Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1812871
Description of problem:
While performing daily CI runs, we observe IdM client registration problems. Approximately once every 4/5 CI runs. The environment consists of 2 IdM servers (master and replica) and ~ 30 IdM clients. All RHEL 7.7 systems.

Version-Release number of selected component (if applicable):
IdM server: RHEL 7.7, rhel7/ipa-server:4.6.5-40
IdM clients: ipa-client-4.6.5-11.el7_7.3.x86_64

How reproducible:
The ansible based workflow configured IdM master, then IdM replica, and then 30 clients are being joined via Ansible task.

Steps to Reproduce:
1. Complete IdM master and replica setup
2. Run ipa-client-install via ansible playbook targeting about 30 IdM RHEL 7.7 clients
3.

Actual results:
Observe some clients failing the ipa-join step due to authentication issue (ACIError in HTTPD error_log, and code=17 error in client's ipaclient-install.log)

Expected results:
All clients join IdM master or replica successfully

Additional info:
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1812871
Metadata Update from @rcritten: - Issue assigned to rcritten
From Simo:
mod_auth_gssapi supports an additional option, GssapiDelegCcacheUnique, which, when set to On, would cause mod_auth_gssapi to generate unique ccache names for every new authentication.
This will collect ccaches that will need to be cleaned up. mod_auth_gssapi provides a script to clean up expired ccaches upstream in its contrib directory.
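One way to sweep the ccaches that accumulate once GssapiDelegCcacheUnique is On, as an added example (it is not the mod_auth_gssapi contrib script and not part of this ticket). The directory argument, the 10-minute minimum age and the function names are assumptions; validity is checked with MIT `klist -s`, which exits 1 when a cache is expired or unreadable.

```sh
#!/bin/sh
# Added example: remove expired delegated ccaches from a ccache directory.
# The directory is passed as an argument (placeholder, not taken from the ticket).

# Exit 0 if the ccache file is readable and still holds unexpired credentials.
# klist -s prints nothing and exits 1 for an expired or unreadable cache.
ccache_is_valid() {
    klist -s -c "FILE:$1"
}

# sweep_ccaches DIR [MIN_AGE_MINUTES]
# Deletes regular files directly under DIR that were last modified more than
# MIN_AGE_MINUTES ago (default 10, assumed) and fail ccache_is_valid.
# The age guard keeps the sweep away from a ccache that is still being written.
# Prints the number of files removed.
sweep_ccaches() {
    sweep_dir=$1
    sweep_min_age=${2:-10}
    sweep_removed=0
    [ -d "$sweep_dir" ] || { echo "not a directory: $sweep_dir" >&2; return 2; }
    for f in "$sweep_dir"/*; do
        # Never follow or delete symlinks planted in the directory
        [ -L "$f" ] && continue
        # Only regular files older than the minimum age are candidates
        [ -n "$(find "$f" -prune -type f -mmin "+$sweep_min_age" 2>/dev/null)" ] || continue
        if ! ccache_is_valid "$f"; then
            rm -f -- "$f" && sweep_removed=$((sweep_removed + 1))
        fi
    done
    echo "$sweep_removed"
}

# When called with arguments (for example from cron or a systemd timer), sweep.
if [ "$#" -gt 0 ]; then
    sweep_ccaches "$@"
fi
```

Run it as the user that owns the ccache directory, so it has the rights to read and remove the files and nothing more.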
master:
ipa-4-9:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)