On 10/12/2017 01:32 PM, Rob Crittenden wrote:
Mark Haney via FreeIPA-users wrote:

That's a tough one. ipa-client-install makes many (a dozen?) connections while it does its thing.

You might try pre-generating the host entry and keytab, ship it to the machine, then use the --keytab option. ipa-join does less in that case though it would still be prone to failure. I'm not aware of a way to increase the TLS timeouts.

Not sure if your company policy will allow it but you could also manually (or Puppet or Ansible) configure the machine. You'd need to push in a keytab, krb5.conf, sssd.conf, etc. but using a CM mechanism it would at least be reproducible assuming those are more tolerant of the packet loss.


Yeah, I was afraid of that. The really big issue is that even manually copying files of any size fails ~50% of the time. I've not done a manual setup, but it might be the only way to get these working. Personally, the fact I'm spending weeks working on this, when NO ONE on staff will ever log in using their IPA credentials is just silly and a waste of my (very well paid) time. I appreciate the help and I'll work on a manual setup.

Maybe some holy water wouldn't be a bad idea.....

Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
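
The thread above suggests pre-generating a keytab and shipping it to a client over a link where file copies often fail. The following is an added example, not part of the original messages or of FreeIPA: a shell function that retries the transfer until the received file matches a SHA-256 digest taken on the sending side, keeping the keytab at mode 0600 throughout. The function name `fetch_verified`, the `COPY_CMD` variable, and all host names and paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pull a pre-generated keytab over a lossy link, retrying until
# the received bytes match a SHA-256 taken on the sending side.
#
# Typical use (host names and paths are placeholders):
#   IPA server: ipa host-add client.example.test
#               ipa-getkeytab -s ipa.example.test \
#                   -p host/client.example.test -k client.keytab
#               sha256sum client.keytab      # pass the digest out of band
#   client:     fetch_verified admin@ipa.example.test:client.keytab \
#                   /root/client.keytab <digest>
#               ipa-client-install --keytab /root/client.keytab

# Copy command is an assumption; anything taking "SRC DST" works.
COPY_CMD=${COPY_CMD:-scp -q}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# fetch_verified SRC DST WANT_SHA256 [ATTEMPTS]
# Returns 0 once a copy with the expected digest is in place, 1 otherwise.
fetch_verified() {
    src=$1 dst=$2 want=$3 attempts=${4:-5}
    tmp="$dst.part"
    i=1
    while [ "$i" -le "$attempts" ]; do
        # umask 077: the keytab holds the host's long-term key, so it must
        # never be group- or world-readable, even while partially written.
        if (umask 077; $COPY_CMD "$src" "$tmp") 2>/dev/null &&
           [ "$(sha256_of "$tmp")" = "$want" ]; then
            # Only a fully verified file is ever visible at DST.
            chmod 600 "$tmp" && mv -f "$tmp" "$dst" && return 0
        fi
        rm -f "$tmp"    # discard truncated or corrupted attempts
        i=$((i + 1))
    done
    return 1
}
```
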
