On Wed, Jul 5, 2017 at 7:28 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Pieter Baele via FreeIPA-users wrote:
> No, only "fresh" and updated RHEL 7.3 hosts.
Ok, you were the one that brought up re-installing...
> Connections are being made, but still ipa-client install.
> Can't wait forever on a solution of RH Support, they have/had no clue at
> all, so I'll reinstall - yet the issue intrigues me a bit.
Y
You haven't provided any information here that would allow us to help.
rob
Yes indeed, I was the one that brought up reinstalling 2 of our hosts.
I have a deadline, so there is no choice. Those are 2 management hosts we
need.
Also I never got a request, "please, this looks intriguing for us at well"
....
I could have reinstalled right away instead of trying to debug the ipa
registration process. But all my other 99% similar hosts registered without
a problem.....
We lost precious time also because I had to explain that the engineer was
looking in the wrong direction. Not something a customer should do (!).
But I am still interested in what happened and in IPA in general, hope
there is nothing wrong with that?
Thats why I also submitted some limited information to the mailinglist. It
is not the first time a mailinglist or IRC is more direct.... instead of
going to several support people first.
As demanded I provided an strace as well, and it was clear that the
freeipa-client-install was hanging at the point as explained before.
No explanations from logs and traces IMO.
The only thing that was changed on those 2 hosts was the hostname - but
BEFORE the install of the client. Which was also misunderstood by the
way....
-- Pieter
>
> On Mon, Jul 3, 2017 at 4:53 PM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Pieter Baele via FreeIPA-users wrote:
> > Hi,
> >
> > I've a weird problem with 2 hosts on ipa-client-install
registration.
> > All my servers are using a 99% alike kickstart profile.
> >
> > 8 hosts did their registration almost immediately (after submit of
> admin)
> >
> > But on 2 servers I am stuck with:
> > stderr=
> > trying to retrieve CA cert via LDAP from ....
> >
> > Any idea what the reason could be? I checked: DNS, firewall
> > But all verifications and discovery before this step are
successful.
> >
> > It's only possible I did a ipa-client-uninstall on those hosts
before.
> > (not 100% sure)
> >
>
> Shouldn't matter unless you are running an ancient version of RHEL
6.x.
>
> I'd start with the 389-ds access log and the KDC log on the IPA
master
> and see if connections are being made at all, and with what results.
>
> rob
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
>