In what phase do you run the script? It should be one of the last scripts in the final phase for the install to work reliably. If it’s in preconfig or config phase it breaks 9 out of 10 times.


On 29 May 2019, at 22:53, Boudjoudad Abdelkader <> wrote:

I'm using cloud-init with this script:
locale-gen en_CA.utf8
locale-gen en_US.utf8

IP=$(hostname -i | awk '{print $1}')
echo "$" > /etc/hostname
echo "FQDN is: $FQDN"
sed -i  "1 i\
$IP $FQDN $HOSTNAME" /etc/hosts
apt-get -y update
apt-get install -y nfs-kernel-server nfs-common
DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
ipa-client-install  --hostname=$(hostname -f) --domain --no-ntp --unattended --principal admin --password 'Deep201' --realm EXAMPLE.COM --enable-dns-updates --force --force-join
sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf

I will test with only --enable-dns-updates, principal and password
The network is configured well because i can reach the nfs server.

On Wed, May 29, 2019 at 4:44 PM John Keates <> wrote:
What I meant was that you are already practically disabling it; you specify the hostname, domain, server, realm on your command line but those should be discoverable.
Here is an enrollment jinja2 template I use:

ipa-client-install -U --enable-dns-updates --principal={{freeipa.client.enroll.username}} --password={{freeipa.client.enroll.password}}

It’s all that’s needed as long as your network has the correct setup. You’d replace the principal and password with your own of course.
It would probably look like:

ipa-client-install -U --enable-dns-updates —principal=admin --password=Deep201qa


On 29 May 2019, at 22:39, Boudjoudad Abdelkader <> wrote:

Hi John,
Thank you for the quick reply,

To disable autodiscrovery the option is ?

On Wed, May 29, 2019 at 4:18 PM John Keates <> wrote:
I don’t know what you are missing, but I do know that in theory your enrolment should work with just -U for unattended and the principal and password.
Unless you have a special environment that requires auto discovery to be disabled, I’d recommend using it.

I’m enrolling clients in three ways that all work this way, one using a Cloud-Init module, one using a SaltStack formula and one using a Lambda function that uses SSH to connect to a machine and run the enrolment remotely.

The text from your mount command seems to suggest a timeout issue, perhaps the network isn’t up or DNS is broken? I’m also seeing you using an IP, it’s usually a sign of an incomplete or improper network setup (but technically it should be fine)


On 29 May 2019, at 22:10, Boudjoudad Abdelkader via FreeIPA-users <> wrote:

I'm trying to automate freeipa-client installation on Ubuntu with custom script using MAAS as follow :
IP=$(hostname -i | awk '{print $1}')
echo "$" > /etc/hostname
echo "FQDN is: $FQDN"
sed -i  "1 i\
$IP $FQDN $HOSTNAME" /etc/hosts
apt-get -y update
apt-get install -y nfs-kernel-server nfs-common
DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
ipa-client-install  --hostname=$(hostname -f) --domain --no-ntp --unattended --principal admin --password 'Deep201qa' --realm EXAMPLE.COM --enable-dns-updates
sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
service sssd restart

After the deployment i can do  kinit domain_user and ipa user-show without any problem, but when i tried to mount an nfs in /ec/fstab with the following options i get an error:
The  mount in /etc/fstab:  nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none 0 0
The error:
mount -av
/                        : ignored
none                     : ignored
mount.nfs4: timeout set for Wed May 29 20:04:29 2019
mount.nfs4: trying text-based options 'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=,clientaddr=IP_ADDR0ESS

I tried to install  freeipa-client manually and the nfs mount works:

What i'm missing?

FreeIPA-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives: