[Freeipa-users] version mismatch while joining a client ?
Rob Crittenden
rcritten at redhat.com
Thu Jul 28 22:12:54 UTC 2011
Steven Jones wrote:
> I just downgraded libcurl and curl on rhel6.1 client....still broken.
Broken how? We need logs, command output, etc. to diagnose the problem.
rob
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 28 July 2011 9:13 a.m.
> To: Steven Jones
> Cc: Robert M. Albrecht; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> Steven Jones wrote:
>> Hi,
>>
>> It appears this change also effects RHEL6.1 as well....I have the same message when I try and join new machines.
>
> Yes, updates were done for at least Fedora 14, 15, rawhide, EL5 and EL6.
> This was considered a security issue so updates were pushed everywhere.
>
> rob
>
>>
>> regards
>>
>> Steven
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>>
>> 8><-----
>>
>>> Joining realm failed because of failing XML-RPC request.
>>> This error may be caused by incompatible server/client major versions.
>>
>> 8><-----
>>
>> I think this is the problem caused by a recent libcurl change. libcurl
>> recently dropped support for GSSAPI ticket delegation which is needed
>> for the enrollment. If you look in the Apache error log on the IPA
>> server I'll bet there is an error about principal.
>>
>> We're waiting on upstream to add support for forwarding back in. Until
>> then your options are limited. The change was made because it was
>> considered a security issue: whenever forwarding was allow the ticket
>> was sent whether it was requested or not.
>>
>> Downgrading libcurl will fix the problem for enrollment. You should
>> evaluate the CVE to decide the course of action:
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192
>>
>> rob
>>
>> 8><----
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list