#5842 Replica installation fails with ipa-getkeytab timeouts
Closed: Fixed None Opened 6 years ago by ofayans.

A lot of replica installations in upstream CI fail with ipa-getkeytab timeouts.
Error message normally looks like this:

  [38/43]: adding replication acis
  [39/43]: enabling compatibility plugin
  [40/43]: activating sidgen plugin
  [41/43]: activating extdom plugin
  [42/43]: tuning directory server
  [43/43]: configuring directory to start on boot
Done configuring directory server (dirsrv).
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Command '/usr/sbin/ipa-getkeytab -k /etc/httpd/conf/ipa.keytab -p HTTP/vm-177.example.com@DOM-102.EXAMPLE.COM -s vm-102.example.com' returned non-zero exit status 9
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

2500    2016-04-22T14:08:15Z DEBUG Starting external process
2501    2016-04-22T14:08:15Z DEBUG args=/usr/sbin/ipa-getkeytab -k /etc/httpd/conf/ipa.keytab -p HTTP/vm-177.example.com@DOM-102.example.COM -s vm-102.example.com
2502    2016-04-22T14:08:36Z DEBUG Process finished, return code=9
2503    2016-04-22T14:08:36Z DEBUG stdout=
2504    2016-04-22T14:08:36Z DEBUG stderr=Timeout exceeded.Missing reply control list!
2505    Retrying with pre-4.0 keytab retrieval method...
2506    Timeout exceeded.Missing reply control list!
2507    ber_init() failed, Invalid control ?!
2508    Failed to get keytab

I was investigating this with Milan and raising timeout helped him.

Default timeout 10 seconds was not enough for him, 100 seconds worked.

I see a patch on the list.

master:

  • deb99c1 Increase ipa-getkeytab LDAP timeout to 100sec

Metadata Update from @ofayans:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.4

5 years ago

Login to comment on this ticket.

Metadata