Re: [Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)

2011-12-19 Thread Rob Crittenden

Alexander Bokovoy wrote:
> On Mon, 19 Dec 2011, Craig T wrote:
>
> > Thanks for that, I will try it again tomorrow.
> >
> > Just curious, but I'm getting the impression that when we do finally
> > go live with IPA v2.x. It will take some monitoring to ensure that
> > clients are always compatible?
> >
> > I imagine that when Fedora 18 comes out, my "now" current IPA Server
> > may have issues with that ipa-client? Are Redhat planning to make
> > this backward and forward compatible? I only ask because at this
> > stage we don't have a SOE for our LAN.
>
> The change between 2.1.3 and 2.1.4 is a pro-active fix of potential
> cross-site request forgery tracked with CVE-2011-3636. Unfortunately,
> it required change of the communication protocol details which made
> old clients incompatible. You may read more details in Simo's mail on
> December 6th, sent to freeipa-devel@ and freeipa-users@:
> https://www.redhat.com/archives/freeipa-devel/2011-December/msg00107.html
>
> We have released updates to F15, F16, F17 (as 2.1.4), and various
> versions of RHEL5/RHEL6 (as a patch on top of 2.1.3), but on Fedora 16
> side critpath was blocked due to some issues with glibc packages which
> created a delay in package flows for more than two weeks.
>
> There are no protocol changes planned for IPAv2 anymore. In the scope
> of IPAv3 there will be command set extensions but we are doing our
> best to maintain backward compatibility for older clients so that they
> would be able to use the functionality they are aware of against newer
> servers, after CSRF fix.
>
> I hope that our effort preventing possible remote attacks on
> core piece of enterprise infrastructure will be helpful when you'll go
> live with your installation.


Also, this only affected client enrollment. An already enrolled client 
is be affected as long as the certmonger package is updated before the 
host SSL certificate expires (and then only if the client is actually 
using the cert).


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)

2011-12-19 Thread Alexander Bokovoy
On Mon, 19 Dec 2011, Craig T wrote:

> Thanks for that, I will try it again tomorrow.
> 
> Just curious, but I'm getting the impression that when we do finally 
> go live with IPA v2.x. It will take some monitoring to ensure that 
> clients are always compatible?
> 
> I imagine that when Fedora 18 comes out, my "now" current IPA Server 
> may have issues with that ipa-client? Are Redhat planning to make 
> this backward and forward compatible? I only ask because at this 
> stage we don't have a SOE for our LAN.
The change between 2.1.3 and 2.1.4 is a pro-active fix of potential 
cross-site request forgery tracked with CVE-2011-3636. Unfortunately, 
it required change of the communication protocol details which made 
old clients incompatible. You may read more details in Simo's mail on 
December 6th, sent to freeipa-devel@ and freeipa-users@: 
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00107.html

We have released updates to F15, F16, F17 (as 2.1.4), and various 
versions of RHEL5/RHEL6 (as a patch on top of 2.1.3), but on Fedora 16 
side critpath was blocked due to some issues with glibc packages which 
created a delay in package flows for more than two weeks.

There are no protocol changes planned for IPAv2 anymore. In the scope 
of IPAv3 there will be command set extensions but we are doing our 
best to maintain backward compatibility for older clients so that they 
would be able to use the functionality they are aware of against newer 
servers, after CSRF fix.

I hope that our effort preventing possible remote attacks on 
core piece of enterprise infrastructure will be helpful when you'll go 
live with your installation.
-- 
/ Alexander Bokovoy
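
An added example, not part of the thread and not FreeIPA's own code: a minimal server-side Referer check that produces the fault 911 quoted in the original post, exercised by a client that omits the header and one that sends it. The host names, the `/ipa` URL prefix and all function names are assumptions made for illustration.

```python
import xmlrpc.client

FAULT_REFERER = 911  # faultCode shown in the thread's XML-RPC response


def check_referer(headers, server_host):
    """Return None when the Referer is acceptable, otherwise an XML-RPC Fault."""
    # Assumption: legitimate requests originate from URLs under https://<server>/ipa.
    expected = "https://%s/ipa" % server_host
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if referer is None:
        return xmlrpc.client.Fault(FAULT_REFERER, "Missing or invalid HTTP Referer, missing")
    if referer != expected and not referer.startswith(expected + "/"):
        return xmlrpc.client.Fault(FAULT_REFERER, "Missing or invalid HTTP Referer, %s" % referer)
    return None


def handle_request(headers, body, server_host):
    """Server side: reject before parsing the call if the Referer check fails."""
    fault = check_referer(headers, server_host)
    if fault is not None:
        return xmlrpc.client.dumps(fault, methodresponse=True)
    params, method = xmlrpc.client.loads(body)
    # Stand-in for real command dispatch: report what would have run.
    result = {"method": method, "host": params[0][0]}
    return xmlrpc.client.dumps((result,), methodresponse=True)


def client_join(headers, server_host="ipa.example.test"):
    """Client side: send a constructed 'join' call and decode the reply."""
    body = xmlrpc.client.dumps(
        (["client.example.test"], {"nshardwareplatform": "x86_64"}), "join")
    reply = handle_request(headers, body, server_host)
    try:
        return xmlrpc.client.loads(reply)[0][0]
    except xmlrpc.client.Fault as fault:
        return (fault.faultCode, fault.faultString)


if __name__ == "__main__":
    print(client_join({}))                                              # no Referer sent
    print(client_join({"Referer": "https://ipa.example.test/ipa/xml"}))  # Referer sent
    print(client_join({"Referer": "https://other.example.test/page"}))   # foreign origin
```

A client that sends no Referer gets the same fault string as in the thread, which is why enrollment fails until the client package is updated.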



Re: [Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)

2011-12-19 Thread Craig T
Thanks for that, I will try it again tomorrow.

Just curious, but I'm getting the impression that when we do finally go live 
with IPA v2.x. It will take some monitoring to ensure that clients are always 
compatible? 

I imagine that when Fedora 18 comes out, my "now" current IPA Server may have 
issues with that ipa-client? Are Redhat planning to make this backward and 
forward compatible? I only ask because at this stage we don't have a SOE for 
our LAN.


cya

Craig


On Mon, Dec 19, 2011 at 10:30:38AM +0200, Alexander Bokovoy wrote:
> On Mon, 19 Dec 2011, Craig T wrote:
> 
> > Hi,
> > 
> > Has anyone done testing with the new RHEL6.2 and Fedora 16x64 client?
> > 
> > Server:
> > Red Hat Enterprise Linux Server release 6.2 (Santiago)
> > ipa-admintools-2.1.3-9.el6.x86_64
> > ipa-client-2.1.3-9.el6.x86_64
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > ipa-python-2.1.3-9.el6.x86_64
> > ipa-server-2.1.3-9.el6.x86_64
> > ipa-server-selinux-2.1.3-9.el6.x86_64
> > 
> > Client:
> > Fedora release 16 (Verne)
> > freeipa-client-2.1.3-5.fc16.x86_64
> > freeipa-python-2.1.3-5.fc16.x86_64
> Please use packages for 2.1.4 version for the clients (available in 
> updates-testing). 
> 
> -- 
> / Alexander Bokovoy



Re: [Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)

2011-12-19 Thread Alexander Bokovoy
On Mon, 19 Dec 2011, Craig T wrote:

> Hi,
> 
> Has anyone done testing with the new RHEL6.2 and Fedora 16x64 client?
> 
> Server:
> Red Hat Enterprise Linux Server release 6.2 (Santiago)
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
> 
> Client:
> Fedora release 16 (Verne)
> freeipa-client-2.1.3-5.fc16.x86_64
> freeipa-python-2.1.3-5.fc16.x86_64
Please use packages for 2.1.4 version for the clients (available in 
updates-testing). 

-- 
/ Alexander Bokovoy



Re: [Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)

2011-12-19 Thread Erinn Looney-Triggs
On 12/18/2011 03:55 PM, Craig T wrote:
> Hi,
>
> Has anyone done testing with the new RHEL6.2 and Fedora 16x64 client?
>
> Server:
> Red Hat Enterprise Linux Server release 6.2 (Santiago)
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Client:
> Fedora release 16 (Verne)
> freeipa-client-2.1.3-5.fc16.x86_64
> freeipa-python-2.1.3-5.fc16.x86_64
>
> Error:
> --
> \r\n
> \r\n
> join\r\n
> \r\n
> \r\n
> chtpc.teratext.saic.com.au\r\n
> \r\n
> \r\n
> nsosversion\r\n
> 3.1.5-2.fc16.x86_64\r\n
> nshardwareplatform\r\n
> x86_64\r\n
> \r\n
> \r\n
> \r\n
>
> XML-RPC RESPONSE:
>
> \n
> \n
> \n
> \n
> \n
> faultCode\n
> 911\n
> \n
> \n
> faultString\n
> Missing or invalid HTTP Referer, missing\n
> \n
> \n
> \n
> \n
>
> RPC failed at server.  Missing or invalid HTTP Referer, missing
> --
>
>
> Regards,
>
> Craig
>

Just did this yesterday myself and ran into no issues. I am on
updates-testing though so if you try the latest version of
freeipa-client it may work better for you.


freeipa-client-2.1.4-2.fc16.x86_64

I believe there was a security fix, something to do with something that
broke compatibility, so this may be what you are running into.

-Erinn



[Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)

2011-12-18 Thread Craig T
Hi,

Has anyone done testing with the new RHEL6.2 and Fedora 16x64 client?

Server:
Red Hat Enterprise Linux Server release 6.2 (Santiago)
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64

Client:
Fedora release 16 (Verne)
freeipa-client-2.1.3-5.fc16.x86_64
freeipa-python-2.1.3-5.fc16.x86_64

Error:
--
\r\n
\r\n
join\r\n
\r\n
\r\n
chtpc.teratext.saic.com.au\r\n
\r\n
\r\n
nsosversion\r\n
3.1.5-2.fc16.x86_64\r\n
nshardwareplatform\r\n
x86_64\r\n
\r\n
\r\n
\r\n

XML-RPC RESPONSE:

\n
\n
\n
\n
\n
faultCode\n
911\n
\n
\n
faultString\n
Missing or invalid HTTP Referer, missing\n
\n
\n
\n
\n

RPC failed at server.  Missing or invalid HTTP Referer, missing
--


Regards,

Craig
