Red Hat SummitChapter 16. Troubleshooting IdM client installation
The following sections describe how to gather information about a failing IdM client installation, and how to resolve common installation issues.
16.1. Reviewing IdM client installation errors
When you install an Identity Management (IdM) client, debugging information is appended to /var/log/ipaclient-install.log. If a client installation fails, the installer logs the failure and rolls back changes to undo any modifications to the host. The reason for the installation failure may not be at the end of the log file, as the installer also logs the roll back procedure.
To troubleshoot a failing IdM client installation, review lines labeled ScriptError in the /var/log/ipaclient-install.log file and use this information to resolve any corresponding issues.
Prerequisites
-
You must have
rootprivileges to display the contents of IdM log files.
Procedure
Use the
greputility to retrieve any occurrences of the keywordScriptErrorfrom the/var/log/ipaserver-install.logfile.[user@server ~]$ sudo grep ScriptError /var/log/ipaclient-install.log [sudo] password for user: 2020-05-28T18:24:50Z DEBUG The ipa-client-install command failed, exception: ScriptError: One of password / principal / keytab is required.
To review a log file interactively, open the end of the log file using the
lessutility and use the ↑ and ↓ arrow keys to navigate.[user@server ~]$ sudo less -N +G /var/log/ipaclient-install.log
Additional resources
-
If you are unable to resolve a failing IdM client installation, and you have a Red Hat Technical Support subscription, open a Technical Support case at the Red Hat Customer Portal and provide an
sosreportof the client. -
The
sosreportutility collects configuration details, logs and system information from a RHEL system. For more information about thesosreportutility, see the Red Hat Knowledgebase solution What is an sosreport and how to create one in Red Hat Enterprise Linux?.
16.2. Resolving issues if the client installation fails to update DNS records
The IdM client installer issues nsupdate commands to create PTR, SSHFP, and additional DNS records. However, the installation process fails if the client is unable to update DNS records after installing and configuring the client software.
To fix this problem, verify the configuration and review DNS errors in /var/log/client-install.log.
Prerequisites
- You are using IdM DNS as the DNS solution for your IdM environment
Procedure
Ensure that dynamic updates for the DNS zone the client is in are enabled:
[user@server ~]$ ipa dnszone-mod idm.example.com. --dynamic-update=TRUEEnsure that the IdM server running the DNS service has port 53 opened for both TCP and UDP protocols.
[user@server ~]$ sudo firewall-cmd --permanent --add-port=53/tcp --add-port=53/udp [sudo] password for user: success [user@server ~]$ firewall-cmd --runtime-to-permanent success
Use the
greputility to retrieve the contents ofnsupdatecommands from/var/log/client-install.logto see which DNS record updates are failing.[user@server ~]$ sudo grep nsupdate /var/log/ipaclient-install.log
Additional resources
-
If you are unable to resolve a failing installation, and you have a Red Hat Technical Support subscription, open a Technical Support case at the Red Hat Customer Portal and provide an
sosreportof the client. -
The
sosreportutility collects configuration details, logs and system information from a RHEL system. For more information about thesosreportutility, see the Red Hat Knowledgebase solution What is an sosreport and how to create one in Red Hat Enterprise Linux?.
16.3. Resolving issues if the client installation fails to join the IdM Kerberos realm
The IdM client installation process fails if the client is unable to join the IdM Kerberos realm.
Joining realm failed: Failed to add key to the keytab child exited with 11 Installation failed. Rolling back changes.
This failure can be caused by an empty Kerberos keytab.
Prerequisites
-
Removing system files requires
rootprivileges.
Procedure
Remove
/etc/krb5.keytab.[user@client ~]$ sudo rm /etc/krb5.keytab [sudo] password for user: [user@client ~]$ ls /etc/krb5.keytab ls: cannot access '/etc/krb5.keytab': No such file or directory- Retry the IdM client installation.
Additional resources
-
If you are unable to resolve a failing installation, and you have a Red Hat Technical Support subscription, open a Technical Support case at the Red Hat Customer Portal and provide an
sosreportof the client. -
The
sosreportutility collects configuration details, logs and system information from a RHEL system. For more information about thesosreportutility, see the Red Hat Knowledgebase solution What is an sosreport and how to create one in Red Hat Enterprise Linux?.
16.4. Resolving issues if the client installation fails to configure automount
In RHEL 7, you could configure an automount location for your client during the client installation. In RHEL 8, running the ipa-client-install command with the --automount-location <raleigh> fails to configure the automount location. However, as the rest of the installation is successful, running /usr/sbin/ipa-client-automount <raleigh> after the installation configures an automount location for the client correctly.
Prerequisites
With the exception of configuring an automount location, the IdM client installation proceeded correctly. The CLI output was:
The ipa-client-install command was successful.
Procedure
Configure the automount location:
/usr/sbin/ipa-client-automount -U --location <raleigh>
Additional resources
-
man
ipa-client-automount
16.5. Additional resources
- To troubleshoot installing the first IdM server, see Troubleshooting IdM server installation.
- To troubleshoot installing an IdM replica, see Troubleshooting IdM replica installation.
