Chapter 16. Troubleshooting IdM client installation


Diagnose and resolve Identity Management (IdM) client installation failures to ensure successful domain enrollment. Gather diagnostic information and apply solutions for common installation issues.

16.1. Reviewing IdM client installation errors

Review Identity Management (IdM) client installation log files to identify and troubleshoot deployment failures.

If a client installation fails, the installer logs the failure and rolls back changes to undo any modifications to the host. The reason for the installation failure may not be at the end of the log file, because the installer also logs the rollback procedure.

To troubleshoot a failing IdM client installation, review lines labeled ScriptError in the /var/log/ipaclient-install.log file and use this information to resolve any corresponding issues.

Prerequisites

  • You must have root privileges to display the contents of IdM log files.

Procedure

  1. Use the grep utility to retrieve any occurrences of the keyword ScriptError from the /var/log/ipaclient-install.log file.

    [user@server ~]$ sudo grep ScriptError /var/log/ipaclient-install.log
    [sudo] password for user:
    2020-05-28T18:24:50Z DEBUG The ipa-client-install command failed, exception: ScriptError: One of password / principal / keytab is required.
  2. To review a log file interactively, open the end of the log file using the less utility and use the arrow keys to navigate.

    [user@server ~]$ sudo less -N +G /var/log/ipaclient-install.log

Enable dynamic DNS updates and open required firewall ports to resolve Identity Management (IdM) client DNS record creation failures.

The IdM client installer issues nsupdate commands to create PTR, SSHFP, and additional DNS records. However, the installation process fails if the client is unable to update DNS records after installing and configuring the client software.

To fix this problem, verify the configuration and review DNS errors in /var/log/ipaclient-install.log.

Prerequisites

  • You are using IdM DNS as the DNS solution for your IdM environment

Procedure

  1. Ensure that dynamic updates for the DNS zone the client is in are enabled:

    [user@server ~]$ ipa dnszone-mod idm.example.com. --dynamic-update=TRUE
  2. Ensure that the IdM server running the DNS service has port 53 opened for both TCP and UDP protocols.

    [user@server ~]$ sudo firewall-cmd --permanent --add-port=53/tcp --add-port=53/udp
    [sudo] password for user:
    success
    [user@server ~]$ sudo firewall-cmd --reload
    success
  3. Use the grep utility to retrieve the contents of nsupdate commands from /var/log/ipaclient-install.log to see which DNS record updates are failing.

    [user@server ~]$ sudo grep nsupdate /var/log/ipaclient-install.log

Remove corrupted Kerberos keytabs to resolve Identity Management (IdM) client installation failures when joining the Kerberos realm.

Joining realm failed: Failed to add key to the keytab
child exited with 11

Installation failed. Rolling back changes.

This failure can be caused by an empty Kerberos keytab.

Prerequisites

  • Removing system files requires root privileges.

Procedure

  1. Remove /etc/krb5.keytab.

    [user@client ~]$ sudo rm /etc/krb5.keytab
    [sudo] password for user:
    [user@client ~]$ ls /etc/krb5.keytab
    ls: cannot access '/etc/krb5.keytab': No such file or directory
  2. Retry the IdM client installation.
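
The log checks from the three procedures above (ScriptError lines, nsupdate commands, and the keytab join failure) combined into one triage function, as an added example that is not part of the Red Hat documentation. The function names and the sample log are constructed for illustration; only the quoted messages come from this page.

```shell
#!/bin/sh
# Added example (not Red Hat's code): triage an ipa-client-install log using
# the markers this chapter names. Function names are hypothetical.

# Print one finding per line for the log file given as $1.
triage_ipaclient_log() {
    log=$1
    if [ ! -r "$log" ]; then
        echo "cannot read $log (IdM logs require root)" >&2
        return 2
    fi
    # Failure reason: the text after "ScriptError:", with its line number.
    grep -n 'ScriptError' "$log" |
        sed -n 's/^\([0-9]*\):.*ScriptError: *\(.*\)$/script-error line=\1 msg=\2/p'
    # Everything after this line is rollback logging, not the cause.
    rb=$(grep -n 'Rolling back changes' "$log" | head -n 1 | cut -d: -f1)
    if [ -n "$rb" ]; then
        echo "rollback-starts line=$rb"
    fi
    if grep -q 'Failed to add key to the keytab' "$log"; then
        echo "hint keytab: inspect /etc/krb5.keytab, an empty keytab causes this"
    fi
    n=$(grep -c 'nsupdate' "$log" || true)
    if [ "$n" -gt 0 ]; then
        echo "hint dns: $n nsupdate line(s), check dynamic updates and port 53"
    fi
    return 0
}

# Constructed sample log: combines this page's messages to exercise each check.
write_sample_log() {
    cat > "$1" <<'EOF'
2020-05-28T18:24:48Z DEBUG constructed sample: nsupdate PTR record update
2020-05-28T18:24:49Z ERROR Joining realm failed: Failed to add key to the keytab
2020-05-28T18:24:49Z ERROR Installation failed. Rolling back changes.
2020-05-28T18:24:50Z DEBUG constructed sample: rollback step
2020-05-28T18:24:50Z DEBUG The ipa-client-install command failed, exception: ScriptError: One of password / principal / keytab is required.
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
triage_ipaclient_log "$sample"
rm -f "$sample"
```

On a real host, call `triage_ipaclient_log /var/log/ipaclient-install.log` as root; the rollback line number shows where to stop reading when looking for the cause.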

Configure automount locations for Identity Management (IdM) clients after installation to enable automatic mounting of network file systems.

Run /usr/sbin/ipa-client-automount <raleigh> after a successful installation to configure an automount location for the client correctly.

Prerequisites

  • With the exception of configuring an automount location, the IdM client installation proceeded correctly. The CLI output was:

    The ipa-client-install command was successful.

Procedure

  • Configure the automount location:

    /usr/sbin/ipa-client-automount -U --location <raleigh>