On 05/01/2012 06:15 PM, Steven Jones wrote:
> So this opens a chicken and egg?
> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
> older 6.2 clients will break? but I cant upgrade the clients until after the
> servers are done....if so that is a huge and ugly looking task that is one
Yes this is a serious problem. Thank you for uncovering it.
Current plan is to: provide a fix for the older clients to be able to
connect to 2.2 via errata.
Make sure that the 2.2 client can connect to the 2.1 server.
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 2 May 2012 1:19 a.m.
> To: Steven Jones
> Cc: firstname.lastname@example.org
> Subject: Re: [Freeipa-users] ipa-client install error
> Steven Jones wrote:
>> I made a slight oops, I just upgraded a long un-used vm on my desktop from
>> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is
>> down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2
>> and I get an error.
>> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
>> Discovery was successful!
>> Hostname: rhel664ws01.ods.vuw.ac.nz
>> Realm: ODS.VUW.AC.NZ
>> DNS Domain: ods.vuw.ac.nz
>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admjonesst1
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Password for admjones...@ods.vuw.ac.nz:
>> Enrolled in IPA realm ODS.VUW.AC.NZ
>> Created /etc/ipa/default.conf
>> Unable to activate the SSH service in SSSD config.
>> Please make sure you have SSSD built with SSH support installed.
>> Configure SSH support manually in /etc/sssd/sssd.conf.
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>> Traceback (most recent call last):
>> File "/usr/sbin/ipa-client-install", line 1534, in<module>
>> File "/usr/sbin/ipa-client-install", line 1521, in main
>> rval = install(options, env, fstore, statestore)
>> File "/usr/sbin/ipa-client-install", line 1358, in install
>> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
>> conn = self.create_connection(*args, **kw)
>> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in
>> raise errors.KerberosError(major=str(krberr), minor='')
>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos
>> [root@rhel664ws01 ~]#
>> Is this expected when trying to connect 6.3beta? ie its simply not
> The newer 2.2 client cannot connect to an older 2.1 server because it
> isn't going to send the TGT that the 2.1 server requires. We should
> handle this better, I've opened a ticket to track this:
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list