-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/09/2010 07:26 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> (resending to the list, I accidentally replied to Rob only before..)
>>>
>>> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>>>> Jakub Hrozek wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/154
>>>>>
>>>>> The second patch removes the /ipatest section that has been commented
>>>>> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore
>>>>> :-)
>>>>
>>>> Migration doesn't seem to be working. The migration page itself
>>>> comes up
>>>> fine and prompts for data but when I enter the password of a migrated
>>>> user I don't seem to be getting valid kerberos keys. kinit doesn't work
>>>> in any case. It could also be that I'm tired. Does a migrated account
>>>> work for you?
>>>>
>>>
>>> It does for me -- or at least I think it's working. This is how I
>>> tested:
>>> 1) migrate users from LDAP using the migrate-ds plugin.
>>> 2) try kinit - preauth will fail
>>> 3) go to the migration page, enter username/password This redirects me
>>> to the ui page if the credentials are correct.
>>> 4) kinit for the user works now
>>>
>>> This is on the current master + the two patches under review, on a F13
>>> host migrating from 389 DS on another F13 machine.
>>
>> I still can't get this to work on my F12 machine. The LDAP password is
>> ok, I confirmed that with ldapsearch.
>>
>> My process is as yours. I get redirected to the UI page which fails
>> because I haven't done a kinit yet. I go do the kinit and that fails.
>>
>> The KDC is logging:
>>
>> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH:
>> tus...@example.com for krbtgt/example....@example.com, Additional
>> pre-authentication required
>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth
>> (timestamp) verify failure: Decrypt integrity check failed
>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED:
>> tus...@example.com for krbtgt/example....@example.com, Decrypt integrity
>> check failed
>>
>> I think the timestamp part is bogus, I think this just means the
>> password is bad.
>>
>> I noticed that krbPrincipalKey is getting migrated as well. If I delete
>> this before trying the migration the password works.
>>
>> I find it unlikely that this is related to your mod_wsgi conversion so
>> I'm going to open a separate ticket on that and ack your changes.
>>
>> ACK
>>
>> rob
> 
> pushed to master

Thanks! Do you think it makes sense to also review and potentially push
the second patch in the original thread?
(jhrozek-freeipa-0003-Remove-some-more-mod_python-references.patch)

        Jakub
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzZq6sACgkQHsardTLnvCW2MQCgypQe6l8dLOt/mVzVNJ7gNg2Q
U2MAnA6KjZbUykGrOEf9MO8qWWqilVW9
=igLu
-----END PGP SIGNATURE-----

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to