On 05/02/2012 05:54 PM, Steven Jones wrote:
> Hi,
>
> BTW, is this advice in the admin guide? I would suggest it's worth
> stating.....
>

Noted.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of Dmitri Pal [[email protected]]
> Sent: Thursday, 3 May 2012 9:45 a.m.
> To: [email protected]
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On 05/02/2012 05:29 PM, Steven Jones wrote:
>> What is the impact of IPA not working properly?
> You need to differentiate client system that uses IPA for identity
> lookups and authentication and administrative station where you have
> ipa-admintools package installed. It is not recommended to have this
> package on the client side to be higher version than on the server. We
> are currently fixing the issue for the client enrollment to work even if
> you try to enroll later version of the ipa client with the earlier
> version of the server but for ipa-admintools the general rule: upgrade
> server first and then the client ipa-admintools package should continue
> to apply.
>
>
>> regards
>>
>> Steven Jones
>>
>> ________________________________________
>> From: Martin Kosek [[email protected]]
>> Sent: Thursday, 3 May 2012 1:52 a.m.
>> To: Rob Crittenden
>> Cc: Steven Jones; [email protected]
>> Subject: Re: [Freeipa-users] ipa-client install error
>>
>> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
>>> Steven Jones wrote:
>>>> So this opens a chicken and egg?
>>>>
>>>> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
>>>> older 6.2 clients will break? but I can't upgrade the clients until after
>>>> the servers are done....if so that is a huge and ugly looking task that is
>>>> one way....
>>> No, that's not the problem at all. Enrolled clients will work as
>>> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
>>> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
>>> investigating. We'll fix it if needed.
>>>
>>> rob
>> I just sent a patch for this issue to freeipa-devel list. The problem
>> was in the TGT forwarding as mentioned earlier in this thread. The
>> patched client can now join an older IPA server. But ipa command still
>> won't work properly as its API is higher than the server's.
>>
>> Martin
>>
>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> ________________________________________
>>>> From: Rob Crittenden [[email protected]]
>>>> Sent: Wednesday, 2 May 2012 1:19 a.m.
>>>> To: Steven Jones
>>>> Cc: [email protected]
>>>> Subject: Re: [Freeipa-users] ipa-client install error
>>>>
>>>> Steven Jones wrote:
>>>>> I made a slight oops, I just upgraded a long un-used vm on my desktop
>>>>> from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our
>>>>> satellite is down I can't correct this so I tried to add the 6.3beta
>>>>> client to IPA on 6.2 and I get an error.
>>>>>
>>>>> ==============
>>>>> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
>>>>> Discovery was successful!
>>>>> Hostname: rhel664ws01.ods.vuw.ac.nz
>>>>> Realm: ODS.VUW.AC.NZ
>>>>> DNS Domain: ods.vuw.ac.nz
>>>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>>>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>>>>
>>>>>
>>>>> Continue to configure the system with these values? [no]: yes
>>>>> User authorized to enroll computers: admjonesst1
>>>>> Synchronizing time with KDC...
>>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>>> Password for [email protected]:
>>>>>
>>>>> Enrolled in IPA realm ODS.VUW.AC.NZ
>>>>> Created /etc/ipa/default.conf
>>>>> Unable to activate the SSH service in SSSD config.
>>>>> Please make sure you have SSSD built with SSH support installed.
>>>>> Configure SSH support manually in /etc/sssd/sssd.conf.
>>>>> Configured /etc/sssd/sssd.conf
>>>>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>>>>> Traceback (most recent call last):
>>>>>   File "/usr/sbin/ipa-client-install", line 1534, in<module>
>>>>>     sys.exit(main())
>>>>>   File "/usr/sbin/ipa-client-install", line 1521, in main
>>>>>     rval = install(options, env, fstore, statestore)
>>>>>   File "/usr/sbin/ipa-client-install", line 1358, in install
>>>>>     api.Backend.xmlclient.connect()
>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63,
>>>>> in connect
>>>>>     conn = self.create_connection(*args, **kw)
>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in
>>>>> create_connection
>>>>>     raise errors.KerberosError(major=str(krberr), minor='')
>>>>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos
>>>>> credentials/
>>>>> [root@rhel664ws01 ~]#
>>>>> ===========
>>>>>
>>>>> Is this expected when trying to connect 6.3beta? ie it's simply not
>>>>> compatible?
>>>>>
>>>> The newer 2.2 client cannot connect to an older 2.1 server because it
>>>> isn't going to send the TGT that the 2.1 server requires. We should
>>>> handle this better, I've opened a ticket to track this:
>>>> https://fedorahosted.org/freeipa/ticket/2697
>>>>
>>>> rob
>>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> [email protected]
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
