Bug 1015481

Summary: client incompatible error message not shown on RHEL-65 ipa client
Product: Red Hat Enterprise Linux 6 Reporter: Kaleem <ksiddiqu>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 6.5CC: mkosek, rcritten, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-3.0.0-38.el6 Doc Type: Known Issue
Doc Text:
Identity Management administration framework API contains two checks to verify that a request on its API can be passed further: 1. A check to see if the client API version is not higher than the server API version. If it is, the request is rejected. 2. A check to see if the client API request does not use an attribute or a parameter unknown to the server. If it does, the request is rejected. However, the Identity Management server performs the checks in an incorrect order: first, the attribute and parameter check is done and after that, the API version check is done. As a consequence, when a new client (for example, Red Hat Enterprise Linux 6.5) runs the ipa administration tool against a server with an earlier operating system (for example, Red Hat Enterprise Linux 6.4), the command returns a confusing error message; for example, instead of stating API compatibility, ipa outputs the following message: $ ipa user-show admin ipa: ERROR: Unknown option: no_members
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 07:32:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1061410    

Description Kaleem 2013-10-04 11:11:48 UTC 
Description of problem:

After successfully installing RHEL-65 ipa client (ipa-client-3.0.0-37) with RHEL-64 IPA server (ipa-server-3.0.0-26.el6_4.4),
When i tried to run ipa command on client, following error message shown instead of client incompatible error message

" ipa: ERROR: Unknown option: no_members "

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-37
ipa-server-3.0.0-26.el6_4.4

How reproducible:
Always

Steps to Reproduce:
1.Install RHEL-65 ipa client (ipa-client-3.0.0-37) with RHEL-64 ipa server (ipa-server-3.0.0-26.el6_4.4).
2.Run following ipa command on client
   ipa user-show admin

Actual results:
[root@client65x86 ~]# ipa user-show admin
ipa: ERROR: Unknown option: no_members
[root@client65x86 ~]# 

Expected results:
# ipa user-show admin
ipa: ERROR: 2.49 client incompatible with 2.46 server at
u'https://vm-201.idm.lab.eng.brq.redhat.com/ipa/xml'
Comment 2 Martin Kosek 2013-10-07 08:46:22 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3963
Comment 6 Scott Poore 2014-04-10 22:31:49 UTC 
FYI, I also see similar when testing RHEL7 clients with RHEL6.5 servers:

ipa: ERROR: 2.65 client incompatible with 2.49 server at u'https://nocp9.testrelm.test/ipa/xml'
Comment 7 Scott Poore 2014-04-11 12:36:28 UTC 
FYI, Dev has confirmed that RHEL7 client to RHEL6.5 server won't work for "ipa" commands.  The design is "forward compatible" not "backward compatible".   6.5 clients to 7 servers should work but, my scenario will not.

Regards.
Comment 8 Martin Kosek 2014-06-13 10:11:52 UTC 
Fixed upstream:
ipa-3-0:
https://fedorahosted.org/freeipa/changeset/220539a3653b15e4f5679b53cab8e601abaf8990

ipa-3-1:
https://fedorahosted.org/freeipa/changeset/98f5abe37461844b42989766caee525c0d8864f8

ipa-3-2:
https://fedorahosted.org/freeipa/changeset/b4d2637fc43798669b8ea1bc6fe0f851fd30401a

ipa-3-3:
https://fedorahosted.org/freeipa/changeset/7486140e00c2f1e119250fb69040864fa902290d
Comment 9 Martin Kosek 2014-06-13 12:17:59 UTC 
master:
https://fedorahosted.org/freeipa/changeset/ba53299b98977308966039fad9518c79296bccbf
Comment 11 Kaleem 2014-07-03 12:54:59 UTC 
I tried on RHEL-6.6 client (build ipa-client-3.0.0-41.el6.x86_64) with RHEL-6.4 IPA server and found that issue is still there.

[root@hp-ms-01-c28 ~]# rpm -q ipa-client
ipa-client-3.0.0-41.el6.x86_64
[root@hp-ms-01-c28 ~]# ipa user-show admin
ipa: ERROR: Unknown option: no_members
[root@hp-ms-01-c28 ~]#
Comment 12 Kaleem 2014-08-11 16:04:24 UTC 
Any update on this?
Comment 13 Martin Kosek 2014-08-11 17:07:43 UTC 
Sorry, Comment 11 slipped between cracks. There was probably a misunderstanding of how the checks works.

The check itself is performed *on the server*. This means that only patched servers (RHEL-6.6 and later) will display the better error message. So for example, if we add a new option in RHEL-6.7 and RHEL-6.7 client would use it, RHEL-6.6 server would error out with the new message instead of "Unknown option" error.

As this fix is not reproducible right now, can it be only tested with SanityOnly, i.e. that user-show on RHEL-6.6 server works from the same or older IPA client?
Comment 14 Kaleem 2014-08-12 09:07:16 UTC 
Verified SanityOnly.

[root@dhcp207-60 ~]# echo xxxxxxx|kinit admin
Password for admin: 
[root@dhcp207-60 ~]# ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1572600000
  GID: 1572600000
  Account disabled: False
  Password: True
  Member of groups: admins, trust admins
  Kerberos keys available: True
[root@dhcp207-60 ~]# cat /etc/redhat-release ; rpm -q ipa-client
Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-client-3.0.0-37.el6.x86_64
[root@dhcp207-60 ~]#
Comment 15 errata-xmlrpc 2014-10-14 07:32:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1383.html