From a8e30e96716992e4160abdb7ac5995bb75e54eae Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 16 Mar 2015 16:30:55 +0100 Subject: ipa-client-install: try to get host TGT several times before giving up New option '--kinit-attempts' enables the host to make multiple attempts to obtain host TGT from master before giving up and aborting client installation. In addition, all kinit attempts were replaced by calls to 'ipautil.kinit_keytab' and 'ipautil.kinit_password'. https://fedorahosted.org/freeipa/ticket/4808 Reviewed-By: Jan Cholasta Reviewed-By: Simo Sorce Reviewed-By: Petr Spacek --- ipa-client/man/ipa-client-install.1 | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'ipa-client/man') diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 726a6c133..985cfb064 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -152,6 +152,14 @@ Do not use Authconfig to modify the nsswitch.conf and PAM configuration. \fB\-f\fR, \fB\-\-force\fR Force the settings even if errors occur .TP +\fB\-\-kinit\-attempts\fR=\fIKINIT_ATTEMPTS\fR +In case of unresponsive KDC (e.g. when enrolling multiple hosts at once in a +heavy load environment) repeat the request for host Kerberos ticket up to a +total number of \fIKINIT_ATTEMPTS\fR times before giving up and aborting client +installation. Default number of attempts is 5. The request is not repeated when +there is a problem with host credentials themselves (e.g. wrong keytab format +or invalid principal) so using this option will not lead to account lockouts. +.TP \fB\-d\fR, \fB\-\-debug\fR Print debugging information to stdout .TP -- cgit
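Review bot: The added \-\-kinit\-attempts paragraph gives the default ("Default number of attempts is 5") but not the accepted range or the wait between attempts. Please document what a value of 0 or a negative number does and whether retries are spaced out, since an admin enrolling many hosts against a loaded KDC needs to know how long the installer can block before it aborts. The closing claim "so using this option will not lead to account lockouts" is a security guarantee that depends on the code telling an unresponsive KDC apart from a credential failure. This view is limited to 'ipa-client/man', so that behaviour should be confirmed against the ipautil.kinit_keytab change named in the commit message. The man page would also be easier to verify if it listed the error classes that are not retried instead of giving two examples. Minor wording: "In case of unresponsive KDC" reads better as "If the KDC is unresponsive".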