subject:"\[Freeipa\-users\] Re\: trying to retrieve CA cert via LDAP .... stuck"

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

2017-07-05 Thread Pieter Baele via FreeIPA-users

On Wed, Jul 5, 2017 at 7:28 PM Rob Crittenden  wrote:

> Pieter Baele via FreeIPA-users wrote:
> > No, only "fresh" and updated RHEL 7.3 hosts.
>
> Ok, you were the one that brought up re-installing...
>
> > Connections are being made, but still ipa-client install.
> > Can't wait forever on a solution of RH Support, they have/had no clue at
> > all, so I'll reinstall - yet the issue intrigues me a bit.
> Y
> You haven't provided any information here that would allow us to help.
>
> rob
>
>

Yes indeed, I was the one that brought up reinstalling 2 of our hosts.

I have a deadline, so there is no choice. Those are 2 management hosts we
need.
Also I never got a request, "please, this looks intriguing for us at well"

I could have reinstalled right away instead of trying to debug the ipa
registration process. But all my other 99% similar hosts registered without
a problem.
We lost precious time also because I had to explain that the engineer was
looking in the wrong direction. Not something a customer should do (!).

But I am still interested in what happened and in IPA in general, hope
there is nothing wrong with that?

Thats why I also submitted some limited information to the mailinglist.  It
is not the first time a mailinglist or IRC is more direct instead of
going to several support people first.

As demanded I provided an strace as well, and it was clear that the
freeipa-client-install was hanging at the point as explained before.

No explanations from logs and traces IMO.
The only thing that was changed on those 2 hosts was the hostname - but
BEFORE the install of the client. Which was also misunderstood by the
way

-- Pieter

> >
> > On Mon, Jul 3, 2017 at 4:53 PM Rob Crittenden  > > wrote:
> >
> > Pieter Baele via FreeIPA-users wrote:
> > > Hi,
> > >
> > > I've a weird problem with 2 hosts on ipa-client-install
> registration.
> > > All my servers are using a 99% alike kickstart profile.
> > >
> > > 8 hosts did their registration almost immediately (after submit of
> > admin)
> > >
> > > But on 2 servers I am stuck with:
> > > stderr=
> > > trying to retrieve CA cert via LDAP from 
> > >
> > > Any idea what the reason could be? I checked: DNS, firewall
> > > But all verifications and discovery before this step are
> successful.
> > >
> > > It's only possible I did a ipa-client-uninstall on those hosts
> before.
> > > (not 100% sure)
> > >
> >
> > Shouldn't matter unless you are running an ancient version of RHEL
> 6.x.
> >
> > I'd start with the 389-ds access log and the KDC log on the IPA
> master
> > and see if connections are being made at all, and with what results.
> >
> > rob
> >
> >
> >
> > ___
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> >
>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

2017-07-05 Thread Rob Crittenden via FreeIPA-users

Pieter Baele via FreeIPA-users wrote:
> No, only "fresh" and updated RHEL 7.3 hosts.

Ok, you were the one that brought up re-installing...

> Connections are being made, but still ipa-client install. 
> Can't wait forever on a solution of RH Support, they have/had no clue at
> all, so I'll reinstall - yet the issue intrigues me a bit.
Y
You haven't provided any information here that would allow us to help.

rob

> 
> 
> 
> 
> On Mon, Jul 3, 2017 at 4:53 PM Rob Crittenden  > wrote:
> 
> Pieter Baele via FreeIPA-users wrote:
> > Hi,
> >
> > I've a weird problem with 2 hosts on ipa-client-install registration.
> > All my servers are using a 99% alike kickstart profile.
> >
> > 8 hosts did their registration almost immediately (after submit of
> admin)
> >
> > But on 2 servers I am stuck with:
> > stderr=
> > trying to retrieve CA cert via LDAP from 
> >
> > Any idea what the reason could be? I checked: DNS, firewall
> > But all verifications and discovery before this step are successful.
> >
> > It's only possible I did a ipa-client-uninstall on those hosts before.
> > (not 100% sure)
> >
> 
> Shouldn't matter unless you are running an ancient version of RHEL 6.x.
> 
> I'd start with the 389-ds access log and the KDC log on the IPA master
> and see if connections are being made at all, and with what results.
> 
> rob
> 
> 
> 
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

2017-07-03 Thread Pieter Baele via FreeIPA-users

No, only "fresh" and updated RHEL 7.3 hosts.

Connections are being made, but still ipa-client install.
Can't wait forever on a solution of RH Support, they have/had no clue at
all, so I'll reinstall - yet the issue intrigues me a bit.




On Mon, Jul 3, 2017 at 4:53 PM Rob Crittenden  wrote:

> Pieter Baele via FreeIPA-users wrote:
> > Hi,
> >
> > I've a weird problem with 2 hosts on ipa-client-install registration.
> > All my servers are using a 99% alike kickstart profile.
> >
> > 8 hosts did their registration almost immediately (after submit of admin)
> >
> > But on 2 servers I am stuck with:
> > stderr=
> > trying to retrieve CA cert via LDAP from 
> >
> > Any idea what the reason could be? I checked: DNS, firewall
> > But all verifications and discovery before this step are successful.
> >
> > It's only possible I did a ipa-client-uninstall on those hosts before.
> > (not 100% sure)
> >
>
> Shouldn't matter unless you are running an ancient version of RHEL 6.x.
>
> I'd start with the 389-ds access log and the KDC log on the IPA master
> and see if connections are being made at all, and with what results.
>
> rob
>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

2017-07-03 Thread Rob Crittenden via FreeIPA-users

Pieter Baele via FreeIPA-users wrote:
> Hi,
> 
> I've a weird problem with 2 hosts on ipa-client-install registration.
> All my servers are using a 99% alike kickstart profile.
> 
> 8 hosts did their registration almost immediately (after submit of admin)
> 
> But on 2 servers I am stuck with:
> stderr=
> trying to retrieve CA cert via LDAP from 
> 
> Any idea what the reason could be? I checked: DNS, firewall
> But all verifications and discovery before this step are successful.
> 
> It's only possible I did a ipa-client-uninstall on those hosts before.
> (not 100% sure)
> 

Shouldn't matter unless you are running an ancient version of RHEL 6.x.

I'd start with the 389-ds access log and the KDC log on the IPA master
and see if connections are being made at all, and with what results.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

4 matches

Site Navigation

Mail list logo

Footer information