freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#4808 ipa-client-install should retry if TGT kinit fails

Created 3 years ago by mkosek
Modified 2 years ago

ipa-client-install is prone to installation failures in high-load environments with an unstable network or a network that has some packet loss. The installation most often fails on kinit when trying to get the TGT ticket for the host.

Moving to TCP (ticket #4725, downstream Bugzilla) partially helped, however there were still failures that could only be solved by retrying the TGT kinit step. Given that this step is critical for the client installation and prone to failures, ipa-client-install should be able to retry. There can be a new option --no-retry or similar to achieve faster failures.

Note that in the respective user environment, only the host TGT kinit failed. The preceding admin kinit worked.

This should be a good starting ticket for mbabinsk.

Should we also add some option to let the user specify the number of attempts before the script gives up (something like '--tgt-kinit-attempts' with some default numerical value)? Or is it enough to hardcode some reasonable number of attempts (3, 5, etc.) internally?

I would replace the --no-retry option from the original proposal with a --tgt-kinit-attempts (or some different name) option. --tgt-kinit-attempts=0 would basically mean --no-retry. --tgt-kinit-attempts should have some reasonable default: 4?

4.1.3 was released.

4.1.4 was released, moving to new milestone

master:

  • 415a5ff ipautil: new functions kinit_keytab and kinit_password
  • a8e30e9 ipa-client-install: try to get host TGT several times before giving up
  • 3d2feac Adopted kinit_keytab and kinit_password for kerberos auth

ipa-4-1:

  • 3749c8d ipautil: new functions kinit_keytab and kinit_password
  • 48095ca ipa-client-install: try to get host TGT several times before giving up
  • 0ca8254 Adopted kinit_keytab and kinit_password for kerberos auth

ipa-client-install fails to kinit when non-default config is used. Reopening.

master:

  • 454e869 client-install: Fix kinits with non-default Kerberos config file

ipa-4-1:

  • f6f94ae client-install: Fix kinits with non-default Kerberos config file
2 years ago

Metadata Update from @mkosek:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.1.5
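
The retry behaviour discussed in this ticket, as an added sketch that is not FreeIPA's code and not the `kinit_keytab` named in the commits above. The function name, the fixed delay, the principal and paths, and the reading that an attempts value of 0 or 1 means a single try are assumptions; the stand-in for kinit in `demo` is constructed so the block runs offline.

```python
import os
import subprocess
import time


def kinit_keytab_retry(principal, keytab, ccache, attempts=4, delay=5.0,
                       krb5_config=None, run=subprocess.run, sleep=time.sleep):
    """Try to get a TGT from a keytab, retrying on failure.

    Returns the 1-based number of the attempt that succeeded; raises
    RuntimeError carrying the last kinit error if every attempt failed.
    """
    total = max(1, attempts)          # assumption: 0 or 1 means "no retry"
    env = dict(os.environ)
    if krb5_config is not None:
        # Pass the non-default config to every attempt, not only the first.
        env["KRB5_CONFIG"] = krb5_config
    cmd = ["kinit", "-k", "-t", keytab, "-c", ccache, principal]
    last_error = ""
    for attempt in range(1, total + 1):
        result = run(cmd, env=env, capture_output=True, text=True)
        if result.returncode == 0:
            return attempt
        last_error = (result.stderr or "").strip()
        if attempt < total:
            sleep(delay)              # fixed pause; no sleep after last try
    raise RuntimeError(
        "kinit failed after %d attempt(s): %s" % (total, last_error))


def demo():
    """Constructed stand-in for kinit: fails twice, then succeeds."""
    calls = []

    def fake_run(cmd, env, capture_output, text):
        calls.append(env.get("KRB5_CONFIG"))
        ok = len(calls) >= 3
        return subprocess.CompletedProcess(
            cmd, 0 if ok else 1, "", "" if ok else "constructed failure")

    used = kinit_keytab_retry(
        "host/client.example.test@EXAMPLE.TEST", "/etc/krb5.keytab",
        "FILE:/tmp/example_ccache", attempts=4, delay=0,
        krb5_config="/tmp/example_krb5.conf", run=fake_run, sleep=lambda s: None)
    return used, calls


if __name__ == "__main__":
    print(demo())
```

Building the environment once, outside the loop, keeps the non-default Kerberos config in effect on every retry, which is the case the reopened ticket describes.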


defect

Client

1

pvoborni

https://bugzilla.redhat.com/show_bug.cgi?id=1161722, https://bugzilla.redhat.com/show_bug.cgi?id=1176036
