Mark Haney via FreeIPA-users wrote:
I appreciate all the ideas on how to fix the SSL cert issue on updating
to 4.5.0, I'll work on that next week I hope.
This one should be much quicker (hopefully). My boss has insisted that
I get ipa-clients working on a half-dozen or so servers located in
Alaska. (Believe me, I argued strenuously over this, but was told 'no
unicorns'.) I've got all but two working, though login times range from
1-5 minutes depending on the weather. These last two are on incredibly
unstable links, I've spent three weeks updating just the core packages
to get the ipa-client to /install/. We're talking average 20-30% packet
loss and an average download speed for updates of ~500B/s to 10kB/s.
They are satellite links, all of them, by the way.
That said, finished up getting one ready and this morning tried to join
the domain. It took about ten minutes and bombed with:
Joining realm failed: libcurl failed to execute the HTTP POST
transaction. timed out before SSL handshake
So, is there a way to up the timeout for this? I can up the timeout for
curl on the command line, but I don't think that would help with this
issue. Any ideas?
That's a tough one. ipa-client-install makes many (a dozen?) connections
while it does its thing.
You might try pre-generate the host entry and keytab, ship it to the
machine, then use the --keytab option. ipa-join does less in that case
though it would still be prone to failure. I'm not aware of a way to
increase the TLS timeouts.
Not sure if your company policy will allow it but you could also
manually (or puppet or ansible) configure the machine. You'd need to
push in a keytab, krb5.conf, sssd.conf, etc. but using a CM mechanism it
would at least be reproducible assuming those are more tolerant of the
packet loss.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
