[Freeipa-devel] [PATCH] 256 Make ipa 2.2 client capable of joining an older server

Rob Crittenden rcritten at redhat.com
Wed May 2 17:47:19 UTC 2012


Martin Kosek wrote:
> On Wed, 2012-05-02 at 10:32 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Testing instructions included in the ticket.
>>> ---
>>> An IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
>>> delegation, i.e. the ipa command no longer forwards the Kerberos TGT to
>>> the server during authentication. However, when an IPA client of
>>> version 2.2 and higher tries to join an older IPA server, the installer
>>> crashes because the pre-2.2 server expects the TGT to be forwarded.
>>>
>>> This patch adds a fallback to ipa-client-install which detects this
>>> situation and tries connecting again with TGT forwarding enabled.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2697
>>
>> Still working on testing this, just a couple of initial comments.
>>
>> I'd like to see the second and third exceptions logged as well as
>> printed to stderr (this is a common problem in ipa-client-install, we
>> don't log as much as we should).
>>
>> Will it be confusing to print the bit about S4U2Proxy? I think
>> simplifying it to "you are running a newer client than the IPA server so
>> some capabilities may not be available" or something like that.
>>
>> rob
>
> The attached patch has better error reporting and logging. I also
> added the user realm to the keytab kinit as you suggested on IRC; it
> should make the kinit more bullet-proof.
>
> Martin

ACK, pushed to master and ipa-2-2

rob
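The fallback Martin describes, written out as an added example that is not FreeIPA's own code: a connection callable stands in for the ipalib RPC backend (its `delegate` keyword and the `KerberosError` class are assumed names here), the join is first attempted without TGT forwarding and, on a Kerberos failure, the error is both logged and printed to stderr as Rob asked before the attempt is repeated with forwarding enabled. The simulated servers are constructed for the example.

```python
import logging
import sys

logger = logging.getLogger("ipa-client-install")


class KerberosError(Exception):
    """Stand-in for ipalib.errors.KerberosError (assumed name)."""


def report(msg):
    # Review asked that failures be logged as well as printed to stderr.
    logger.error(msg)
    print(msg, file=sys.stderr)


def connect_with_fallback(connect):
    """connect(delegate=bool) opens the RPC session or raises KerberosError.

    Returns the delegate setting that worked (False: S4U2Proxy, no TGT
    forwarding; True: TGT forwarded to the server).
    """
    try:
        connect(delegate=False)  # 2.2+ server: S4U2Proxy, keep the TGT local
        return False
    except KerberosError as e:
        report("Cannot connect to the server due to Kerberos error: %s. "
               "You may be running a newer client than the IPA server, so "
               "some capabilities may not be available. Retrying with TGT "
               "forwarding enabled." % e)
    try:
        connect(delegate=True)  # pre-2.2 server expects a forwarded TGT
        return True
    except KerberosError as e:
        report("Cannot connect to the server even with TGT forwarding: %s" % e)
        raise


def simulated_server(version):
    """Constructed stand-in for an IPA server of the given version tuple."""
    def connect(delegate):
        if version < (2, 2) and not delegate:
            raise KerberosError("server requires a forwarded TGT")
    return connect


def unreachable_server(delegate):
    """Constructed stand-in for a server that rejects every attempt."""
    raise KerberosError("no credentials cache found")
```

A pre-2.2 server makes `connect_with_fallback` return True (joined with forwarding), a 2.2 server returns False, and a server that rejects both attempts re-raises the second error after reporting it.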
