Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3931
As `ipa-client-install` is using API host-mod command to modify host and add SSH keys, it always fails to add the key if the client is of a newer version than the server (which will be a very common scenario given that server should be more stable than most of the clients):
{{{
# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: vm-052.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: vm-086.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Mon Sep 09 06:56:05 2013 UTC
Valid Until: Fri Sep 09 06:56:05 2033 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
DNS server record set to: vm-052.example.com -> 10.16.78.52
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
host_mod: 2.65 client incompatible with 2.49 server at u'https://vm-086.example.com/ipa/xml'
Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
}}}
We should do just an LDAP modify operation instead.
Comment 1Petr Viktorin (pviktori)
2013-10-04 13:37:55 UTC
Verified on :
ipa-server-3.0.0-25.el6.x86_64
ipa-client-3.3.3-10.el7.x86_64
[root@70client ~]# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: 70client.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: 64master.testrelm.com
BaseDN: dc=testrelm,dc=com
Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=TESTRELM.COM
Issuer: CN=Certificate Authority,O=TESTRELM.COM
Valid From: Wed Jan 29 01:46:45 2014 UTC
Valid Until: Sun Jan 29 01:46:45 2034 UTC
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Hostname (70client.testrelm.com) not found in DNS
DNS server record set to: 70client.testrelm.com -> 10.16.185.22
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.