<div dir="ltr"><div>Thanks guys. </div>For now I've just reverted the reported version while the install script runs. It seems to work OK. </div><div class="gmail_extra"> <div class="gmail_quote">On Thu, Jan 2, 2014 at 9:06 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 12/28/2013 06:50 PM, Rob Crittenden wrote: > Will Sheldon wrote: >> >> Hello :) >> >> I'm trying to setup a ubuntu 12.04.3 client running freeipa-client >> 3.2.0-0ubuntu1~precise1 form the apt repo at >> <a href="http://ppa.launchpad.net/freeipa/ppa/ubuntu" target="_blank">http://ppa.launchpad.net/freeipa/ppa/ubuntu</a> >> The server is a (fully updated) centos 6.5 box running ipa-server.x86_64 >> 3.0.0-37.el6 >> >> The script mostly works on a stock install, but there is an error >> uploading SSH keys, This appears to be called from the >> ipa-client-install script line 1436: >> >> result = api.Command['host_mod'](unicode(hostname), >> >> Which generates the following output when run: >> >> stderr= >> Caught fault 901 from server <a href="https://ipa." target="_blank">https://ipa.</a>[domain].com/ipa/xml: 2.58 >> client incompatible with 2.49 server at u'<a href="https://ipa." target="_blank">https://ipa.</a>[domain].com/ipa/xml' >> host_mod: 2.58 client incompatible with 2.49 server at >> u'<a href="https://ipa." target="_blank">https://ipa.</a>[domain].com/ipa/xml' >> Failed to upload host SSH public keys. >> >> I understand that this is not a critical failure and that I can manually >> upload the host keys if needed but the bit I don't understand is where >> the version numbers come from. > > The API version is baked into the client and server. We generally provide a > backwards compatible server, but right now not the client (so a new client > can't always have 100% success talking to an old server). We are actually > working on this, especially for client enrollment, to make things work more > smoothly. > >> How do I revert the api to version 2.49 to match the server? > > You'd have to modify ipapython/version.py on each client before enrollment. For > enrollment I can't think of any side-effects, but if you ever tried the IPA > admin tool on such a client then some odd things could happen. > >> What is best practice here, should I be using a different source for the >> client install script? > > I don't know what is available for Debian/Ubuntu clients these days. It is > being worked on very hard though I think the focus is on the latest source > which explains the mismatch. > >> Is there a copy of the correct client files stashed on the server somewhere? >> Would anyone be interested in helping with development of a yum and apt >> repo on the server to make all this easier? > > The server being the IPA server, so it can distribute the client bits? An > interesting idea. > > rob > </div></div>Note that this issue was fixed in FreeIPA version 3.3.2 (upstream ticket <a href="https://fedorahosted.org/freeipa/ticket/3931" target="_blank">https://fedorahosted.org/freeipa/ticket/3931</a>). Thus, when using FreeIPA client 3.3.2 and later, ipa-client-install will upload the SSH keys even to the older SSH server. No other changes required. HTH, Martin </blockquote></div> -- <div dir="ltr"> Kind regards, Will Sheldon +1.(778)-689-4144 </div> </div>