Mark Haney wrote:
On 10/12/2017 01:32 PM, Rob Crittenden wrote:
Mark Haney via FreeIPA-users wrote:

That's a tough one. ipa-client-install makes many (a dozen?)
connections while it does its thing.

You might try pre-generating the host entry and keytab, ship it to the
machine, then use the --keytab option. ipa-join does less in that case
though it would still be prone to failure. I'm not aware of a way to
increase the TLS timeouts.

Not sure if your company policy will allow it but you could also
manually (or puppet or ansible) configure the machine. You'd need to
push in a keytab, krb5.conf, sssd.conf, etc. but using a CM mechanism
it would at least be reproducible assuming those are more tolerant of
the packet loss.


Yeah, I was afraid of that.  The really big issue is that even manually
copying files of any size fails ~50% of the time.  I've not done a
manual setup, but it might be the only way to get these working.
Personally, the fact I'm spending weeks working on this, when NO ONE on
staff will ever log in using their IPA credentials is just silly and a
waste of my (very well paid) time.  I appreciate the help and I'll work
on a manual setup.

Maybe some holy water wouldn't be a bad idea.....

On the bright side, if anyone were ever to log into the machines, then the sssd cache would likely make it far easier on subsequent attempts.

