#4446 ipa-client-install fails with unsupported extended operation
Closed: Fixed None Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1118725

Description of problem:
# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

DNS domain 'virt' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: rawhide.1.virt
Realm: VIRT
DNS Domain: 1.virt
IPA Server: fedora20.1.virt
BaseDN: dc=virt

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please
check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@VIRT:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=VIRT
    Issuer:      CN=Certificate Authority,O=VIRT
    Valid From:  Fri Jul 11 10:45:57 2014 UTC
    Valid Until: Tue Jul 11 10:45:57 2034 UTC

Joining realm failed: Failed to parse result! unsupported extended operation
Failed to get keytab
child exited with 9

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Version-Release number of selected component (if applicable):
freeipa-server-3.3.5-1.fc20.x86_64
freeipa-client-4.0.0-1.fc21.x86_64



Steps to Reproduce:
1. run ipa-server-install on fedora20.1.virt
2. use basic simple setup with dns
3. run ipa-client-install on rawhide.1.virt

Actual results:


Expected results:


Additional info:

This reproduces pretty easily and it prevents FreeIPA 4.0.0 clients to join older servers. Simo or Nathaniel, could either of you please check this one as soon as possible?

Nathaniel is working on implementation, Alexander on a review. This should be fixed asap.

master:

  • 9698605 Fix ipa-getkeytab for pre-4.0 servers

ipa-4-1:

  • 9698605 Fix ipa-getkeytab for pre-4.0 servers

ipa-4-0:

  • 217aba7 Fix ipa-getkeytab for pre-4.0 servers

master:

  • 410da23 test_ipagetkeytab: Fix assertion in negative test

ipa-4-1:

  • 410da23 test_ipagetkeytab: Fix assertion in negative test

ipa-4-0:

  • 85493fa test_ipagetkeytab: Fix assertion in negative test

Metadata Update from @mkosek:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.0.1

7 years ago

Log in to comment on this ticket.

Metadata