User reported problem using 2.2 ipa-client-install against a 2.1 server with this backtrace:
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir Discovery was successful! Hostname: rhel664ws01.ods.vuw.ac.nz Realm: ODS.VUW.AC.NZ DNS Domain: ods.vuw.ac.nz IPA Server: vuwunicoipam002.ods.vuw.ac.nz BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admjonesst1 Synchronizing time with KDC... Unable to sync time with IPA NTP server, assuming the time is in sync. Password for admjonesst1@ODS.VUW.AC.NZ: Enrolled in IPA realm ODS.VUW.AC.NZ Created /etc/ipa/default.conf Unable to activate the SSH service in SSSD config. Please make sure you have SSSD built with SSH support installed. Configure SSH support manually in /etc/sssd/sssd.conf. Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ Traceback (most recent call last): File "/usr/sbin/ipa-client-install", line 1534, in <module> sys.exit(main()) File "/usr/sbin/ipa-client-install", line 1521, in main rval = install(options, env, fstore, statestore) File "/usr/sbin/ipa-client-install", line 1358, in install api.Backend.xmlclient.connect() File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect conn = self.create_connection(*args, **kw) File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection raise errors.KerberosError(major=str(krberr), minor='') ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
I think this is probably because the 2.2 client doesn't send the TGT that the 2.1 server requires. We should catch this error and provide a better error message.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=817867
I will look into this. So far, I was able to log from current IPA 2.2 to old RHEL 6.2 server and no error was returned. Still working on reproducing this bug.
To test the patch:
master: b8f30bc
ipa-2-2: 1267d57
Metadata Update from @rcritten: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04
Login to comment on this ticket.