[Freeipa-users] ipa-client install error

Steven Jones Steven.Jones at vuw.ac.nz
Wed May 2 21:54:13 UTC 2012


Hi,

BTW, is this advice in the admin guide?  I would suggest it's worth stating.....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Thursday, 3 May 2012 9:45 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate between a client system that uses IPA for
identity lookups and authentication and an administrative station where
you have the ipa-admintools package installed. It is not recommended to
have this package on the client side at a higher version than on the
server. We are currently fixing the issue so that client enrollment works
even if you try to enroll a later version of the IPA client with an
earlier version of the server, but for ipa-admintools the general rule,
upgrade the server first and then the client ipa-admintools package,
should continue to apply.


>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Martin Kosek [mkosek at redhat.com]
> Sent: Thursday, 3 May 2012 1:52 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> So this opens a chicken and egg?
>>>
>>> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break?  but I can't upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way....
>> No, that's not the problem at all. Enrolled clients will work as
>> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
>> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
>> investigating. We'll fix it if needed.
>>
>> rob
> I just sent a patch for this issue to freeipa-devel list. The problem
> was in the TGT forwarding as mentioned earlier in this thread. The
> patched client can now join an older IPA server. But ipa command still
> won't work properly as its API is higher than the server's.
>
> Martin
>
>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 2 May 2012 1:19 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] ipa-client install error
>>>
>>> Steven Jones wrote:
>>>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>>>>
>>>> ==============
>>>> [root at rhel664ws01 ~]# ipa-client-install --mkhomedir
>>>> Discovery was successful!
>>>> Hostname: rhel664ws01.ods.vuw.ac.nz
>>>> Realm: ODS.VUW.AC.NZ
>>>> DNS Domain: ods.vuw.ac.nz
>>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>>>
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>> User authorized to enroll computers: admjonesst1
>>>> Synchronizing time with KDC...
>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>> Password for admjonesst1 at ODS.VUW.AC.NZ:
>>>>
>>>> Enrolled in IPA realm ODS.VUW.AC.NZ
>>>> Created /etc/ipa/default.conf
>>>> Unable to activate the SSH service in SSSD config.
>>>> Please make sure you have SSSD built with SSH support installed.
>>>> Configure SSH support manually in /etc/sssd/sssd.conf.
>>>> Configured /etc/sssd/sssd.conf
>>>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>>>> Traceback (most recent call last):
>>>>     File "/usr/sbin/ipa-client-install", line 1534, in <module>
>>>>       sys.exit(main())
>>>>     File "/usr/sbin/ipa-client-install", line 1521, in main
>>>>       rval = install(options, env, fstore, statestore)
>>>>     File "/usr/sbin/ipa-client-install", line 1358, in install
>>>>       api.Backend.xmlclient.connect()
>>>>     File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>>>>       conn = self.create_connection(*args, **kw)
>>>>     File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>>>>       raise errors.KerberosError(major=str(krberr), minor='')
>>>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
>>>> [root at rhel664ws01 ~]#
>>>> ===========
>>>>
>>>> Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
>>>>
>>> The newer 2.2 client cannot connect to an older 2.1 server because it
>>> isn't going to send the TGT that the 2.1 server requires. We should
>>> handle this better, I've opened a ticket to track this:
>>> https://fedorahosted.org/freeipa/ticket/2697
>>>
>>> rob
>>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

