Hide Forgot
Description of problem: Near as I can figure (this worked when the CA was not subordinate) when running ipa-client-install with an IPA server that is a subordinate CA, install fails with the following error: Operation failed! unsupported extended operation child exited with 9 Let me know what other information I can get to you. Version-Release number of selected component (if applicable): ipa-client-2.0-9.el6.x86_64 Additional info: ipa-join -s ipa.foo.com -d XML-RPC CALL: <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n <methodName>join</methodName>\r\n <params>\r\n <param><value><array><data>\r\n <value><string>sb.foo.com</string></value>\r\n </data></array></value></param>\r\n <param><value><struct>\r\n <member><name>nsosversion</name>\r\n <value><string>2.6.32-71.18.1.el6.x86_64</string></value></member>\r\n <member><name>nshardwareplatform</name>\r\n <value><string>x86_64</string></value></member>\r\n </struct></value></param>\r\n </params>\r\n </methodCall>\r\n XML-RPC RESPONSE: <?xml version='1.0' encoding='UTF-8'?>\n <methodResponse>\n <params>\n <param>\n <value><array><data>\n <value><string>fqdn=sb.foo.com,cn=computers,cn=accounts,dc=foo,dc=com</string></value>\n <value><struct>\n <member>\n <name>dn</name>\n <value><string>fqdn=sb.foo.com,cn=computers,cn=accounts,dc=foo,dc=com</string></value>\n </member>\n <member>\n <name>ipacertificatesubjectbase</name>\n <value><array><data>\n <value><string>O=FOO.COM</string></value>\n </data></array></value>\n </member>\n <member>\n <name>objectclass</name>\n <value><array><data>\n <value><string>ipaobject</string></value>\n <value><string>nshost</string></value>\n <value><string>ipahost</string></value>\n <value><string>pkiuser</string></value>\n <value><string>ipaservice</string></value>\n <value><string>krbprincipalaux</string></value>\n <value><string>krbprincipal</string></value>\n <value><string>top</string></value>\n </data></array></value>\n </member>\n <member>\n <name>fqdn</name>\n <value><array><data>\n <value><string>sb.foo.com</string></value>\n </data></array></value>\n </member>\n <member>\n <name>ipauniqueid</name>\n <value><array><data>\n <value><string>15b4ad20-4636-11e0-b5b2-f04da2090ae0</string></value>\n </data></array></value>\n </member>\n <member>\n <name>krbprincipalname</name>\n <value><array><data>\n <value><string>host/sb.foo.com</string></value>\n </data></array></value>\n </member>\n <member>\n <name>managedby_host</name>\n <value><array><data>\n <value><string>sb.foo.com</string></value>\n </data></array></value>\n </member>\n </struct></value>\n </data></array></value>\n </param>\n </params>\n </methodResponse>\n Operation failed! unsupported extended operation child exited with 9 Certificate subject base is: O=FOO.COM
What is the rpm version of the IPA server you are trying to join? The OID for the join extended operation changed so older clients will not work with newer servers.
freeipa-python-2.0.0.rc2-0.fc14.x86_64 freeipa-client-2.0.0.rc2-0.fc14.x86_64 freeipa-server-2.0.0.rc2-0.fc14.x86_64 freeipa-admintools-2.0.0.rc2-0.fc14.x86_64 freeipa-server-selinux-2.0.0.rc2-0.fc14.x86_64
What is interesting about this is that this same client with this same version of ipa-client-install worked with rc1 and the beta versions, so did something change in rc2 that made it incompatible? If not than it is probably the subordinate CA that is causing the issue because that is the only change I have made on my end of things, without subordinate CA worked, with failed. -Erinn
Yes, the OID for the join extended operation changed so pre rc2 clients won't work with rc2 servers. It is unrelated to any other changes you made.
Alright, sounds like this isn't really a bug then.