Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 16. Troubleshooting IdM client installation

The following sections describe how to gather information about a failing IdM client installation, and how to resolve common installation issues.

16.1. Reviewing IdM client installation errors

When you install an Identity Management (IdM) client, debugging information is appended to /var/log/ipaclient-install.log. If a client installation fails, the installer logs the failure and rolls back changes to undo any modifications to the host. The reason for the installation failure may not be at the end of the log file, as the installer also logs the roll back procedure.

To troubleshoot a failing IdM client installation, review lines labeled ScriptError in the /var/log/ipaclient-install.log file and use this information to resolve any corresponding issues.

Prerequisites

  • You must have root privileges to display the contents of IdM log files.

Procedure

  1. Use the grep utility to retrieve any occurrences of the keyword ScriptError from the /var/log/ipaserver-install.log file. 

    [user@server ~]$ sudo grep ScriptError /var/log/ipaclient-install.log
[sudo] password for user:
2020-05-28T18:24:50Z DEBUG The ipa-client-install command failed, exception: ScriptError: One of password / principal / keytab is required.

  2. To review a log file interactively, open the end of the log file using the less utility and use the and arrow keys to navigate. 

    [user@server ~]$ sudo less -N +G /var/log/ipaclient-install.log

Additional resources

16.2. Resolving issues if the client installation fails to update DNS records

The IdM client installer issues nsupdate commands to create PTR, SSHFP, and additional DNS records. However, the installation process fails if the client is unable to update DNS records after installing and configuring the client software.

To fix this problem, verify the configuration and review DNS errors in /var/log/client-install.log.

Prerequisites

  • You are using IdM DNS as the DNS solution for your IdM environment

Procedure

  1. Ensure that dynamic updates for the DNS zone the client is in are enabled: 

    [user@server ~]$ ipa dnszone-mod idm.example.com. --dynamic-update=TRUE

  2. Ensure that the IdM server running the DNS service has port 53 opened for both TCP and UDP protocols. 

    [user@server ~]$ sudo firewall-cmd --permanent --add-port=53/tcp --add-port=53/udp
[sudo] password for user:
success
[user@server ~]$ firewall-cmd --runtime-to-permanent
success

  3. Use the grep utility to retrieve the contents of nsupdate commands from /var/log/client-install.log to see which DNS record updates are failing. 

    [user@server ~]$ sudo grep nsupdate /var/log/ipaclient-install.log

Additional resources

16.3. Resolving issues if the client installation fails to join the IdM Kerberos realm

The IdM client installation process fails if the client is unable to join the IdM Kerberos realm. 

Joining realm failed: Failed to add key to the keytab
child exited with 11

Installation failed. Rolling back changes.

This failure can be caused by an empty Kerberos keytab.

Prerequisites

  • Removing system files requires root privileges.

Procedure

  1. Remove /etc/krb5.keytab. 

    [user@client ~]$ sudo rm /etc/krb5.keytab
[sudo] password for user:
[user@client ~]$ ls /etc/krb5.keytab
ls: cannot access '/etc/krb5.keytab': No such file or directory
  2. Retry the IdM client installation.

Additional resources

16.4. Additional resources