thin client does not work against servers without API schema at all:
[root@f24-master ~]# ipa -vv -e xmlrpc_uri=https://id.vda.li/ipa/xml config-show
ipa: INFO: trying https://id.vda.li/ipa/json
ipa: INFO: Request: {
    "id": 0,
    "method": "ping",
    "params": [
        [],
        {}
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@VDA.LI",
    "result": {
        "messages": [
            {
                "code": 13001,
                "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.156",
                "name": "VersionMissing",
                "type": "warning"
            }
        ],
        "summary": "IPA server version 4.2.3. API version 2.156"
    },
    "version": "4.2.3"
}
ipa: INFO: Forwarding 'config_show/1' to json server 'https://id.vda.li/ipa/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "config_show/1",
    "params": [
        [],
        {
            "version": "2.210"
        }
    ]
}
ipa: INFO: Response: {
    "error": {
        "code": 905,
        "message": "unknown command 'config_show/1'",
        "name": "CommandError"
    },
    "id": 0,
    "principal": "admin@VDA.LI",
    "result": null,
    "version": "4.2.3"
}
ipa: ERROR: unknown command 'config_show/1'

The same happens for every other command, so I cannot even test the behavior. It works against the same server that the thin client is on.

[root@f24-master ~]# ipa -vv config-show
ipa: INFO: trying https://f24-master.ipa.ad.test/ipa/json
ipa: INFO: Forwarding 'config_show/1' to json server 'https://f24-master.ipa.ad.test/ipa/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "config_show/1",
    "params": [
        [],
        {
            "version": "2.210"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@IPA.AD.TEST",
    "result": {
        "result": {
            "ca_renewal_master_server": "f24-master.ipa.ad.test",
            "ca_server_server": [
                "f24-master.ipa.ad.test"
            ],
            "dn": "cn=ipaConfig,cn=etc,dc=ipa,dc=ad,dc=test",
            "ipa_master_server": [
                "f24-master.ipa.ad.test"
            ],
            "ipacertificatesubjectbase": [
                "O=IPA.AD.TEST"
            ],
            "ipaconfigstring": [
                "AllowNThash"
            ],
            "ipadefaultemaildomain": [
                "ipa.ad.test"
            ],
            "ipadefaultloginshell": [
                "/bin/sh"
            ],
            "ipadefaultprimarygroup": [
                "ipausers"
            ],
            "ipagroupsearchfields": [
                "cn,description"
            ],
            "ipahomesrootdir": [
                "/home"
            ],
            "ipakrbauthzdata": [
                "nfs:NONE",
                "MS-PAC"
            ],
            "ipamaxusernamelength": [
                "32"
            ],
            "ipamigrationenabled": [
                "FALSE"
            ],
            "ipapwdexpadvnotify": [
                "4"
            ],
            "ipasearchrecordslimit": [
                "100"
            ],
            "ipasearchtimelimit": [
                "2"
            ],
            "ipaselinuxusermapdefault": [
                "unconfined_u:s0-s0:c0.c1023"
            ],
            "ipaselinuxusermaporder": [
                "guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
            ],
            "ipausersearchfields": [
                "uid,givenname,sn,telephonenumber,ou,title"
            ],
            "ntp_server_server": [
                "f24-master.ipa.ad.test"
            ]
        },
        "summary": null,
        "value": null
    },
    "version": "4.4.0.201607151226GIT37bfd1f"
}
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: ipa.ad.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=IPA.AD.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC
  IPA masters: f24-master.ipa.ad.test
  IPA CA servers: f24-master.ipa.ad.test
  IPA NTP servers: f24-master.ipa.ad.test
  IPA CA renewal master: f24-master.ipa.ad.test

This was the result of a stale cache made with an untrusted (at the time) CA cert from that IPA install. Once the cache was cleared in ~/.cache/ipa/servers/<server.name>, the CLI started working against the older server.
Metadata Update from @abbra: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE