We have 3 IPA servers that are fully synced up. When registering a client via the command 'ipa-client-install -N --mkhomedir', it fails on one IPA server but works on the other 2. The error message we're getting is: "No valid Negotiate header in server response The ipa-client-install command failed."
Client fails to register
Client will successfully register
ipa-server-4.6.8-5.el7.centos.10.x86_64 ipa-client-4.6.8-5.el7.centos.10.x86_64 389-ds-base-1.3.10.2-14.el7_9.x86_64 pki-ca-10.5.18-19.el7_9.noarch krb5-server-1.15.1-51.el7_9.x86_64
Registration seems to be working when we use ipa-client-command with additional parameters: ipa-client-install --hostname=hostname -f --mkhomedir --domain <domain> --no-ntp -v
The FreeIPA issue tracker is not a support service. Please use the freeipa-users@ mailing list for community support. The issue tracker is used to track defects that need fixes in upstream code. Since upstream no longer supports the FreeIPA 4.6 version directly, it makes no sense to open tickets related to possible misconfiguration here.
I would recommend that you read through this thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/PVRGGNYXLSQGSS7XQQFO7MBEFQETZA6D/
While the specific configuration there reflects RHEL8, the only difference is the use of the ccache sweeper and a particular mod_auth_gssapi configuration setting that I mention there in my response. If you have an error message with 'No valid Negotiate header in server response', it is most likely related to issues with access controls of the backing files/directories, as explained in the thread.
Metadata Update from @abbra: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)