During client enrollment via {{{ipa-client-install}}} the following excpetion is displayed and ignored after joining the host to IPA realm:
Discovery was successful! Client hostname: client1.ipa.test Realm: IPA.TEST DNS Domain: ipa.test IPA Server: master1.ipa.test BaseDN: dc=ipa,dc=test Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Synchronizing time with KDC... Attempting to sync time using ntpd. Will timeout after 15 seconds Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.TEST Issuer: CN=Certificate Authority,O=IPA.TEST Valid From: Mon Dec 14 09:30:10 2015 UTC Valid Until: Fri Dec 14 09:30:10 2035 UTC Enrolled in IPA realm IPA.TEST Exception gssapi.raw.exceptions.MissingCredentialsError: MissingCredentialsError(u'Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2865389599): Included profile file could not be read',) in 'gssapi.raw.creds.Creds.__dealloc__' ignored Created /etc/ipa/default.conf New SSSD config will be created ...
The installation otherwise completes succesfuly and client works normally. However, we should not let unhandled exceptions to bubble up to installer output, even if they are harmless.
This is bug in krb5 and was partially addressed (https://bugzilla.redhat.com/show_bug.cgi?id=1274150). There is also a BZ for proper fix (https://bugzilla.redhat.com/show_bug.cgi?id=1274424).
IIUC, solution for now is to upgrade krb5 and crypto-policy packages.
Metadata Update from @mbabinsk: - Issue assigned to dkupka - Issue set to the milestone: FreeIPA 4.3.1
Login to comment on this ticket.