Bug 1015481 - client incompatible error message not shown on RHEL-65 ipa client
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.5
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: Namita Soman
Depends On:
Blocks: 1061410
Reported: 2013-10-04 07:11 EDT by Kaleem
Modified: 2014-10-14 03:32 EDT
Fixed In Version: ipa-3.0.0-38.el6
Doc Type: Known Issue
Doc Text:
The Identity Management administration framework API contains two checks to verify that a request on its API can be passed further:

1. A check to see if the client API version is not higher than the server API version. If it is, the request is rejected.
2. A check to see if the client API request does not use an attribute or a parameter unknown to the server. If it does, the request is rejected.

However, the Identity Management server performs the checks in an incorrect order: first, the attribute and parameter check is done and after that, the API version check is done. As a consequence, when a new client (for example, Red Hat Enterprise Linux 6.5) runs the ipa administration tool against a server with an earlier operating system (for example, Red Hat Enterprise Linux 6.4), the command returns a confusing error message; for example, instead of reporting the API incompatibility, ipa outputs the following message:

   $ ipa user-show admin
   ipa: ERROR: Unknown option: no_members
Last Closed: 2014-10-14 03:32:14 EDT
Type: Bug
Description Kaleem 2013-10-04 07:11:48 EDT
Description of problem:

After successfully installing the RHEL-65 ipa client (ipa-client-3.0.0-37) with a RHEL-64 IPA server (ipa-server-3.0.0-26.el6_4.4),
when I tried to run the ipa command on the client, the following error message was shown instead of the client incompatible error message

" ipa: ERROR: Unknown option: no_members "

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-37
ipa-server-3.0.0-26.el6_4.4

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-65 ipa client (ipa-client-3.0.0-37) with RHEL-64 ipa server (ipa-server-3.0.0-26.el6_4.4).
2. Run the following ipa command on the client
   ipa user-show admin

Actual results:
[root@client65x86 ~]# ipa user-show admin
ipa: ERROR: Unknown option: no_members
[root@client65x86 ~]# 

Expected results:
# ipa user-show admin
ipa: ERROR: 2.49 client incompatible with 2.46 server at
u'https://vm-201.idm.lab.eng.brq.redhat.com/ipa/xml'
Comment 2 Martin Kosek 2013-10-07 04:46:22 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3963
Comment 6 Scott Poore 2014-04-10 18:31:49 EDT
FYI, I also see similar when testing RHEL7 clients with RHEL6.5 servers:

ipa: ERROR: 2.65 client incompatible with 2.49 server at u'https://nocp9.testrelm.test/ipa/xml'
Comment 7 Scott Poore 2014-04-11 08:36:28 EDT
FYI, Dev has confirmed that RHEL7 client to RHEL6.5 server won't work for "ipa" commands. The design is "forward compatible", not "backward compatible". 6.5 clients to 7 servers should work, but my scenario will not.

Regards.
Comment 11 Kaleem 2014-07-03 08:54:59 EDT
I tried on a RHEL-6.6 client (build ipa-client-3.0.0-41.el6.x86_64) with a RHEL-6.4 IPA server and found that the issue is still there.

[root@hp-ms-01-c28 ~]# rpm -q ipa-client
ipa-client-3.0.0-41.el6.x86_64
[root@hp-ms-01-c28 ~]# ipa user-show admin
ipa: ERROR: Unknown option: no_members
[root@hp-ms-01-c28 ~]#
Comment 12 Kaleem 2014-08-11 12:04:24 EDT
Any update on this?
Comment 13 Martin Kosek 2014-08-11 13:07:43 EDT
Sorry, Comment 11 slipped between the cracks. There was probably a misunderstanding of how the check works.

The check itself is performed *on the server*. This means that only patched servers (RHEL-6.6 and later) will display the better error message. So for example, if we add a new option in RHEL-6.7 and RHEL-6.7 client would use it, RHEL-6.6 server would error out with the new message instead of "Unknown option" error.

As this fix is not reproducible right now, can it be only tested with SanityOnly, i.e. that user-show on RHEL-6.6 server works from the same or older IPA client?
Comment 14 Kaleem 2014-08-12 05:07:16 EDT
Verified SanityOnly.

[root@dhcp207-60 ~]# echo xxxxxxx|kinit admin
Password for admin@TESTRELM.TEST: 
[root@dhcp207-60 ~]# ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1572600000
  GID: 1572600000
  Account disabled: False
  Password: True
  Member of groups: admins, trust admins
  Kerberos keys available: True
[root@dhcp207-60 ~]# cat /etc/redhat-release ; rpm -q ipa-client
Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-client-3.0.0-37.el6.x86_64
[root@dhcp207-60 ~]#
Comment 15 errata-xmlrpc 2014-10-14 03:32:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1383.html
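
Added example (not part of the original bug report and not FreeIPA's code): a minimal model of the two server-side checks from the Doc Text, run in both orders, to show why an unpatched server answers a newer client with "Unknown option" while a server that checks the version first reports the incompatibility. All function names, the server URL and the option set other than no_members are assumptions made for illustration.

```python
# Added illustration; names are hypothetical, not FreeIPA's own code.

class RequestRejected(Exception):
    pass

def api_version(text):
    # Compare as integer tuples so that 2.100 sorts above 2.49.
    major, minor = text.split(".")
    return int(major), int(minor)

def check_version(request, server):
    # Check 1 from the Doc Text: client API version must not exceed the server's.
    if api_version(request["version"]) > api_version(server["version"]):
        raise RequestRejected("%s client incompatible with %s server at %r"
                              % (request["version"], server["version"], server["url"]))

def check_options(request, server):
    # Check 2 from the Doc Text: every option must be known to the server.
    for name in request["options"]:
        if name not in server["known_options"]:
            raise RequestRejected("Unknown option: %s" % name)

def handle(request, server, version_check_first):
    checks = [check_version, check_options]
    if not version_check_first:
        checks.reverse()  # the incorrect order described in the Doc Text
    try:
        for check in checks:
            check(request, server)
    except RequestRejected as err:
        return "ipa: ERROR: %s" % err
    return "accepted"

# Constructed sample data; only "no_members" and the version numbers come from the report.
OLD_SERVER = {"version": "2.46", "url": "https://ipa.example.test/ipa/xml",
              "known_options": {"all", "raw", "rights"}}
NEW_CLIENT_REQUEST = {"version": "2.49",
                      "options": {"all": False, "raw": False, "no_members": False}}
OLD_CLIENT_REQUEST = {"version": "2.46", "options": {"all": False, "raw": False}}

if __name__ == "__main__":
    print(handle(NEW_CLIENT_REQUEST, OLD_SERVER, version_check_first=False))
    print(handle(NEW_CLIENT_REQUEST, OLD_SERVER, version_check_first=True))
    print(handle(OLD_CLIENT_REQUEST, OLD_SERVER, version_check_first=True))
```

Because both checks run on the server, changing the order only helps on servers that carry the fix, which matches Comment 13.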
