SSSD container fails to install with 401 HTTP error

Solution Verified - Updated -


During the installation of the containerised SSSD the ipa-client-install script fails

   [root@atomic ~]# atomic install rhel7/sssd              
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/
Initializing configuration context from host ...
Discovery was successful!
Client hostname: atomic.internal.local
DNS Domain: internal.local
IPA Server: ipa-atomic.internal.local
BaseDN: dc=internal,dc=local
Skipping synchronizing time with NTP server.
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=INTERNAL.LOCAL
    Issuer:      CN=Certificate Authority,O=INTERNAL.LOCAL
    Valid From:  Wed Jun 28 09:52:34 2017 UTC
    Valid Until: Sun Jun 28 09:52:34 2037 UTC

Joining realm failed: HTTP response code is 401, not 200

Use ipa-getkeytab to obtain a host principal for this server.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639107): No credentials cache found

Installation failed. Force set so not rolling back changes.


  • Red Hat Enterprise Linux Atomic Host

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content