[Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server
Martin Kosek
mkosek at redhat.com
Wed May 2 16:14:14 UTC 2012
On Wed, 2012-05-02 at 10:32 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Testing instructions included in the ticket.
> > ---
> > IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
> > delegation, i.e. ipa command no longer forwards Kerberos TGT to the
> > server during authentication. However, when IPA client of version
> > 2.2 and higher tries to join an older IPA server, the installer
> > crashes because the pre-2.2 server expects the TGT to be forwarded.
> >
> > This patch adds a fallback to ipa-client-install which would detect
> > this situation and try connecting with TGT forwarding enabled
> > again.
> >
> > https://fedorahosted.org/freeipa/ticket/2697
>
> Still working on testing this, just a couple of initial comments.
>
> I'd like to see the second and 3rd exceptions be logged as well as
> printed to stderr (this is a common problem in ipa-client-install, we
> don't log as much as we should).
>
> Will it be confusing to print the bit about S4U2Proxy? I think
> simplifying as "you are running a newer client than the IPA server so some
> capabilities may not be available" or something like that.
>
> rob

The attached patch has better error reporting and logging. I also
added user realm to keytab kinit as you suggested on IRC, it should make
the kinit more bullet-proof.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-256-2-ipa-client-install-delegate.patch
Type: text/x-patch
Size: 3518 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120502/42a24882/attachment.bin>