On Mon, 04 Jun 2012, Martin Kosek wrote:
I did another round of testing and this is what I found so far:

1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed
that)

2) Unit tests need to be updated, currently there is about a dozen test
case errors, e.g. extra ipakrbprincipalalias attribute in services or
new ipakrbprincipal objectclass for hosts
Ok, will fix.

3) Replication did not work too well for me this time.
ipa-replica-install reported just one issue during installation process:

2012-06-04T09:42:51Z DEBUG   [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h
vm-057.idm.lab.bos.redhat.com -v -f /tmp/       tmpifHccf -x -D
cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG
stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry
"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
dc=lab,dc=bos,dc=redhat,dc=com"

2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif:
Command '/usr/bin/ldapmodify -h   vm-057.idm.lab.bos.redhat.com -v
-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV'
returned non-zero exit status 247
Found and fixed. The issue was in not following RFC2849 when specifying
multiple changetype operations, you need to split their definitions by a
single line with '-' on it.

I squashed the fix back to the original patch.

But this may be just a symptom of some bigger issue. After the
installation finished, DS did not start, it kept reporting Kerberos
issues:

[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial
credentials for principal
[ldap/vm-057.idm.lab.bos.redhat....@idm.lab.bos.redhat.com] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started.  Listening on All
Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening
on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Credentials cache
file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin -
agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication
bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (Credentials cache file '/tmp/krb5cc_498' not
found))

When I run "ipactl restart", dirsrv started and I was able to kinit.
Maybe it is timing issue?


4) Patch "Add separate attribute to store trusted domain SID" still has
a wrong service part of the principal to be removed (s/ldap/cifs):

+        dn3 = DN(u'cn=ipa-cifs-delegation-targets',
api.env.container_s4u2proxy, self.suffix)
+        member_principal3 = "ldap/%(fqdn)s@%(realm)s" %
dict(fqdn=replica, realm=realm)
+

This leaves CIFS entry in the S4U2Proxy configuration even after replica
uninstallation.
Fixed and squashed back to the original patch.

Btw. these are the packages I use:
389-ds-base-1.2.10.4-2.fc17.x86_64
krb5-server-1.10-5.fc17.x86_64
samba4-4.0.0-123alpha21.fc17.x86_64
Same here. For me anything newer 1.2.10.4-2 will blow 389-ds.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to