[Freeipa-users] ipa-client install error

Dmitri Pal dpal at redhat.com
Tue May 1 22:31:52 UTC 2012 

On 05/01/2012 06:15 PM, Steven Jones wrote:
> So this opens a chicken and egg?
>
> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break?  but I cant upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way.....
>

Yes this is a serious problem. Thank you for uncovering it.
Current plan is to: provide a fix for the older clients to be able to
connect to 2.2 via errata.
Make sure that the 2.2 client can connect to the 2.1 server.

Thanks
Dmitri

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 2 May 2012 1:19 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> Steven Jones wrote:
>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite is down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>>
>> ==============
>> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
>> Discovery was successful!
>> Hostname: rhel664ws01.ods.vuw.ac.nz
>> Realm: ODS.VUW.AC.NZ
>> DNS Domain: ods.vuw.ac.nz
>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admjonesst1
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Password for admjonesst1 at ODS.VUW.AC.NZ:
>>
>> Enrolled in IPA realm ODS.VUW.AC.NZ
>> Created /etc/ipa/default.conf
>> Unable to activate the SSH service in SSSD config.
>> Please make sure you have SSSD built with SSH support installed.
>> Configure SSH support manually in /etc/sssd/sssd.conf.
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>> Traceback (most recent call last):
>>    File "/usr/sbin/ipa-client-install", line 1534, in<module>
>>      sys.exit(main())
>>    File "/usr/sbin/ipa-client-install", line 1521, in main
>>      rval = install(options, env, fstore, statestore)
>>    File "/usr/sbin/ipa-client-install", line 1358, in install
>>      api.Backend.xmlclient.connect()
>>    File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>>      conn = self.create_connection(*args, **kw)
>>    File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>>      raise errors.KerberosError(major=str(krberr), minor='')
>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
>> [root at rhel664ws01 ~]#
>> ===========
>>
>> Is this expected when trying to connect 6.3beta? ie its simply not compatible?
>>
> The newer 2.2 client cannot connect to an older 2.1 server because it
> isn't going to send the TGT that the 2.1 server requires. We should
> handle this better, I've opened a ticket to track this:
> https://fedorahosted.org/freeipa/ticket/2697
>
> rob
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-users mailing list