[Freeipa-users] ipa-client-install: done remotely, DNS discovery and multiple servers

Rob Crittenden rcritten at redhat.com
Tue May 7 20:50:21 UTC 2013


John Blaut wrote:
> Hi
>
> Since EL 6.4, executing ipa-client-install over SSH i.e. 'ssh <client>
> "ipa-client-install <params>"', results in an issue with the host
> certificate.
>
> The output returns the following error during the: 'ipa-getcert request
> -d /etc/pki/nssdb' stage:
>
> TLS: could not close certdb slot - error -8018:Unknown PKCS #11 error.
> TLS: could not shutdown NSS - error -8053:NSS could not shutdown
>
> The host certificate remains in state: 'status: NEED_CSR' when checking
> with ipa-getcert list

I'm not able to reproduce this.

You might try:

ipa-getcert resubmit -i <requestid> post-install to see if it goes out 
of NEED_CSR.

> In EL6.2 and EL6.3 this was not an issue.
> Perhaps you may reproduce this and advise.
> In order to work around this, I end up having to run ipa-client-install
> locally on the client.
>
> Also, with 6.4, thanks to the --fixed-primary switch we can now
> statically set specific IPA servers to use for a given client, instead
> of relying on DNS (SRV records) discovery. Before this feature we would
> need to patch the sssd.conf manually and restart SSSD, as
> ipa-client-install would remain stuck since the given client via SRV
> discovery would attempt using an IPA server it does not have access to.
> Now we no longer have this issue, however ipa-client-install still picks
> the NTP server with which it should synchronize time during the
> enrolment process via DNS discovery. In the past ipa-client-install
> would 'give up' after 3 attempts or so, but now it keeps attempting
> until it encounters a reachable IPA NTP server. In an environment where
> there is a significant amount of IPA servers installed and distributed
> in different places where access is restricted by location, it can take
> some time until the reachable IPA/NTP server for a given client/location
> is found.
>
> A suggestion would be that if one goes for the --fixed-primary +
> --server options, then the omission of DNS discovery should not only
> apply to the IPA service but also for time synchronization. In most
> cases chances are that if one opts to use specific servers for IPA, one
> probably also wants to use specific servers for NTP. Or for added
> flexibility, provide another switch to select a specific server to
> synchronize time with during the enrolment process. FYI, use of the
> --ntp-server switch does not prevent the enrolment process from using
> DNS discovery to synchronize the time. I suppose that switch is only
> used for setting the NTP server to use if one wishes to configure NTPD.
> (Besides not everyone opts to use NTPD on clients - some use an ntpdate
> job - so fixed-server time synchronization during enrolment should also
> be possible when using -N/--no-ntp)

We have a number of tickets against NTP. There is some amount of 
overlap, but it doesn't seem to cover everything.

Specifically tickets https://fedorahosted.org/freeipa/ticket/3092, 
https://fedorahosted.org/freeipa/ticket/2992 and 
https://fedorahosted.org/freeipa/ticket/1954

If we've missed anything any chance you can open a ticket (or tickets) 
for the new features?

> One last thing is that when using the --server option multiple times, it
> seems the order in sssd.conf is reversed. Example if I specify --server
> node1 --server node2, in sssd.conf I will end up with: ipa_server =
> node2, node1. Therefore I specify the servers to begin with in reverse
> order, in order to have them configured in the desired order.

Fixed upstream https://fedorahosted.org/freeipa/ticket/3418

regards

rob
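As a post-install check for the NEED_CSR problem described in the thread, the following script is an added example (not code from Rob, John or the FreeIPA project). It parses `ipa-getcert list` output, reports every certmonger request whose status is not MONITORING, and prints the matching `ipa-getcert resubmit -i <requestid>` command rather than running it. The `Request ID '...':` and `status:` line layout is certmonger's; the sample output embedded below is constructed, and the hostnames and request IDs in it are made up.

```shell
#!/bin/sh
# Added example: find certmonger tracking requests that did not reach
# MONITORING (for instance the NEED_CSR state seen after a remote
# ipa-client-install) and show how to resubmit them.

# Constructed sample of 'ipa-getcert list' output, so the script runs
# offline. Request IDs and hostnames are invented.
sample_list() {
  cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20130507203000':
	status: NEED_CSR
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client1.example.test',token='NSS Certificate DB'
Request ID '20130507203100':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
EOF
}

# Read 'ipa-getcert list' output on stdin and print "<requestid> <status>"
# for every request whose status is anything other than MONITORING.
stuck_requests() {
  awk '
    /^Request ID/ {
      id = $3
      gsub(/[^0-9A-Za-z]/, "", id)   # strip the quotes and trailing colon
    }
    /^[[:space:]]*status:/ {
      if ($2 != "MONITORING") print id, $2
    }
  '
}

# Turn the stuck list into the resubmit commands Rob suggests; printed,
# not executed, so an operator can review them first.
resubmit_commands() {
  stuck_requests | awk '{ printf "ipa-getcert resubmit -i %s\n", $1 }'
}

# Real usage on an enrolled client would be:
#   ipa-getcert list | resubmit_commands
# Here the constructed sample is used instead.
sample_list | resubmit_commands
```

On a healthy client the script prints nothing; a line such as `ipa-getcert resubmit -i 20130507203000` identifies a request worth re-checking with `ipa-getcert list -i <requestid>` after the resubmit.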