[Freeipa-users] ipa-client-install: done remotely, DNS discovery and multiple servers

John Blaut john.blaut at gmail.com
Tue May 7 20:26:48 UTC 2013


Hi

Since EL 6.4, executing ipa-client-install over SSH, i.e. 'ssh <client>
"ipa-client-install <params>"', results in an issue with the host
certificate.

The output returns the following error during the 'ipa-getcert request -d
/etc/pki/nssdb' stage:

TLS: could not close certdb slot - error -8018:Unknown PKCS #11 error.
TLS: could not shutdown NSS - error -8053:NSS could not shutdown

The host certificate remains in state 'status: NEED_CSR' when checking
with ipa-getcert list.

In EL6.2 and EL6.3 this was not an issue.
Perhaps you may reproduce this and advise.
In order to work around this, I end up having to run ipa-client-install
locally on the client.

Also, with 6.4, thanks to the --fixed-primary switch we can now statically
set specific IPA servers to use for a given client, instead of relying on DNS
(SRV record) discovery. Before this feature we would need to patch
sssd.conf manually and restart SSSD, as ipa-client-install would remain
stuck since the given client, via SRV discovery, would attempt to use an IPA
server it does not have access to. Now we no longer have this issue; however,
ipa-client-install still picks the NTP server with which it should
synchronize time during the enrolment process via DNS discovery. In the
past ipa-client-install would 'give up' after 3 attempts or so, but now it
keeps attempting until it encounters a reachable IPA NTP server. In an
environment where there is a significant number of IPA servers installed
and distributed in different places where access is restricted by location,
it can take some time until the reachable IPA/NTP server for a given
client/location is found.

A suggestion would be that if one goes for the --fixed-primary + --server
options, then the omission of DNS discovery should not only apply to the
IPA service but also to time synchronization. In most cases chances are
that if one opts to use specific servers for IPA, one probably also wants
to use specific servers for NTP. Or, for added flexibility, provide another
switch to select a specific server to synchronize time with during the
enrolment process. FYI, use of the --ntp-server switch does not prevent the
enrolment process from using DNS discovery to synchronize the time. I
suppose that switch is only used for setting the NTP server to use if one
wishes to configure NTPD. (Besides, not everyone opts to use NTPD on clients;
some use an ntpdate job, so fixed-server time synchronization during
enrolment should also be possible when using -N/--no-ntp.)

One last thing is that when using the --server option multiple times, it
seems the order in sssd.conf is reversed. For example, if I specify --server
node1 --server node2, in sssd.conf I will end up with 'ipa_server = node2,
node1'. Therefore I specify the servers in reverse order to begin with, in
order to have them configured in the desired order.

Regards

John
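The reversed --server order described in the post is easy to miss until a client starts preferring the wrong server. The following shell snippet is an added example, not code from the post or from the FreeIPA project: it extracts the ipa_server line that ipa-client-install wrote into sssd.conf and compares it with the order the operator intended, so the check can be run right after enrolment (the host names, the domain section and the sample sssd.conf are constructed placeholders; the ipa-client-install invocation in the comment only uses the switches mentioned in the post).

```shell
# Added example (not from the original post or the FreeIPA project):
# verify that the ipa_server order written by ipa-client-install matches
# the order you intended. Assumes sssd.conf keeps ipa_server as a single
# comma-separated line inside a [domain/...] section.
#
# Enrolment as discussed in the post (host names are placeholders), run
# locally on the client because of the certificate problem over SSH:
#   ipa-client-install --fixed-primary \
#       --server node2.example.test --server node1.example.test \
#       --ntp-server ntp1.example.test
# The servers are given in reverse order on purpose, to end up with
# "node1, node2" in sssd.conf as reported in the post.

# Print the configured ipa_server list, normalised to "a,b,c" (no spaces)
# so it can be compared as a single string. Only the first match is used.
ipa_server_order() {
    conf="$1"
    sed -n 's/^[[:space:]]*ipa_server[[:space:]]*=[[:space:]]*//p' "$conf" \
        | head -n 1 | tr -d ' '
}

# Exit 0 when the configured order equals the intended order, 1 otherwise.
# Usage: check_ipa_server_order /etc/sssd/sssd.conf "node1.example.test,node2.example.test"
check_ipa_server_order() {
    [ "$(ipa_server_order "$1")" = "$2" ]
}

# Constructed sssd.conf fragment reproducing the reversal from the post:
# the operator passed --server node1 --server node2 and got node2 first.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_server = node2.example.test, node1.example.test
ipa_hostname = client.example.test
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: show the detected order and whether it matches.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_conf)
    printf 'configured order: %s\n' "$(ipa_server_order "$sample")"
    if check_ipa_server_order "$sample" "node1.example.test,node2.example.test"; then
        echo "order matches intended list"
    else
        echo "order does NOT match intended list (re-run with --server in reverse order)"
    fi
    rm -f "$sample"
fi
```

Run it with --demo to see the constructed case, or point check_ipa_server_order at the real /etc/sssd/sssd.conf after enrolment and fail the provisioning step when it returns non-zero.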

