This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3931

As `ipa-client-install` is using API host-mod command to modify host and add SSH keys, it always fails to add the key if the client is of a newer version than the server (which will be a very common scenario given that the server should be more stable than most of the clients):

{{{
# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: vm-052.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: vm-086.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Mon Sep 09 06:56:05 2013 UTC
Valid Until: Fri Sep 09 06:56:05 2033 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
DNS server record set to: vm-052.example.com -> 10.16.78.52
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
host_mod: 2.65 client incompatible with 2.49 server at u'https://vm-086.example.com/ipa/xml'
Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
}}}

We should do just an LDAP modify operation instead.
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/5824a0e14e73f8d13a93ccccf1b5213488ff9eaa
ipa-3-3: https://fedorahosted.org/freeipa/changeset/96ab7002ac2acfc129dd73f1fc9b023a6fbf3723
Verified on:
ipa-server-3.0.0-25.el6.x86_64
ipa-client-3.3.3-10.el7.x86_64

[root@70client ~]# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: 70client.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: 64master.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=TESTRELM.COM
Issuer: CN=Certificate Authority,O=TESTRELM.COM
Valid From: Wed Jan 29 01:46:45 2014 UTC
Valid Until: Sun Jan 29 01:46:45 2034 UTC
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Hostname (70client.testrelm.com) not found in DNS
DNS server record set to: 70client.testrelm.com -> 10.16.185.22
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
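
In the failing run above the installer still ends with "Client configuration complete." even though the host SSH keys were never uploaded, so enrollment transcripts are worth checking for that case. The following is an added example, not code from this bug report or from FreeIPA; the function name `audit_enrollment` is hypothetical, and the two sample transcripts are constructed from lines quoted in the report.

```python
import re

# Constructed sample: the relevant lines of the failing run quoted in the report.
FAILED_RUN = """\
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
host_mod: 2.65 client incompatible with 2.49 server at u'https://vm-086.example.com/ipa/xml'
Failed to upload host SSH public keys.
SSSD enabled
Client configuration complete.
"""

# Constructed sample: the relevant lines of the verified run.
FIXED_RUN = """\
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
SSSD enabled
Client configuration complete.
"""

KEY_RE = re.compile(r"^Adding SSH public key from (\S+)$")
SKEW_RE = re.compile(r"^(\w+): ([\d.]+) client incompatible with ([\d.]+) server\b")
FAIL_MSG = "Failed to upload host SSH public keys."
DONE_MSG = "Client configuration complete."


def audit_enrollment(transcript):
    """Summarise SSH host key publication from ipa-client-install output."""
    result = {"keys": [], "api_skew": None, "upload_failed": False, "completed": False}
    for line in transcript.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        skew = SKEW_RE.match(line)
        if key:
            result["keys"].append(key.group(1))
        elif skew:
            # API command name plus the client and server API versions it reported.
            result["api_skew"] = dict(zip(("command", "client", "server"), skew.groups()))
        elif line == FAIL_MSG:
            result["upload_failed"] = True
        elif line == DONE_MSG:
            result["completed"] = True
    # Worth alerting on: the installer reports success but the keys were not published.
    result["silent_failure"] = result["completed"] and result["upload_failed"]
    return result


if __name__ == "__main__":
    for name, run in (("failed", FAILED_RUN), ("fixed", FIXED_RUN)):
        print(name, audit_enrollment(run))
```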