John Blaut wrote:
Hi

Since EL 6.4, executing ipa-client-install over SSH i.e. 'ssh <client>
"ipa-client-install <params>"', results in an issue with the host
certificate.

The output returns the following error during the: 'ipa-getcert request
-d /etc/pki/nssdb' stage:

TLS: could not close certdb slot - error -8018:Unknown PKCS #11 error.
TLS: could not shutdown NSS - error -8053:NSS could not shutdown

The host certificate remains in state: 'status: NEED_CSR' when checking
with ipa-getcert list

I'm not able to reproduce this.

You might try:

ipa-getcert resubmit -i <requestid> post-install to see if it goes out of NEED_CSR.

In EL6.2 and EL6.3 this was not an issue.
Perhaps you may reproduce this and advise.
In order to work around this, I end up having to run ipa-client-install
locally on the client.

Also, with 6.4, thanks to the --fixed-primary switch we can now
statically set specific IPA servers to use for a given client, instead
of rely on DNS (SRV records) discovery. Before this feature we would
need to patch the sssd.conf manually and restart SSSD, as
ipa-client-install would remain stuck since the given client via SRV
discovery would attempt using an IPA server it does not have access to.
Now we longer have this issue, however ipa-client-install still picks
the NTP server with which it should synchronize time during the
enrolment process via DNS discovery. In the past ipa-client-install
would 'give up' after 3 attempts or so, but now it keeps attempting
until it encounters a reachable IPA NTP server. In an environment where
there is a significant amount of IPA servers installed and distributed
in different places where access is restricted by location, it can take
some time until the reachable IPA/NTP server for a given client/location
is found.

A suggestion would be that if one goes for the --fixed-primary +
--server options, then the omission of DNS discovery should not only
apply to the IPA service but also for time synchronization. In most
cases chances are that if one opts to use specific servers for IPA, one
probably also wants to use specific servers for NTP. Or for added
flexibility, provide another switch to select a specifc server to
synchronize time with during the enrolment process. FYI, use of the
--ntp-server switch does not prevent the enrolment process from using
DNS discovery to synchronize the time. I suppose that switch is only
used for setting the NTP server to use if one wishes to configure NTPD.
(Besides not everyone opts to use NTPD on clients - some use an ntpdate
job - so fixed-server time synchronization during enrolment should also
be possible when using -N/--no-ntp)

We have a number of tickets against NTP. There is some amount of overlap, but it doesn't seem to cove everything.

Specifically tickets https://fedorahosted.org/freeipa/ticket/3092, https://fedorahosted.org/freeipa/ticket/2992 and https://fedorahosted.org/freeipa/ticket/1954

If we've missed anything any chance you can open a ticket (or tickets) for the new features?

One last thing is that when using the --server option multiple times, it
seems the order in sssd.conf is reversed. Example if I specify --server
node1 --server node2, in sssd.conf I will end up with: ipa_server =
node2, node1 Therefore I specify the servers to begin with in reverse
order, in order to have them configured in the desired order.

Fixed upstream https://fedorahosted.org/freeipa/ticket/3418

regards

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to