[Freeipa-users] ipa-client install error

Dmitri Pal dpal at redhat.com
Wed May 2 21:58:04 UTC 2012


On 05/02/2012 05:54 PM, Steven Jones wrote:
> Hi,
>
> BTW, is this advice in the admin guide? I would suggest it's worth stating.....
>

Noted.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, 3 May 2012 9:45 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On 05/02/2012 05:29 PM, Steven Jones wrote:
>> What is the impact of IPA not working properly?
> You need to differentiate between a client system that uses IPA for identity
> lookups and authentication and an administrative station where you have the
> ipa-admintools package installed. It is not recommended for this
> package on the client side to be a higher version than on the server. We
> are currently fixing the issue so that client enrollment works even if
> you try to enroll a later version of the ipa client with an earlier
> version of the server, but for ipa-admintools the general rule, upgrade the
> server first and then the client ipa-admintools package, should continue
> to apply.
>
>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Martin Kosek [mkosek at redhat.com]
>> Sent: Thursday, 3 May 2012 1:52 a.m.
>> To: Rob Crittenden
>> Cc: Steven Jones; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] ipa-client install error
>>
>> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
>>> Steven Jones wrote:
>>>> So this opens a chicken and egg?
>>>>
>>>> i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? But I can't upgrade the clients until after the servers are done....if so that is a huge and ugly looking task that is one way....
>>> No, that's not the problem at all. Enrolled clients will work as
>>> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
>>> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
>>> investigating. We'll fix it if needed.
>>>
>>> rob
>> I just sent a patch for this issue to freeipa-devel list. The problem
>> was in the TGT forwarding as mentioned earlier in this thread. The
>> patched client can now join an older IPA server. But ipa command still
>> won't work properly as its API is higher than the server's.
>>
>> Martin
>>
>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> ________________________________________
>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>> Sent: Wednesday, 2 May 2012 1:19 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] ipa-client install error
>>>>
>>>> Steven Jones wrote:
>>>>> I made a slight oops, I just upgraded a long unused VM on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>>>>>
>>>>> ==============
>>>>> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
>>>>> Discovery was successful!
>>>>> Hostname: rhel664ws01.ods.vuw.ac.nz
>>>>> Realm: ODS.VUW.AC.NZ
>>>>> DNS Domain: ods.vuw.ac.nz
>>>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>>>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>>>>
>>>>>
>>>>> Continue to configure the system with these values? [no]: yes
>>>>> User authorized to enroll computers: admjonesst1
>>>>> Synchronizing time with KDC...
>>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>>> Password for admjonesst1@ODS.VUW.AC.NZ:
>>>>>
>>>>> Enrolled in IPA realm ODS.VUW.AC.NZ
>>>>> Created /etc/ipa/default.conf
>>>>> Unable to activate the SSH service in SSSD config.
>>>>> Please make sure you have SSSD built with SSH support installed.
>>>>> Configure SSH support manually in /etc/sssd/sssd.conf.
>>>>> Configured /etc/sssd/sssd.conf
>>>>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>>>>> Traceback (most recent call last):
>>>>>     File "/usr/sbin/ipa-client-install", line 1534, in <module>
>>>>>       sys.exit(main())
>>>>>     File "/usr/sbin/ipa-client-install", line 1521, in main
>>>>>       rval = install(options, env, fstore, statestore)
>>>>>     File "/usr/sbin/ipa-client-install", line 1358, in install
>>>>>       api.Backend.xmlclient.connect()
>>>>>     File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>>>>>       conn = self.create_connection(*args, **kw)
>>>>>     File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>>>>>       raise errors.KerberosError(major=str(krberr), minor='')
>>>>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
>>>>> [root@rhel664ws01 ~]#
>>>>> ===========
>>>>>
>>>>> Is this expected when trying to connect 6.3beta? i.e. it's simply not compatible?
>>>>>
>>>> The newer 2.2 client cannot connect to an older 2.1 server because it
>>>> isn't going to send the TGT that the 2.1 server requires. We should
>>>> handle this better, I've opened a ticket to track this:
>>>> https://fedorahosted.org/freeipa/ticket/2697
>>>>
>>>> rob
>>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

