Martin Kosek wrote:
On Wed, 2012-05-02 at 10:32 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
Testing instructions included in the ticket.
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled

Still working on testing this, just a couple of initial comments.

I'd like to see the second and 3rd exceptions be logged as well as
printed to stderr (this is a common problem in ipa-client-install, we
don't log as much as we should).

Will it be confusing to print the bit about S4U2Proxy? I think
simplyfing as "you are running a new client than the IPA server so some
capabilities may not be available" or something like that.


The attached patch has a better error reporting and logging. I also
added user realm to keytab kinit as you suggested on IRC, it should make
the kinit more bullet-proof.


ACK, pushed to master and ipa-2-2


Freeipa-devel mailing list

Reply via email to