Hide Forgot
Description of problem: Install IPA Server 4.2 and join client with IPA Client 4.4 If user invoke any unsupported command on client, then it triggers following error message # kdestroy -A # kinit admin Password for admin@TESTRELM.TEST: # klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin@TESTRELM.TEST Valid starting Expires Service principal 07/18/2016 16:05:10 07/19/2016 16:05:08 krbtgt/TESTRELM.TEST@TESTRELM.TEST # ipa -vvv ca-add ipa: INFO: trying https://dhcp201-172.testrelm.test/ipa/json ipa: INFO: Forwarding 'schema' to json server 'https://dhcp201-172.testrelm.test/ipa/json' ipa: INFO: trying https://dhcp201-172.testrelm.test/ipa/json ipa: INFO: Forwarding 'env' to json server 'https://dhcp201-172.testrelm.test/ipa/json' <snip> </snip> ipa: INFO: operation aborted # rpm -q ipa-client ipa-client-4.4.0-2.1.el7.x86_64 File /var/log/httpd/error_log on Server contains [Mon Jul 18 06:34:01.725121 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS [Mon Jul 18 06:34:08.872626 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError [Mon Jul 18 06:34:08.958584 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS [Mon Jul 18 06:34:17.307152 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError [Mon Jul 18 06:34:17.392404 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS [Mon Jul 18 06:34:37.415954 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError [Mon Jul 18 06:34:37.666269 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS [Mon Jul 18 06:34:45.663847 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError [Mon Jul 18 06:34:45.765081 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS Version-Release number of selected component (if applicable): IPA Server = ipa-server-4.2.0-15.el7_2.17.x86_64 IPA Client = ipa-client-4.4.0-2.1.el7.x86_64 How reproducible: 100% Actual results: Command goes in infinite loop. Expected results: Command should warn about non-availability of feature or command ipa: ERROR: unknown command 'ca-add' or something similar
root cause sounds similar to https://fedorahosted.org/freeipa/ticket/6089, Honza, do you want to clone this or just link it?
Petr, clone please, this is not related to #6089.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6095
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6069
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/47a693d17430e82787d9704637c022a2fcac531a https://fedorahosted.org/freeipa/changeset/229e2a1ed9ea9877cb5e879fadd99f9040f77c96
Following are some observations while using IPA 4.4 client with IPA 4.2 server [root@vm-idm-010 ~]# ipa -v commands ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ^Cexception in SSLSocket.auth_certificate_func Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 43, in auth_certificate_callback def auth_certificate_callback(sock, check_sig, is_server, certdb): KeyboardInterrupt ipa: ERROR: cannot connect to 'https://vm-idm-003.testrelm.test/ipa/session/json': (SEC_ERROR_EXTENSION_NOT_FOUND) Certificate extension not found. [root@vm-idm-010 ~]# ipa -v ca-add/1 ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ^C ipa: INFO: operation aborted
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6e6cbda036559e741ead0ab5ba18b0be0b41621e
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ec2401917456d6f643532c0d0218c9e75172c2d8 ipa-4-4: https://fedorahosted.org/freeipa/changeset/2be232f67074ef052debb91962dbc8acd09d45bd
Verified using IPA version:: ipa-server-4.4.0-10.el7.x86_64 Verification Steps :: 1. Install IPA Server on RHEL 7.2 2. Install IPA Client on RHEL 7.3 3. Try IPA 4.4 version command [root@beast ~]# ipa ca-add ipa: ERROR: unknown command 'ca-add' [root@beast ~]# ipa topologysegment-show ipa: ERROR: unknown command 'topologysegment-show' [root@beast ~]# ipa topologysuffix-show ipa: ERROR: unknown command 'topologysuffix-show' [root@beast ~]# echo Secret123 |kinit 123 kinit: Client '123@TESTRELM.TEST' not found in Kerberos database while getting initial credentials [root@beast ~]# echo Secret123 |kinit admin Password for admin@TESTRELM.TEST: [root@beast ~]# ipa ping ------------------------------------------- IPA server version 4.2.0. API version 2.156 ------------------------------------------- [root@beast ~]# rpm -q ipa-server ipa-server-4.4.0-10.el7.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html