Bug 2148259

Summary: ipa-client-install does not maintain server affinity during installation
Product: Red Hat Enterprise Linux 8 Reporter: Trivino <ftrivino>
Component: ipa Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.8 CC: frenaud, ipa-qe, mjurasek, rcritten, rjeffman, sumenon, tscherf
Target Milestone: rc Keywords: Triaged, ZStream
Target Release: --- Flags: mjurasek: needinfo+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.9.11-3.module+el8.8.0+17609+6cfecbae Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2148258
Clones: 2150246 2150247 2150248 Environment:
Last Closed: 2023-05-16 08:29:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2148258    
Bug Blocks: 2150246, 2150247, 2150248    

Description Trivino 2022-11-24 18:07:29 UTC
+++ This bug was initially created as a clone of Bug #2148258 +++

Cloned from upstream: https://pagure.io/freeipa/issue/9228

### Issue

ipa-client-install generates a temporary krb5.conf with a single KDC configured for the ipa-join call. Once that is completed the temporary configuration is dropped and a full one is created, enabling DNS discovery by default.

A number of Kerberos operations occur after that, including connecting to the IPA API.

This can fail if a different server is picked via DNS and the ipa-client-install operations are faster than replication. This can lead to failures due to unknown hosts.

This was discovered by performance testing to determine how many simultaneous client installations can be performed. It was found that when additional IPA servers were added the capacity unexpectedly went down. It is this replication race that is the underlying problem.

The proposal is to retain the temporary configuration until nearer the end of installation and then write the final one.

### Steps to Reproduce

1. Install IPA + 1 or more replicas
2. Run simultaneous client installations. It sometimes doesn't require many. It's a race, so it is unpredictable.

### Actual behavior

On the client side it will fail with a message that the TGT has been revoked.

gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638932): TGT has been revoked

The server side logs "PAC issue: ipadb_get_principal_failed"

### Expected behavior

Scale enrollments with additional servers.

--- Additional comment from Trivino on 2022-11-24 18:06:21 UTC ---

Upstream ticket:

https://pagure.io/freeipa/issue/9228


Fixed upstream:
master:
    https://pagure.io/freeipa/c/9d9d925b14dbf627546c51c47f6d4e7827645610 Defer creating the final krb5.conf on clients

ipa-4-10:
    https://pagure.io/freeipa/c/3cbf2b25422100cc4105dfb09ee8c7bf87232198 Defer creating the final krb5.conf on clients

ipa-4-9:
    https://pagure.io/freeipa/c/69413325158a3ea06d1491acd77ee6e0955ee89a Defer creating the final krb5.conf on clients
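As an added illustration (not part of the bug report and not the file ipa-client-install writes verbatim), the two krb5.conf shapes the description contrasts: a temporary file that pins every KDC reference to the enrollment server, and a final file that turns on DNS discovery so libkrb5 may pick any KDC advertised in SRV records. The realm, hostnames and port numbers below are constructed placeholders.

```ini
# Constructed example; the realm and hostnames are placeholders.

# --- Temporary krb5.conf used during enrollment ---
# Every KDC reference points at the one server ipa-join talked to, so the
# Kerberos operations that follow (including the IPA API calls) hit the same
# server and do not depend on replication having caught up.
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  EXAMPLE.TEST = {
    kdc = server1.example.test:88
    master_kdc = server1.example.test:88
    admin_server = server1.example.test:749
    kpasswd_server = server1.example.test:464
    default_domain = example.test
  }

# --- Final krb5.conf with DNS discovery enabled ---
# dns_lookup_kdc = true lets libkrb5 choose any KDC returned for the
# _kerberos._udp / _kerberos._tcp SRV records. If this file is written before
# the new host entry has replicated everywhere, a request routed to another
# replica fails with "TGT has been revoked" (server side: ipadb_get_principal
# failed), which is the race the report describes.
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true

[realms]
  EXAMPLE.TEST = {
    default_domain = example.test
  }
```

The fix referenced in the commits above keeps the first shape in place until near the end of the client installation and only then writes the second, so the window in which a not-yet-replicated host entry can be looked up on a different server is closed.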

Comment 1 Trivino 2022-11-24 18:08:39 UTC
Upstream ticket:

https://pagure.io/freeipa/issue/9228


Fixed upstream:
master:
    https://pagure.io/freeipa/c/9d9d925b14dbf627546c51c47f6d4e7827645610 Defer creating the final krb5.conf on clients

ipa-4-10:
    https://pagure.io/freeipa/c/3cbf2b25422100cc4105dfb09ee8c7bf87232198 Defer creating the final krb5.conf on clients

ipa-4-9:
    https://pagure.io/freeipa/c/69413325158a3ea06d1491acd77ee6e0955ee89a Defer creating the final krb5.conf on clients

Comment 2 Florence Blanc-Renaud 2022-11-25 09:05:16 UTC
Upstream ticket https://pagure.io/freeipa/issue/9228

Comment 13 errata-xmlrpc 2023-05-16 08:29:08 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2794