[CentOS] FreeIPA - client/replica errors

Tue Jan 9 19:32:58 UTC 2018
lejeczek <peljasz at yahoo.co.uk>

hi, free IPA everyone?

I wanted to ask if you maybe seen below errors. I'm trying 
regular:

$ ipa-client-install --principal=admin 
--password="ccnR.Biotec13#diradm" --enable-dns-updates

and it fails:
...

    Valid From:  2018-01-09 16:51:35
     Valid Until: 2038-01-09 16:51:35

Enrolled in IPA realm PRIVATE.CCNR.CEB.PRIVATE.CAM.AC.UK
Please make sure the following ports are opened in the 
firewall settings:
      TCP: 80, 88, 389
      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client 
working properly after enrollment:
      TCP: 464
      UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (851968): Unspecified GSS 
failure. Minor code may provide more information, Minor 
(2529638936): Preauthentication failed
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 
'ipa-client-automount --uninstall --debug' returned non-zero 
exit status 1
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was 
moved to /etc/sssd/sssd.conf.deleted
Client uninstall complete.
The ipa-client-install command failed. See 
/var/log/ipaclient-install.log for more information

It's not time sync problem, server & client candidate are in 
sync. Simple install, server installed okey but client fails 
as above.

Does your IPA VERSION: 4.5.0, API_VERSION: 2.228 install 
okey, with no problems?

many thanks, L.