Jakub Hrozek wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/09/2010 07:26 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Jakub Hrozek wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
(resending to the list, I accidentally replied to Rob only before..)
On 11/02/2010 04:24 AM, Rob Crittenden wrote:
Jakub Hrozek wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
https://fedorahosted.org/freeipa/ticket/154
The second patch removes the /ipatest section that has been commented
out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore
:-)
Migration doesn't seem to be working. The migration page itself
comes up
fine and prompts for data but when I enter the password of a migrated
user I don't seem to be getting valid kerberos keys. kinit doesn't work
in any case. It could also be that I'm tired. Does a migrated account
work for you?
It does for me -- or at least I think it's working. This is how I
tested:
1) migrate users from LDAP using the migrate-ds plugin.
2) try kinit - preauth will fail
3) go to the migration page, enter username/password This redirects me
to the ui page if the credentials are correct.
4) kinit for the user works now
This is on the current master + the two patches under review, on a F13
host migrating from 389 DS on another F13 machine.
I still can't get this to work on my F12 machine. The LDAP password is
ok, I confirmed that with ldapsearch.
My process is as yours. I get redirected to the UI page which fails
because I haven't done a kinit yet. I go do the kinit and that fails.
The KDC is logging:
Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH:
tus...@example.com for krbtgt/example....@example.com, Additional
pre-authentication required
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth
(timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED:
tus...@example.com for krbtgt/example....@example.com, Decrypt integrity
check failed
I think the timestamp part is bogus, I think this just means the
password is bad.
I noticed that krbPrincipalKey is getting migrated as well. If I delete
this before trying the migration the password works.
I find it unlikely that this is related to your mod_wsgi conversion so
I'm going to open a separate ticket on that and ack your changes.
ACK
rob
pushed to master
Thanks! Do you think it makes sense to also review and potentially push
the second patch in the original thread?
(jhrozek-freeipa-0003-Remove-some-more-mod_python-references.patch)
Sorry, I knew it was there, missed it when I was pushing.
ack and pushed to master
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
