My reply with the log output is pending moderator approval.
-Chris
Robbie Harwood via FreeIPA-users wrote:
> Chris Moody via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
>
>> 2018-01-15T21:55:24Z INFO Configured /etc/krb5.conf for IPA realm IPA.XYZ.COM
>> 2018-01-15T21:55:24Z DEBUG Starting external process
>> 2018-01-15T21:55:24Z DEBUG args=keyctl search @s user ipa_session_cookie:host/sfca-do-1.xyz.com@IPA.XYZ.COM
>> 2018-01-15T21:55:24Z DEBUG Process finished, return code=1
>> 2018-01-15T21:55:24Z DEBUG stdout=
>> 2018-01-15T21:55:24Z DEBUG stderr=keyctl_search: Required key not available
>
> I'm not familiar with what IPA's trying to do here, but this looks like a problem? Can someone else comment?

This is perfectly normal. IPA stores the session cookie in the kernel keyring. Given this is a new install there is no cookie to find.

>> I have tried manually setting /etc/krb5.conf to the contents that get
>> generated & display during the verbose client-install process (as seen above), that manually spell out the KDC details, and am able to run a 'kinit admin' just fine from the CLI on the client, so kerberos DOES function from the client. It talks to the KDC beautifully and authenticates just fine... so I'm not sure how the client-install process is getting confused/lost when trying to find/contact the KDC.
>
> Someone else who knows more than me: how is the install different than a normal kinit?

I think we'd need to see the full ipaclient-install.log.

rob