Bug 1009024 - SSH key upload broken when client joins an older server
SSH key upload broken when client joins an older server
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.0
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Martin Kosek
Namita Soman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-17 10:05 EDT by Martin Kosek
Modified: 2014-06-17 20:11 EDT (History)
3 users (show)

See Also:
Fixed In Version: ipa-3.3.2-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 06:32:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Kosek 2013-09-17 10:05:09 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3931

As `ipa-client-install` is using API host-mod command to modify host and add SSH keys, it always fails to add the key if the client is of a newer version than the server (which will be a very common scenario given that server should be more stable than most of the clients):

{{{
# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: vm-052.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: vm-086.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Mon Sep 09 06:56:05 2013 UTC
    Valid Until: Fri Sep 09 06:56:05 2033 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
DNS server record set to: vm-052.example.com -> 10.16.78.52

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
host_mod: 2.65 client incompatible with 2.49 server at u'https://vm-086.example.com/ipa/xml'

Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
}}}

We should do just an LDAP modify operation instead.
Comment 3 Xiyang Dong 2014-01-29 08:40:16 EST
Verified on :
ipa-server-3.0.0-25.el6.x86_64
ipa-client-3.3.3-10.el7.x86_64

[root@70client ~]# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: 70client.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: 64master.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.COM
    Issuer:      CN=Certificate Authority,O=TESTRELM.COM
    Valid From:  Wed Jan 29 01:46:45 2014 UTC
    Valid Until: Sun Jan 29 01:46:45 2034 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Hostname (70client.testrelm.com) not found in DNS
DNS server record set to: 70client.testrelm.com -> 10.16.185.22
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
Comment 4 Ludek Smid 2014-06-13 06:32:27 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.