Hi,
I've a weird problem with 2 hosts on ipa-client-install registration. All my servers are using a 99% alike kickstart profile.
8 hosts did their registration almost immediately (after submit of admin)
But on 2 servers I am stuck with: stderr= trying to retrieve CA cert via LDAP from ....
Any idea what the reason could be? I checked: DNS, firewall. But all verifications and discovery before this step are successful.
It's only possible I did an ipa-client-uninstall on those hosts before. (not 100% sure)
Sincerely Pieter
Pieter Baele via FreeIPA-users wrote:
> Hi,
> I've a weird problem with 2 hosts on ipa-client-install registration. All my servers are using a 99% alike kickstart profile.
> 8 hosts did their registration almost immediately (after submit of admin)
> But on 2 servers I am stuck with: stderr= trying to retrieve CA cert via LDAP from ....
> Any idea what the reason could be? I checked: DNS, firewall. But all verifications and discovery before this step are successful.
> It's only possible I did an ipa-client-uninstall on those hosts before. (not 100% sure)
Shouldn't matter unless you are running an ancient version of RHEL 6.x.
I'd start with the 389-ds access log and the KDC log on the IPA master and see if connections are being made at all, and with what results.
rob
No, only "fresh" and updated RHEL 7.3 hosts.
Connections are being made, but still ipa-client install. Can't wait forever on a solution of RH Support, they have/had no clue at all, so I'll reinstall - yet the issue intrigues me a bit.
On Mon, Jul 3, 2017 at 4:53 PM Rob Crittenden rcritten@redhat.com wrote:
> Shouldn't matter unless you are running an ancient version of RHEL 6.x.
> I'd start with the 389-ds access log and the KDC log on the IPA master and see if connections are being made at all, and with what results.
> rob
Pieter Baele via FreeIPA-users wrote:
> No, only "fresh" and updated RHEL 7.3 hosts.
Ok, you were the one that brought up re-installing...
> Connections are being made, but still ipa-client install. Can't wait forever on a solution of RH Support, they have/had no clue at all, so I'll reinstall - yet the issue intrigues me a bit.
You haven't provided any information here that would allow us to help.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Wed, Jul 5, 2017 at 7:28 PM Rob Crittenden rcritten@redhat.com wrote:
> Pieter Baele via FreeIPA-users wrote:
> > No, only "fresh" and updated RHEL 7.3 hosts.
> Ok, you were the one that brought up re-installing...
> > Connections are being made, but still ipa-client install. Can't wait forever on a solution of RH Support, they have/had no clue at all, so I'll reinstall - yet the issue intrigues me a bit.
> You haven't provided any information here that would allow us to help.
> rob
Yes indeed, I was the one that brought up reinstalling 2 of our hosts.
I have a deadline, so there is no choice. Those are 2 management hosts we need. Also I never got a request, "please, this looks intriguing for us as well" .... I could have reinstalled right away instead of trying to debug the ipa registration process. But all my other 99% similar hosts registered without a problem..... We lost precious time also because I had to explain that the engineer was looking in the wrong direction. Not something a customer should do (!).
But I am still interested in what happened and in IPA in general, hope there is nothing wrong with that?
That's why I also submitted some limited information to the mailing list. It is not the first time a mailing list or IRC is more direct.... instead of going to several support people first.
As demanded I provided an strace as well, and it was clear that the freeipa-client-install was hanging at the point as explained before.
No explanations from logs and traces IMO. The only thing that was changed on those 2 hosts was the hostname - but BEFORE the install of the client. Which was also misunderstood by the way....
-- Pieter