On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
> On 10-03-14 17:03, Lukas Slebodnik wrote:
> >On (10/03/14 16:58), Lukas Slebodnik wrote:
> >>On (10/03/14 16:35), Jitse Klomp wrote:
> >>>On 10-03-14 16:10, Lukas Slebodnik wrote:
> >>>>On (10/03/14 15:19), Jitse Klomp wrote:
> >>>>>On 10-03-14 14:59, Jitse Klomp wrote:
> >>>>>>On 10-03-14 14:35, Lukas Slebodnik wrote:
> >>>>>>>On (10/03/14 13:55), Jitse Klomp wrote:
> >>>>>>>>Hello all,
> >>>>>>>>
> >>>>>>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
> >>>>>>>>migrate-ds I used some custom scripts to import all of our users (~250)
> >>>>>>>>and groups (~85) with IPA commands (ipa user-add etc.). To move
> >>>>>>>>passwords I configured the ipa-server to run in migration mode and did
> >>>>>>>>an ldapmodify like this:
> >>>>>>>>
> >>>>>>>>  dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
> >>>>>>>>  changetype: modify
> >>>>>>>>  replace: userPassword
> >>>>>>>>  userPassword: {SHA}hash
> >>>>>>>>
> >>>>>>>>Logging in to a machine running CentOS and ipa-client for the first time
> >>>>>>>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
> >>>>>>>>works. However, logging in to Fedora 20 for the first time throws a
> >>>>>>>>'permission denied'. Logging in to Fedora works after logging in to
> >>>>>>>>CentOS or the IPA migration web ui.
> >>>>>>>>
> >>>>>>>>sssd_domain.nl.log, loglevel 6
> >>>>>>>>Fedora log: http://pastebin.centos.org/8281/
> >>>>>>>>CentOS log: http://pastebin.centos.org/8286/
> >>>>>>>>
> >>>>>>>>Additional details:
> >>>>>>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
> >>>>>>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
> >>>>>>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
> >>>>>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler] (0x0400): All data has been sent!
> >>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler] (0x0400): EOF received, client finished
> >>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> >>>>>>>                                                                                          ^^^
> >>>>>>>                                               It means PAM_SYSTEM_ERR /* System error */
> >>>>>>>
> >>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Sending result [4][domain.nl]
> >>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Sent result [4][domain.nl]
> >>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler] (0x0100): child [19510] finished successfully.
> >>>>>>>
> >>>>>>>>
> >>>>>>>>Both CentOS and Fedora are fully up-to-date using only the base
> >>>>>>>>repos. Config of the clients is done with ipa-client-install.
> >>>>>>>>
> >>>>>>>
> >>>>>>>Could you attach log files with debug_level 9?
> >>>>>>>
> >>>>>>>LS
> >>>>>>>
> >>>>>>
> >>>>>>Sure. Just sssd_domain or do you need more?
> >>>>>>
> >>>>Are you using two different ipa servers?
> >>>>ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
> >>>>
> >>>>>>sssd_domain.nl.log, loglevel 9
> >>>>>>Fedora: http://pastebin.centos.org/8291/
> >>>>Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>
> >>>>>>CentOS: http://pastebin.centos.org/8296/
> >>>>Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
> >>>>
> >>>>>>
> >>>>>> - Jitse
> >>>>>>
> >>>>>
> >>>>>The problem is also present in RHEL7b with
> >>>>>ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
> >>>>>
> >>>>>sssd_domain.nl.log, loglevel 9
> >>>>>RHEL7b: http://pastebin.centos.org/8301/
> >>>>Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>
> >>>>Could you also provide krb5_child.log and ldap_child.log from the Fedora
> >>>>machine? (debug_level 9)
> >>>>
> >>>>LS
> >>>>
> >>>
> >>>No, I'm using only one ipa server (vm-ipa). I accidentally
> >>>copy-pasted without changing the domain name ;)
> >>>
> >>>>Any chance you could use the migrate-ds script to migrate users? I'm
> >>>>not 100% sure if your own upgrade method does the same thing..
> >>>I don't think so, our old LDAP schema is a mess...
> >>>
> >>>krb5_child.log: http://pastebin.centos.org/8306/
> >>
> >>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407384: Getting initial credentials for ji...@domain.nl
> >>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
> >>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.408202: Sending initial UDP request to dgram 10.14.3.15:88
> >>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425034: Received answer from dgram 10.14.3.15:88
> >>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425171: Response was from master KDC
> >>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: Received error from KDC: -1765328361/Password has expired
> >>[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
> >>[tgt_req_child] (0x1000): Password was expired
> >>
> >>It looks like the password is expired for user jitse.
> >>
> >My hands were faster than my mind.
> >
> >I wanted to write:
> >It looks like the password is expired for user jitse.
> >It is really weird because it works on CentOS.
> >Do you have synchronized time on all machines with the ipa server?
> >
> >LS
>
> Yes, time is in sync across all machines. I think the most
> interesting lines in the log are these:
>
> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823: Processing preauth types: 136, 19, 2, 133
>
> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support for encryption type]
>
> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [pack_response_packet] (0x2000): response packet size: [4]
>
> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [k5c_send_data] (0x4000): Response sent.
>
> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [main] (0x0400): krb5_child completed successfully
>
> This is where krb5_child on Fedora just stops working while
> krb5_child on CentOS does this: http://pastebin.centos.org/8316/
>

Can you send the krb5_child.log file with the success from CentOS as well?
Looks like we might handle some error codes differently after introducing
the sssd_errors code.

bye,
Sumit

>
>  - Jitse
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
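A small triage helper for the krb5_child traces discussed in this thread, added here as an example; it is not code from the thread or from SSSD. It pulls the principal, the KDC that answered, the preauth types offered and the error sequence out of a debug_level 9 krb5_child.log, so the Fedora and CentOS attempts can be compared side by side. The sample log is constructed to mirror the lines quoted above; the principal and pid in it are placeholders.

```python
import re

# krb5 error codes and preauth types seen in the thread's logs; names are the MIT
# krb5 error symbols (krb5_err.et) and the RFC 4120 / RFC 6113 PA-DATA types.
KRB5_ERRORS = {-1765328361: "KRB5KDC_ERR_KEY_EXP",
               -1765328234: "KRB5_PROG_ETYPE_NOSUPP"}
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 19: "PA-ETYPE-INFO2",
                 133: "PA-FX-COOKIE", 136: "PA-FX-FAST"}

RE_PRINCIPAL = re.compile(r"Getting initial credentials for (\S+)")
RE_KDC = re.compile(r"Received answer from \S+ (\S+)")
RE_PREAUTH = re.compile(r"Processing preauth types: ([\d, ]+)")
# the KDC's own error (libkrb5 trace) and the code krb5_child finally maps to a result
RE_KDC_ERROR = re.compile(r"Received error from KDC: (-?\d+)/(.+)$")
RE_MAPPED = re.compile(r"\[map_krb5_error\].*?\[(-?\d+)\]\[(.+?)\]")


def triage_krb5_child(log_text):
    """Summarise one authentication attempt from krb5_child.log (debug_level 9)."""
    s = {"principal": None, "kdc": None, "preauth": [], "errors": []}
    for line in log_text.splitlines():
        if m := RE_PRINCIPAL.search(line):
            s["principal"] = m.group(1)
        elif m := RE_KDC.search(line):
            s["kdc"] = m.group(1)
        elif m := RE_PREAUTH.search(line):
            types = [int(t) for t in m.group(1).split(",")]
            s["preauth"] = [PREAUTH_TYPES.get(t, f"PA-{t}") for t in types]
        elif m := (RE_KDC_ERROR.search(line) or RE_MAPPED.search(line)):
            code = int(m.group(1))
            # keep errors in log order so the KEY_EXP -> ETYPE_NOSUPP sequence is visible
            s["errors"].append((KRB5_ERRORS.get(code, str(code)), m.group(2).strip()))
    return s


# Constructed sample shaped like the Fedora krb5_child.log quoted in the thread
# (principal and pid are placeholders, not values from the list post).
SAMPLE_LOG = """\
(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[1234]]]] [sss_child_krb5_trace_cb] (0x4000): [1234] 1394465217.407384: Getting initial credentials for user1@DOMAIN.NL
(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[1234]]]] [sss_child_krb5_trace_cb] (0x4000): [1234] 1394465217.425034: Received answer from dgram 10.14.3.15:88
(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[1234]]]] [sss_child_krb5_trace_cb] (0x4000): [1234] 1394465217.425241: Received error from KDC: -1765328361/Password has expired
(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[1234]]]] [sss_child_krb5_trace_cb] (0x4000): [1234] 1394465217.441823: Processing preauth types: 136, 19, 2, 133
(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[1234]]]] [map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support for encryption type]
"""
```

Running `triage_krb5_child` over both hosts' logs and diffing the `errors` lists shows where the Fedora attempt diverges from the CentOS one.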