As ipa-client-install uses the API host-mod command to modify the host and add SSH keys, it always fails to add the key if the client is of a newer version than the server (which will be a very common scenario, given that the server should be more stable than most of the clients):
ipa-client-install
# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: vm-052.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: vm-086.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Mon Sep 09 06:56:05 2013 UTC
    Valid Until: Fri Sep 09 06:56:05 2033 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
DNS server record set to: vm-052.example.com -> 10.16.78.52
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
host_mod: 2.65 client incompatible with 2.49 server at u'https://vm-086.example.com/ipa/xml'
Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
We should do just an LDAP modify operation instead.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1009024
Alternatively, we can use the JSON API directly, with a lower API version. This would mean (future versions of) the server can apply any host-mod logic (or even fail to upload the keys if we need to break compatibility).
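The following is an added illustration of the two points made in this thread, not code from FreeIPA or from the ticket: why the server rejects a newer client, and what a host_mod JSON-RPC request pinned to an older API version looks like. It assumes the compatibility rule is "same major, client minor must not exceed server minor" (consistent with the "2.65 client incompatible with 2.49 server" error above) and that the request layout follows the FreeIPA JSON-RPC convention of `params = [positional_args, options]` with `version` carried in the options; the host name and keys are constructed sample values.

```python
"""Added example (not FreeIPA's own code): API-version compatibility as seen
from ipa-client-install, and a host_mod request pinned to a lower version.
Assumptions are marked below."""
import json
import re
from typing import List, Optional, Tuple

# Constructed sample values modelled on the ticket's output.
CLIENT_API_VERSION = "2.65"
SERVER_API_VERSION = "2.49"
SAMPLE_HOST = "vm-052.example.com"
# Constructed, non-functional key strings standing in for the host's public keys.
SAMPLE_KEYS = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEKEYDATA root@vm-052",
    "ssh-dss AAAAB3NzaC1kc3MAAACBANEXAMPLEKEYDATA root@vm-052",
]

# Matches the error line ipa-client-install printed in the ticket.
VERSION_ERROR_RE = re.compile(
    r"(?P<client>\d+\.\d+) client incompatible with (?P<server>\d+\.\d+) server"
)


def parse_version(version: str) -> Tuple[int, int]:
    """Split an API version string such as '2.49' into (major, minor)."""
    major, minor = version.split(".", 1)
    return int(major), int(minor)


def server_accepts(client_version: str, server_version: str) -> bool:
    """Assumed compatibility rule: majors must match and the client's minor
    must not exceed the server's. A newer server tolerates older clients;
    an older server refuses a newer client, which is the ticket's failure."""
    c_major, c_minor = parse_version(client_version)
    s_major, s_minor = parse_version(server_version)
    return c_major == s_major and c_minor <= s_minor


def versions_from_error(message: str) -> Optional[Tuple[str, str]]:
    """Recover (client_version, server_version) from the VersionError text,
    so a caller can see which side is too new without guessing."""
    match = VERSION_ERROR_RE.search(message)
    if match is None:
        return None
    return match.group("client"), match.group("server")


def choose_upload_version(client_version: str, server_version: str) -> str:
    """Send the client's own version when the server accepts it; otherwise
    fall back to the server's advertised version so the server applies its
    own host-mod logic at that API level (the comment's second proposal)."""
    if server_accepts(client_version, server_version):
        return client_version
    return server_version


def build_host_mod_request(fqdn: str, pubkeys: List[str], api_version: str) -> dict:
    """Assumed JSON-RPC layout: params = [[positional args], {options}],
    with the API version pinned inside the options dictionary."""
    return {
        "method": "host_mod",
        "params": [[fqdn], {"ipasshpubkey": list(pubkeys), "version": api_version}],
        "id": 0,
    }


if __name__ == "__main__":
    error_line = ("host_mod: 2.65 client incompatible with 2.49 server at "
                  "u'https://vm-086.example.com/ipa/xml'")
    client, server = versions_from_error(error_line)
    pinned = choose_upload_version(client, server)
    print("server accepts client as-is:", server_accepts(client, server))
    print("version to pin:", pinned)
    print(json.dumps(build_host_mod_request(SAMPLE_HOST, SAMPLE_KEYS, pinned), indent=2))
```

Pinning `version` only changes which API level the server evaluates the call against; the server still runs its own host-mod validation, which is the advantage over a raw LDAP modify of the host entry.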
host-mod
master:
ipa-3-3:
The patches fix an additional bug where ipa-client-install would fail on servers without S4U2Proxy delegation (before IPA 2.2).
Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.3.x - 2013/09 (bug fixing)