RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1015481 - client incompatible error message not shown on RHEL-65 ipa client
Summary: client incompatible error message not shown on RHEL-65 ipa client
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.5
Hardware: Unspecified
OS: Linux
medium
unspecified
Target Milestone: rc
: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1061410
TreeView+ depends on / blocked
 
Reported: 2013-10-04 11:11 UTC by Kaleem
Modified: 2018-12-09 17:12 UTC (History)
3 users (show)

Fixed In Version: ipa-3.0.0-38.el6
Doc Type: Known Issue
Doc Text:
Identity Management administration framework API contains two checks to verify that a request on its API can be passed further: 1. A check to see if the client API version is not higher than the server API version. If it is, the request is rejected. 2. A check to see if the client API request does not use an attribute or a parameter unknown to the server. If it does, the request is rejected. However, the Identity Management server performs the checks in an incorrect order: first, the attribute and parameter check is done and after that, the API version check is done. As a consequence, when a new client (for example, Red Hat Enterprise Linux 6.5) runs the ipa administration tool against a server with an earlier operating system (for example, Red Hat Enterprise Linux 6.4), the command returns a confusing error message; for example, instead of stating API compatibility, ipa outputs the following message: $ ipa user-show admin ipa: ERROR: Unknown option: no_members
Clone Of:
Environment:
Last Closed: 2014-10-14 07:32:14 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1383 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2014-10-14 01:21:36 UTC

Description Kaleem 2013-10-04 11:11:48 UTC 
Description of problem:

After successfully installing RHEL-65 ipa client (ipa-client-3.0.0-37) with RHEL-64 IPA server (ipa-server-3.0.0-26.el6_4.4),
When i tried to run ipa command on client, following error message shown instead of client incompatible error message

" ipa: ERROR: Unknown option: no_members "

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-37
ipa-server-3.0.0-26.el6_4.4

How reproducible:
Always

Steps to Reproduce:
1.Install RHEL-65 ipa client (ipa-client-3.0.0-37) with RHEL-64 ipa server (ipa-server-3.0.0-26.el6_4.4).
2.Run following ipa command on client
   ipa user-show admin

Actual results:
[root@client65x86 ~]# ipa user-show admin
ipa: ERROR: Unknown option: no_members
[root@client65x86 ~]# 

Expected results:
# ipa user-show admin
ipa: ERROR: 2.49 client incompatible with 2.46 server at
u'https://vm-201.idm.lab.eng.brq.redhat.com/ipa/xml'
Comment 2 Martin Kosek 2013-10-07 08:46:22 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3963
Comment 6 Scott Poore 2014-04-10 22:31:49 UTC 
FYI, I also see similar when testing RHEL7 clients with RHEL6.5 servers:

ipa: ERROR: 2.65 client incompatible with 2.49 server at u'https://nocp9.testrelm.test/ipa/xml'
Comment 7 Scott Poore 2014-04-11 12:36:28 UTC 
FYI, Dev has confirmed that RHEL7 client to RHEL6.5 server won't work for "ipa" commands.  The design is "forward compatible" not "backward compatible".   6.5 clients to 7 servers should work but, my scenario will not.

Regards.
Comment 8 Martin Kosek 2014-06-13 10:11:52 UTC 
Fixed upstream:
ipa-3-0:
https://fedorahosted.org/freeipa/changeset/220539a3653b15e4f5679b53cab8e601abaf8990

ipa-3-1:
https://fedorahosted.org/freeipa/changeset/98f5abe37461844b42989766caee525c0d8864f8

ipa-3-2:
https://fedorahosted.org/freeipa/changeset/b4d2637fc43798669b8ea1bc6fe0f851fd30401a

ipa-3-3:
https://fedorahosted.org/freeipa/changeset/7486140e00c2f1e119250fb69040864fa902290d
Comment 9 Martin Kosek 2014-06-13 12:17:59 UTC 
master:
https://fedorahosted.org/freeipa/changeset/ba53299b98977308966039fad9518c79296bccbf
Comment 11 Kaleem 2014-07-03 12:54:59 UTC 
I tried on RHEL-6.6 client (build ipa-client-3.0.0-41.el6.x86_64) with RHEL-6.4 IPA server and found that issue is still there.

[root@hp-ms-01-c28 ~]# rpm -q ipa-client
ipa-client-3.0.0-41.el6.x86_64
[root@hp-ms-01-c28 ~]# ipa user-show admin
ipa: ERROR: Unknown option: no_members
[root@hp-ms-01-c28 ~]#
Comment 12 Kaleem 2014-08-11 16:04:24 UTC 
Any update on this?
Comment 13 Martin Kosek 2014-08-11 17:07:43 UTC 
Sorry, Comment 11 slipped between cracks. There was probably a misunderstanding of how the checks works.

The check itself is performed *on the server*. This means that only patched servers (RHEL-6.6 and later) will display the better error message. So for example, if we add a new option in RHEL-6.7 and RHEL-6.7 client would use it, RHEL-6.6 server would error out with the new message instead of "Unknown option" error.

As this fix is not reproducible right now, can it be only tested with SanityOnly, i.e. that user-show on RHEL-6.6 server works from the same or older IPA client?
Comment 14 Kaleem 2014-08-12 09:07:16 UTC 
Verified SanityOnly.

[root@dhcp207-60 ~]# echo xxxxxxx|kinit admin
Password for admin: 
[root@dhcp207-60 ~]# ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1572600000
  GID: 1572600000
  Account disabled: False
  Password: True
  Member of groups: admins, trust admins
  Kerberos keys available: True
[root@dhcp207-60 ~]# cat /etc/redhat-release ; rpm -q ipa-client
Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-client-3.0.0-37.el6.x86_64
[root@dhcp207-60 ~]#
Comment 15 errata-xmlrpc 2014-10-14 07:32:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1383.html
Note You need to log in before you can comment on or make changes to this bug.