[Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server
Rob Crittenden
rcritten at redhat.com
Wed May 2 14:32:54 UTC 2012
Martin Kosek wrote:
> Testing instructions included in the ticket.
> ---
> IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
> delegation, i.e. ipa command no longer forwards Kerberos TGT to the
> server during authentication. However, when IPA client of version
> 2.2 and higher tries to join an older IPA server, the installer
> crashes because the pre-2.2 server expects the TGT to be forwarded.
>
> This patch adds a fallback to ipa-client-install which would detect
> this situation and tries connecting with TGT forwarding enabled
> again.
>
> https://fedorahosted.org/freeipa/ticket/2697
Still working on testing this, just a couple of initial comments.

I'd like to see the second and 3rd exceptions be logged as well as
printed to stderr (this is a common problem in ipa-client-install, we
don't log as much as we should).

Will it be confusing to print the bit about S4U2Proxy? I think
simplifying as "you are running a newer client than the IPA server so some
capabilities may not be available" or something like that.

rob