#5548 ipa-client-install: gssapi.raw.exceptions.MissingCredentialsError after succesful enrollment
Closed: Invalid None Opened 8 years ago by mbabinsk.

During client enrollment via {{{ipa-client-install}}} the following excpetion is displayed and ignored after joining the host to IPA realm:

Discovery was successful!
Client hostname: client1.ipa.test
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: master1.ipa.test
BaseDN: dc=ipa,dc=test
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.TEST
    Issuer:      CN=Certificate Authority,O=IPA.TEST
    Valid From:  Mon Dec 14 09:30:10 2015 UTC
    Valid Until: Fri Dec 14 09:30:10 2035 UTC

Enrolled in IPA realm IPA.TEST
Exception gssapi.raw.exceptions.MissingCredentialsError: MissingCredentialsError(u'Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2865389599): Included profile file could not be read',) in 'gssapi.raw.creds.Creds.__dealloc__' ignored
Created /etc/ipa/default.conf
New SSSD config will be created
...

The installation otherwise completes succesfuly and client works normally. However, we should not let unhandled exceptions to bubble up to installer output, even if they are harmless.


This is bug in krb5 and was partially addressed (https://bugzilla.redhat.com/show_bug.cgi?id=1274150). There is also a BZ for proper fix (https://bugzilla.redhat.com/show_bug.cgi?id=1274424).

IIUC, solution for now is to upgrade krb5 and crypto-policy packages.

Metadata Update from @mbabinsk:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.3.1

7 years ago

Login to comment on this ticket.

Metadata