ipa-client-install generates a temporary krb5.conf with a single KDC configured for ipa-join call. Once that is completed the temporary configuration is dropped and a full one is created, enabling DNS discovery by default.
A number of Kerberos operations occur after that, including connecting to the IPA API.
This can fail if a different server is picked via DNS and the ipa-client-install operations are faster than replication. This can lead to failures due to unknown hosts.
This was discovered by performance testing to determine how many simultaneous client installations can be performed. It was found that when additional IPA servers were added the capacity unexpectedly went down. It is this replication race that is the underlying problem.
The proposal is to retain the temporary configuration until nearer the end of installation and then write the final one.
On the client side it will fail with a message that the TGT has been revoked.
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638932): TGT has been revoked
The server side logs "PAC issue: ipadb_get_principal_failed".
Scale enrollments with additional servers.
Tested on Fedora 36 with 4.9.10-3.fc36
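The two krb5.conf shapes involved in the race, shown side by side as an added illustration (this is not text from the ticket or a file from the FreeIPA project; the realm EXAMPLE.TEST, the domain example.test and the server name ipa1.example.test are assumptions). Fragment (a) is the single-KDC style the installer uses for ipa-join, where dns_lookup_kdc is off and an explicit kdc entry pins every request to one server. Fragment (b) is the discovery-enabled style, where the absence of kdc entries makes libkrb5 resolve _kerberos._udp.example.test SRV records and pick whichever replica answers, which is the window in which a not-yet-replicated host principal produces the "TGT has been revoked" failure described above.

```ini
# Added example, not from the ticket or the FreeIPA project.
# EXAMPLE.TEST / example.test / ipa1.example.test are assumed names.

# --- (a) single-KDC configuration: keep this for the whole enrollment ---
# DNS discovery is off and every KDC request goes to the one server the
# client enrolled against, so replication lag to other replicas cannot
# surface while the installer is still working.
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false

[realms]
  EXAMPLE.TEST = {
    kdc = ipa1.example.test:88
    master_kdc = ipa1.example.test:88
    admin_server = ipa1.example.test:749
    default_domain = example.test
  }

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST

# --- (b) discovery-enabled configuration: safe only after enrollment ---
# No kdc entries: libkrb5 looks up _kerberos._udp.example.test (and the
# _tcp / _kerberos-master variants) and may select any replica, including
# one that has not yet received the new host principal.
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false

[realms]
  EXAMPLE.TEST = {
    default_domain = example.test
  }

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
```

To confirm which KDC a client actually contacted during a failing run, MIT krb5's KRB5_TRACE environment variable (for example `KRB5_TRACE=/dev/stderr kinit -k`) prints each KDC lookup and the address sent to; a trace showing a replica other than the enrollment server, immediately followed by the revoked-TGT error, is the signature of this race rather than of a genuinely revoked credential.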
master:
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
@rcritten IMO this enhancement is worth mentioning in the release notes. Could you add a small description in this ticket's changelog so that the RNs for the next release will automatically pick the text? Thanks
Metadata Update from @rcritten: - Custom field changelog adjusted to ipa-client-install will use a single server for the duration of the installation process, either one discovered or provided on the command-line. Previously it would use a temporary configuration to do enrollment, then switch to a final one for the remaining operations. This could lead to the installer talking with multiple servers. If the client installer is faster than replication this could lead to errors.
Metadata Update from @ftrivino: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2148258 https://bugzilla.redhat.com/show_bug.cgi?id=2148259
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2148258, https://bugzilla.redhat.com/show_bug.cgi?id=2148259, https://bugzilla.redhat.com/show_bug.cgi?id=2148249 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2148258 https://bugzilla.redhat.com/show_bug.cgi?id=2148259)
Issue linked to bugs
- https://bugzilla.redhat.com/show_bug.cgi?id=2148249 RHEL 7
- https://bugzilla.redhat.com/show_bug.cgi?id=2148258 RHEL 9
- https://bugzilla.redhat.com/show_bug.cgi?id=2148259 RHEL 8
ipa-4-6: