Description of problem:
RHEL7 IPA client doesn't work with RHEL6 IDM server

Version-Release number of selected component (if applicable):
RHEL7 client: ipa-client-3.3.3-5.el7.x86_64
RHEL6 server: ipa-server-3.0.0-37.el6.x86_64

How reproducible:

Steps to Reproduce:
1. set up ipa-server on RHEL6
2. set up ipa-client on RHEL7
3. subscribe RHEL7 IDM client to RHEL6 IDM server

Actual results:
[root@www2 ~]# ipa user-find example
ipa: ERROR: 2.65 client incompatible with 2.49 server at u'https://idm1.example.com/ipa/xml'

Expected results:
[root@www2 etc]# ipa user-find example
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

Additional info:
changing API_VERSION=u'2.49' in /usr/lib/python2.7/site-packages/ipapython/version.py fixes/hides the problem.

Hello Jeremy, this is expected behavior. *ipa management tool* only maintains forward compatibility. Other client functionality (read SSSD) is of course backward compatible. You will get identity, authentication, authorization or policy services on your RHEL-7 IPA client connected to RHEL-6 IPA server. As this is a common question, I created a wiki article about it on upstream wiki: http://www.freeipa.org/page/Client#Compatibility
hi martin, that's good information. as i would imagine most noobs to rhel7 will be running the new ipa client on rhel6 servers, do you think it's worth adding a "--dont-protect-me-from-myself" flag to ipa ? if all we want to do is use the tool to verify ipa is configured properly on the client, an "ipa --dont-protect-me-from-myself user-find username" is probably an acceptable query.
"ipa" is really just a management command to objects in FreeIPA. It is not something that regular FreeIPA users need to use or have on their client machines. If you want to check FreeIPA client services (identity, authentication, authorization or central policies like sudo), it is better to try them directly instead of calling FreeIPA management command:

$ id $SOME_IPA_USER
$ kinit $SOME_IPA_USER
$ klist

... something like that. I think you are more or less looking for a client troubleshooting tool (RFE filed in https://fedorahosted.org/freeipa/ticket/4008).
I would say that this specific issue would be CLOSED WONTFIX. Any objections?
I saw no further update from Jeremy, so I assume there are no objections. This is not something that FreeIPA should fix. Closing as WONTFIX.