Bug 1015481 - client incompatible error message not shown on RHEL-65 ipa client
Summary: client incompatible error message not shown on RHEL-65 ipa client
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.5
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
Depends On:
Blocks: 1061410
Reported: 2013-10-04 11:11 UTC by Kaleem
Modified: 2018-12-09 17:12 UTC (History)

Fixed In Version: ipa-3.0.0-38.el6
Doc Type: Known Issue
Doc Text:
Identity Management administration framework API contains two checks to verify that a request on its API can be passed further:

1. A check to see if the client API version is not higher than the server API version. If it is, the request is rejected.
2. A check to see if the client API request does not use an attribute or a parameter unknown to the server. If it does, the request is rejected.

However, the Identity Management server performs the checks in an incorrect order: first, the attribute and parameter check is done and after that, the API version check is done. As a consequence, when a new client (for example, Red Hat Enterprise Linux 6.5) runs the ipa administration tool against a server with an earlier operating system (for example, Red Hat Enterprise Linux 6.4), the command returns a confusing error message; for example, instead of stating API compatibility, ipa outputs the following message:

$ ipa user-show admin
ipa: ERROR: Unknown option: no_members
Clone Of:
Last Closed: 2014-10-14 07:32:14 UTC
Target Upstream Version:


System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2014:1383 | normal | SHIPPED_LIVE | ipa bug fix and enhancement update | 2014-10-14 01:21:36 UTC

Description Kaleem 2013-10-04 11:11:48 UTC
Description of problem:

After successfully installing the RHEL-65 ipa client (ipa-client-3.0.0-37) with a RHEL-64 IPA server (ipa-server-3.0.0-26.el6_4.4),
when I tried to run an ipa command on the client, the following error message was shown instead of the client incompatible error message:

" ipa: ERROR: Unknown option: no_members "

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install the RHEL-65 ipa client (ipa-client-3.0.0-37) with a RHEL-64 ipa server (ipa-server-3.0.0-26.el6_4.4).
2. Run the following ipa command on the client:
   ipa user-show admin

Actual results:
[root@client65x86 ~]# ipa user-show admin
ipa: ERROR: Unknown option: no_members
[root@client65x86 ~]# 

Expected results:
# ipa user-show admin
ipa: ERROR: 2.49 client incompatible with 2.46 server at

Comment 2 Martin Kosek 2013-10-07 08:46:22 UTC
Upstream ticket:

Comment 6 Scott Poore 2014-04-10 22:31:49 UTC
FYI, I also see similar when testing RHEL7 clients with RHEL6.5 servers:

ipa: ERROR: 2.65 client incompatible with 2.49 server at u'https://nocp9.testrelm.test/ipa/xml'

Comment 7 Scott Poore 2014-04-11 12:36:28 UTC
FYI, Dev has confirmed that RHEL7 client to RHEL6.5 server won't work for "ipa" commands. The design is "forward compatible" not "backward compatible". 6.5 clients to 7 servers should work, but my scenario will not.


Comment 11 Kaleem 2014-07-03 12:54:59 UTC
I tried on a RHEL-6.6 client (build ipa-client-3.0.0-41.el6.x86_64) with a RHEL-6.4 IPA server and found that the issue is still there.

[root@hp-ms-01-c28 ~]# rpm -q ipa-client
[root@hp-ms-01-c28 ~]# ipa user-show admin
ipa: ERROR: Unknown option: no_members
[root@hp-ms-01-c28 ~]#

Comment 12 Kaleem 2014-08-11 16:04:24 UTC
Any update on this?

Comment 13 Martin Kosek 2014-08-11 17:07:43 UTC
Sorry, Comment 11 slipped between the cracks. There was probably a misunderstanding of how the check works.

The check itself is performed *on the server*. This means that only patched servers (RHEL-6.6 and later) will display the better error message. So for example, if we add a new option in RHEL-6.7 and RHEL-6.7 client would use it, RHEL-6.6 server would error out with the new message instead of "Unknown option" error.

As this fix is not reproducible right now, can it be only tested with SanityOnly, i.e. that user-show on RHEL-6.6 server works from the same or older IPA client?
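
The check ordering described in the Doc Text and in Comment 13, as an added example that is not part of the original bug report and is not FreeIPA source code: a simplified model of the two server-side checks, run once in the incorrect order and once in the corrected order. The request layout, function names and option set are assumptions, and the modelled message omits the "at <URL>" suffix of the real error.

```python
# Added illustration; a simplified model, not FreeIPA source code.
# The request layout and all function names here are assumptions.

class VersionError(Exception):
    pass

class OptionError(Exception):
    pass

def parse_version(text):
    # Compare numerically: "2.9" must sort below "2.49".
    major, minor = text.split(".")
    return int(major), int(minor)

def check_version(client, server):
    if parse_version(client) > parse_version(server):
        raise VersionError(f"{client} client incompatible with {server} server")

def check_options(options, known):
    for name in sorted(options):
        if name not in known:
            raise OptionError(f"Unknown option: {name}")

def handle(request, server_version, known_options, version_first):
    """Run both server-side checks; the first failure decides the message."""
    checks = [
        lambda: check_options(request["options"], known_options),
        lambda: check_version(request["version"], server_version),
    ]
    if version_first:  # corrected order
        checks.reverse()
    try:
        for check in checks:
            check()
    except (VersionError, OptionError) as exc:
        return f"ipa: ERROR: {exc}"
    return "ok"

# Constructed sample: a 2.49 client sends an option a 2.46 server has never seen.
KNOWN_246 = {"all", "raw", "rights"}
NEW_CLIENT = {"version": "2.49", "options": {"all": False, "no_members": False}}

if __name__ == "__main__":
    print(handle(NEW_CLIENT, "2.46", KNOWN_246, version_first=False))
    print(handle(NEW_CLIENT, "2.46", KNOWN_246, version_first=True))
```

Because both checks live in the server's request handler, changing the order only changes what a patched server reports; an unpatched server keeps returning the option error to any newer client.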

Comment 14 Kaleem 2014-08-12 09:07:16 UTC
Verified SanityOnly.

[root@dhcp207-60 ~]# echo xxxxxxx|kinit admin
Password for admin@TESTRELM.TEST: 
[root@dhcp207-60 ~]# ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1572600000
  GID: 1572600000
  Account disabled: False
  Password: True
  Member of groups: admins, trust admins
  Kerberos keys available: True
[root@dhcp207-60 ~]# cat /etc/redhat-release ; rpm -q ipa-client
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@dhcp207-60 ~]#

Comment 15 errata-xmlrpc 2014-10-14 07:32:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

