View Issue Details

ID: 0000470
Project: AlmaLinux-8
Category: ipa
View Status: public
Last Update: 2025-02-20 21:18
Reporter: adelton
Assigned To:
Status: new
Resolution: open
Summary: 0000470: ipa-server-install fails with [error] RuntimeError: Failed to initialize kerberos container
Description: When running ipa-server-install in an AlmaLinux 8-based container, the process stops at

  [43/43]: restarting directory server
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [error] RuntimeError: Failed to initialize kerberos container
Failed to initialize kerberos container
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The /var/log/ipaserver-install.log then ends with

2024-07-04T03:41:08Z DEBUG [3/10]: initialize kerberos container
2024-07-04T03:41:08Z DEBUG Starting external process
2024-07-04T03:41:08Z DEBUG args=['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions']
2024-07-04T03:41:08Z DEBUG Process finished, return code=1
2024-07-04T03:41:08Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.TEST',
master key name 'K/M@EXAMPLE.TEST'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

2024-07-04T03:41:08Z DEBUG stderr=kdb5_util: Invalid argument while adding entries to the database

2024-07-04T03:41:08Z DEBUG kdb5_util failed with CalledProcessError(Command ['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kdb5_util: Invalid argument while adding entries to the database\n')
2024-07-04T03:41:08Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/", line 358, in __init_ipa_kdb, nolog=(self.master_password,), stdin=''.join(dialogue))
  File "/usr/lib/python3.6/site-packages/ipapython/", line 600, in run
    p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kdb5_util: Invalid argument while adding entries to the database\n')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/", line 621, in run_step
  File "/usr/lib/python3.6/site-packages/ipaserver/install/", line 361, in __init_ipa_kdb
    raise RuntimeError("Failed to initialize kerberos container")
RuntimeError: Failed to initialize kerberos container

2024-07-04T03:41:08Z DEBUG [error] RuntimeError: Failed to initialize kerberos container
2024-07-04T03:41:08Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/", line 180, in execute
    return_value =
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 344, in run
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 431, in __runner
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 460, in _handle_execute_exception
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 450, in _handle_exception
  File "/usr/lib/python3.6/site-packages/", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 421, in __runner
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 81, in run_generator_with_yield_from
  File "/usr/lib/python3.6/site-packages/", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 655, in _configure
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 431, in __runner
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 460, in _handle_execute_exception
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 518, in _handle_exception
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 450, in _handle_exception
  File "/usr/lib/python3.6/site-packages/", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 450, in _handle_exception
  File "/usr/lib/python3.6/site-packages/", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 421, in __runner
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 81, in run_generator_with_yield_from
  File "/usr/lib/python3.6/site-packages/", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/", line 566, in main
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/", line 278, in decorated
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/", line 893, in install
  File "/usr/lib/python3.6/site-packages/ipaserver/install/", line 215, in create_instance
  File "/usr/lib/python3.6/site-packages/ipaserver/install/", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/", line 621, in run_step
  File "/usr/lib/python3.6/site-packages/ipaserver/install/", line 361, in __init_ipa_kdb
    raise RuntimeError("Failed to initialize kerberos container")

2024-07-04T03:41:08Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Failed to initialize kerberos container
2024-07-04T03:41:08Z ERROR Failed to initialize kerberos container
2024-07-04T03:41:08Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

This is with

# rpm -qf /usr/lib64/krb5/plugins/kdb/
Steps To Reproduce: I believe that even on non-container installation, merely running

ipa-server-install -U -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123

should trigger the issue.

Alternatively, in a checkout directory of, run

docker=podman tests/ Dockerfile.almalinux-8
Additional Information: First reported in

The previous run which used ipa-server-4.9.13-9.module_el8.10.0+3844+20e075e5 worked fine.
Tags: No tags attached.
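
An added example, not part of the report or of FreeIPA's own code: a small Python parser for the ipaserver-install.log layout quoted above that pulls out each external command that exited non-zero, together with the installer step it ran under and its stderr. The function names and the abridged sample log are constructed here, and the parser assumes the record order seen in the excerpt (args, return code, stdout, stderr).

```python
import ast
import re

# Constructed sample, abridged from the log excerpt in the report.
SAMPLE_LOG = """\
2024-07-04T03:41:08Z DEBUG [3/10]: initialize kerberos container
2024-07-04T03:41:08Z DEBUG Starting external process
2024-07-04T03:41:08Z DEBUG args=['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions']
2024-07-04T03:41:08Z DEBUG Process finished, return code=1
2024-07-04T03:41:08Z DEBUG stdout=Loading random data
Enter KDC database master key:

2024-07-04T03:41:08Z DEBUG stderr=kdb5_util: Invalid argument while adding entries to the database

2024-07-04T03:41:08Z ERROR Failed to initialize kerberos container
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\dT[\d:]+Z) (\w+) (.*)$")
STEP = re.compile(r"^\s*\[\d+/\d+\]: (.+)")

def records(text):
    """Group lines into [timestamp, level, message]; untimestamped lines continue the previous record."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append(list(m.groups()))
        elif out:
            out[-1][2] += "\n" + line
    return out

def failed_processes(text):
    """Return one dict per external process that exited non-zero."""
    failures, step, proc = [], None, None
    # Assumption: each process is logged as args, return code, stdout, stderr.
    for ts, _level, msg in records(text):
        m = STEP.match(msg)
        if m:
            step = m.group(1)
        elif msg.startswith("args="):
            proc = {"time": ts, "step": step, "args": ast.literal_eval(msg[5:].strip())}
        elif proc is not None and msg.startswith("Process finished, return code="):
            proc["rc"] = int(msg.split("=", 1)[1])
        elif proc is not None and msg.startswith("stderr="):
            proc["stderr"] = msg[7:].strip()
            if proc.get("rc", 0) != 0:
                failures.append(proc)
            proc = None
    return failures
```

Pass the contents of /var/log/ipaserver-install.log to `failed_processes()` to list the failing commands without reading through the tracebacks.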



2024-07-10 14:30

reporter   ~0001051

I can confirm that the current release doesn't work on a host (non-container) installation and throws exactly the error shown above.
I can also confirm that the release before (4.9.13-9.module_el8.10.0+3844+20e075e5) does work fine.

It seems that one of the two security fixes is broken:
- 0027-kdb-fix-vulnerability-in-GCD-rules-handling.patch
- 0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch

Taking a quick look I think it is related to patch 0027.

The changelog entry:
* Tue Apr 30 2024 Julien Rische <> - 4.9.13-10
- kdb: apply combinatorial logic for ticket flags (CVE-2024-3183)
  Resolves: RHEL-29927
- kdb: fix vulnerability in GCD rules handling (CVE-2024-2698)
  Resolves: RHEL-29692


2024-07-12 12:29

reporter   ~0001052

Update: The issue is caused by 0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch


2024-07-15 14:32

reporter   ~0001053

The call of kdb5_util was NOT modified. With the older/working version and the new/broken version it is always
```
kdb5_util create -s -r REALM.TLD -x ipa-setup-override-restrictions
```
Hence the "Invalid argument while adding entries to the database" is just a follow-up error.


2024-07-16 17:00

reporter   ~0001055

A fresh RHEL 8 installation does not have this issue.

The kdb_util issue:
kdb5_util: MS-PAC generator: Local domain NT attributes not configured


2024-09-05 19:59

reporter   ~0001062

I also can confirm that versionlocking to ipa-server-4.9.13-9.module_el8.10.0+3844+20e075e5 allows this to install.


2024-12-09 18:22

administrator   ~0001093

Could you check now?
I can't reproduce this with ipa-server-4.9.13-12.module_el8.10.0+3877+de559448.x86_64


2025-02-20 21:18

reporter   ~0001111

The importation of almalinux accounts has apparently broken my ability to get update emails. So this is very late. While I cannot confirm ipa-server-4.9.13-12.module_el8.10.0+3877+de559448.x86_64 as working, I _can_ confirm ipa-server-4.9.13-14.module_el8.10.0+3942+63b39a46.x86_64 is working. And hopefully this ticket can now be resolved. Thanks!

Issue History

Date Modified Username Field Change
2024-07-04 03:52 adelton New Issue
2024-07-10 14:30 frank-bergmann Note Added: 0001051
2024-07-12 12:29 frank-bergmann Note Added: 0001052
2024-07-15 14:32 frank-bergmann Note Added: 0001053
2024-07-16 17:00 frank-bergmann Note Added: 0001055
2024-09-05 19:59 archaicx Note Added: 0001062
2024-12-09 18:22 alukoshko Note Added: 0001093
2025-02-20 21:18 archaicx Note Added: 0001111