Finn Fysj via FreeIPA-users wrote:
>> Finn Fysj via FreeIPA-users wrote:
>>
>> What's the use-case for this?
>>
>> I think this is likely because migration currently doesn't support
>> user-private groups and a default IPA user doesn't have a memberof their
>> private groups.
>>
>> migrate-ds was designed to migrate users who used only LDAP to use IPA.
>> IPA to IPA migration is possible for users and groups but it's full of
>> pitfalls. This may be another one.
>>
>> rob
> Understood.
>
> When I try to delete the User Groups itself and try a new migration, the user
> will be member of these groups again...
>
>
> I'm experiencing a lot of inconsistency with my server + replica setup:
> - I'm not able to ssh into my IPA servers, even though I have created an
> allow_all HBAC. I don't find anything relevant in the logs after setting
> debug_level = 9, other than:
> [ipa_pam_access_handler_done] (0x0020): [RID#16] Unable to fetch HBAC rules [22]: Invalid argument.
> - In the log file I get the service: sshd, but shouldn't the log file also
> include testing of HBAC rules? Now it suddenly doesn't do this.

If SSSD doesn't have the rules it can't grant access.

> - Whenever I create a HBAC rule on my server, it takes a long time for it
> to be synced to the replica, however, if something is created on the replica
> server this is synced immediately.

You might try enabling replication debugging on your misbehaving server. It could tell you what is wrong.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
