#8589 Intermittent IdM Client Registration Failures
Closed: fixed 4 months ago by rcritten. Opened 5 months ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1812871

Description of problem:
While performing daily CI runs, we observe IdM client registration problems.
Approximately once every 4/5 CI runs. The environment consists of 2 IdM servers
(master and replica) and ~ 30 Idm clients.  All RHEL 7.7 systems.

Version-Release number of selected component (if applicable):
IdM server:  RHEL 7.7, rhel7/ipa-server:4.6.5-40
IdM clients: ipa-client-4.6.5-11.el7_7.3.x86_64

How reproducible:
The ansible based workflow configured IdM master, then IdM replica, and then 30
clients are being joined via Ansible task


Steps to Reproduce:
1. Complete IdM master and replica setup
2. Run ipa-client-install via ansible playbook targeting about 30 IdM RHEL 7.7
clients
3.

Actual results:
Observe some clients failing the ipa-join step due to authentication issue
(ACIError in HTTPD error_log, and code=17 error in client's
ipaclient-install.log)

Expected results:
All clients join IdM master or replica successfully

Additional info:

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1812871

5 months ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

5 months ago

From Simo:

mod_auth_gssapi supports an additional option:
GssapiDelegCcacheUnique which set to On would cause mod_auth_gssapi to
generate unique ccache names for every new authentication.

This will collect ccaches that will need to be cleaned up. mod_auth_gssapi provides a script to clean up expired ccaches upstream in its contrib directory.

master:

  • 83813cf Convert reset_to_default_policy into a pytest fixture
  • c6644b8 Generate a unique cache for each connection
  • 865c076 ipatests: test that stale caches are removed using the sweeper
  • 469274f Enable the ccache sweep systemd timer
  • d460f02 Increase timeout for krbtpolicy to 4800

ipa-4-9:

  • 848dffb Convert reset_to_default_policy into a pytest fixture
  • 51b186b Generate a unique cache for each connection
  • 22fa1a7 ipatests: test that stale caches are removed using the sweeper
  • 068d085 Enable the ccache sweep systemd timer
  • 28ed75c Increase timeout for krbtpolicy to 4800

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 months ago

master:

  • 6b93636 Add ccache sweeper files to gitignore

ipa-4-9:

  • 56b8497 Add ccache sweeper files to gitignore

Login to comment on this ticket.

Metadata