), that manually spell out the KDC details, and am able to run a
'kinit admin' just fine from the CLI on the client, so kerberos DOES
function from the client.  It talks to the KDC beautifully and
authenticates just fine... so I'm not sure how the client-install
process is getting confused/lost when trying to find/contact the KDC.

Someone else who knows more than me: how is the install different than a
normal kinit?

I think we'd need to see the full ipaclient-install.log.

rob