[Freeipa-users] version mismatch while joining a client ?

[Steven Jones]

Hi,

It appears this change also effects RHEL6.1 as well....I have the same message when I try and join new machines.

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

8><-----

> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.

8><-----

I think this is the problem caused by a recent libcurl change. libcurl
recently dropped support for GSSAPI ticket delegation which is needed
for the enrollment. If you look in the Apache error log on the IPA
server I'll bet there is an error about principal.

We're waiting on upstream to add support for forwarding back in. Until
then your options are limited. The change was made because it was
considered a security issue: whenever forwarding was allow the ticket
was sent whether it was requested or not.

Downgrading libcurl will fix the problem for enrollment. You should
evaluate the CVE to decide the course of action:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192

rob

8><----