#2697 ipa-client-install may fail joining older server
Closed: Fixed. Opened 7 years ago by rcritten.

User reported problem using 2.2 ipa-client-install against a 2.1 server with this backtrace:

[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjonesst1@ODS.VUW.AC.NZ:

Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/

I think this is probably because the 2.2 client doesn't send the TGT that the 2.1 server requires. We should catch this error and provide a better error message.

I will look into this. So far, I was able to log in from the current IPA 2.2 to an old RHEL 6.2 server and no error was returned. Still working on reproducing this bug.

To test the patch:

  1. Install IPA server with DNS support
  2. Install IPA replica for the server (so that there are 2 SRV records for the IPA server)
  3. Configure client machine to use DNS from IPA server so that it reads the SRV records
  4. Run ipa-client-install as in the bug description
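
The transcript in the report shows the installer crashing after enrollment and several config writes had already succeeded, so the host is left partly configured. The following triage script is an added example, not part of the ticket or of FreeIPA's code; `triage`, `partial_install` and the embedded sample (constructed from the output above, abridged) are names and data chosen here for illustration.

```python
import re

# Constructed sample, modelled on the transcript in this ticket (abridged).
SAMPLE = """\
Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
"""

STEP = re.compile(r"^(Enrolled in IPA realm|Created|Configured)\s+(\S+)")
FRAME = re.compile(r'^\s+File "([^"]+)", line (\d+), in (\S+)')
ERROR = re.compile(r"^([A-Za-z_][\w.]*(?:Error|Exception)): (.*)$")

def triage(transcript):
    """Split installer output into completed steps and the point of failure."""
    result = {"enrolled": False, "touched": [], "frames": [], "error": None}
    in_traceback = False
    for line in transcript.splitlines():
        if line.startswith("Traceback (most recent call last):"):
            in_traceback = True
            continue
        if in_traceback:
            m = FRAME.match(line)
            if m:  # a stack frame: (file, line number, function)
                result["frames"].append((m.group(1), int(m.group(2)), m.group(3)))
                continue
            m = ERROR.match(line)
            if m:  # final "ExceptionType: message" line ends the traceback
                result["error"] = (m.group(1), m.group(2))
                in_traceback = False
            continue  # source-code lines inside the traceback are skipped
        m = STEP.match(line)
        if m:
            if m.group(1).startswith("Enrolled"):
                result["enrolled"] = True
            else:
                result["touched"].append(m.group(2))
    return result

def partial_install(result):
    """True when enrollment or config writes happened before a crash."""
    return result["error"] is not None and (result["enrolled"] or bool(result["touched"]))
```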

Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04

2 years ago
