User reported problem using 2.2 ipa-client-install against a 2.1 server with this backtrace:
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjonesst1@ODS.VUW.AC.NZ:
Enrolled in IPA realm ODS.VUW.AC.NZ
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 1534, in <module>
File "/usr/sbin/ipa-client-install", line 1521, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 1358, in install
File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
conn = self.create_connection(*args, **kw)
File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
I think this is probably because the 2.2 client doesn't send the TGT that the 2.1 server requires. We should catch this error and provide a better error message.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=817867
I will look into this. So far, I was able to log from current IPA 2.2 to old RHEL 6.2 server and no error was returned. Still working on reproducing this bug.
To test the patch:
Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04
to comment on this ticket.