On Mon, Mar 10, 2014 at 09:10:01PM +0100, Jitse Klomp wrote:
> On 10-03-14 20:34, Sumit Bose wrote:
> >On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote:
> >>On 10-03-14 18:57, Sumit Bose wrote:
> >>>On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
> >>>>On 10-03-14 17:03, Lukas Slebodnik wrote:
> >>>>>On (10/03/14 16:58), Lukas Slebodnik wrote:
> >>>>>>On (10/03/14 16:35), Jitse Klomp wrote:
> >>>>>>>On 10-03-14 16:10, Lukas Slebodnik wrote:
> >>>>>>>>On (10/03/14 15:19), Jitse Klomp wrote:
> >>>>>>>>>On 10-03-14 14:59, Jitse Klomp wrote:
> >>>>>>>>>>On 10-03-14 14:35, Lukas Slebodnik wrote:
> >>>>>>>>>>>On (10/03/14 13:55), Jitse Klomp wrote:
> >>>>>>>>>>>>Hello all,
> >>>>>>>>>>>>
> >>>>>>>>>>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using migrate-ds I used some custom scripts to import all of our users (~250) and groups (~85) with IPA commands (ipa user-add etc.). To move passwords I configured the ipa-server to run in migration mode and did an ldapmodify like this:
> >>>>>>>>>>>>
> >>>>>>>>>>>> dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
> >>>>>>>>>>>> changetype: modify
> >>>>>>>>>>>> replace: userPassword
> >>>>>>>>>>>> userPassword: {SHA}hash
> >>>>>>>>>>>>
> >>>>>>>>>>>>Logging in to a machine running CentOS and ipa-client for the first time works like a charm, a krbPrincipalKey is generated and Kerberos 'just' works. However, logging in to Fedora 20 for the first time throws a 'permission denied'. Logging in to Fedora works after logging in to CentOS or the IPA migration web ui.
> >>>>>>>>>>>>
> >>>>>>>>>>>>sssd_domain.nl.log, loglevel 6
> >>>>>>>>>>>>Fedora log: http://pastebin.centos.org/8281/
> >>>>>>>>>>>>CentOS log: http://pastebin.centos.org/8286/
> >>>>>>>>>>>>
> >>>>>>>>>>>>Additional details:
> >>>>>>>>>>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
> >>>>>>>>>>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
> >>>>>>>>>>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
> >>>>>>>>>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>>>>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler] (0x0400): All data has been sent!
> >>>>>>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler] (0x0400): EOF received, client finished
> >>>>>>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> >>>>>>>>>>>                                                                                                         ^^^
> >>>>>>>>>>> It means PAM_SYSTEM_ERR /* System error */
> >>>>>>>>>>>
> >>>>>>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Sending result [4][domain.nl]
> >>>>>>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Sent result [4][domain.nl]
> >>>>>>>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler] (0x0100): child [19510] finished successfully.
> >>>>>>>>>>>
> >>>>>>>>>>>>Both CentOS and Fedora are fully up-to-date using only the base repos. Config of the clients is done with ipa-client-install.
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>Could you attach log files with debug_level 9?
> >>>>>>>>>>>
> >>>>>>>>>>>LS
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>Sure. Just sssd_domain or do you need more?
> >>>>>>>>>>
> >>>>>>>>Are you using two different ipa servers?
> >>>>>>>>ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
> >>>>>>>>
> >>>>>>>>>>sssd_domain.nl.log, loglevel 9
> >>>>>>>>>>Fedora: http://pastebin.centos.org/8291/
> >>>>>>>>Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>>>
> >>>>>>>>>>CentOS: http://pastebin.centos.org/8296/
> >>>>>>>>Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
> >>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> - Jitse
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>The problem is also present in RHEL7b with ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
> >>>>>>>>>
> >>>>>>>>>sssd_domain.nl.log, loglevel 9
> >>>>>>>>>RHEL7b: http://pastebin.centos.org/8301/
> >>>>>>>>Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>>>
> >>>>>>>>Could you also provide krb5_child.log and ldap_child.log from fedora machine? (debug_level 9)
> >>>>>>>>
> >>>>>>>>LS
> >>>>>>>>
> >>>>>>>
> >>>>>>>No, I'm using only one ipa server (vm-ipa). I accidentally copy-pasted without changing the domain name ;)
> >>>>>>>
> >>>>>>>>Any chance you could use the migrate-ds script to migrate users? I'm not 100% sure if your own upgrade method does the same thing..
> >>>>>>>I don't think so, our old LDAP schema is a mess...
> >>>>>>>
> >>>>>>>krb5_child.log: http://pastebin.centos.org/8306/
> >>>>>>
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407384: Getting initial credentials for ji...@domain.nl
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.408202: Sending initial UDP request to dgram 10.14.3.15:88
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425034: Received answer from dgram 10.14.3.15:88
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425171: Response was from master KDC
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: Received error from KDC: -1765328361/Password has expired
> >>>>>>[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
> >>>>>>[tgt_req_child] (0x1000): Password was expired
> >>>>>>
> >>>>>>It looks like the password is expired for user jitse.
> >>>>>>
> >>>>>My hands were faster than my mind.
> >>>>>
> >>>>>I wanted to write:
> >>>>>It looks like the password is expired for user jitse.
> >>>>>It is really weird because it works on Centos.
> >>>>>Do you have a synchronized time on all machines with ipa server?
> >>>>>
> >>>>>LS
> >>>>
> >>>>Yes, time is in sync across all machines.
> >>>>I think the most interesting lines in the log are these:
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823: Processing preauth types: 136, 19, 2, 133
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support for encryption type]
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [pack_response_packet] (0x2000): response packet size: [4]
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [k5c_send_data] (0x4000): Response sent.
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [main] (0x0400): krb5_child completed successfully
> >>>>
> >>>>This is where krb5_child on fedora just stops working while krb5_child on CentOS does this: http://pastebin.centos.org/8316/
> >>>>
> >>>
> >>>Can you send the krb5_child.log file with the success from CentOS as well? Looks like we might handle some error codes differently after introducing the sssd_errors code.
> >>>
> >>>bye,
> >>>Sumit
> >>>
> >>>>
> >>>> - Jitse
> >>
> >>That last pastebin (http://pastebin.centos.org/8316/) was krb5_child.log from a successful first-time login on centos.
> >
> >Thanks. Can you try to set 'allow_weak_crypto = true' in the libdefaults section of krb5.conf on F20 or RHEL7?
> >
> >bye,
> >Sumit
> >
> >>
> >>>I'd be curious what the krbPasswordExpiration is for this user.
> >>See http://pastebin.centos.org/8321/ for a password migration and output of ldapsearch.
> >>
> >>Output of ldapsearch *after* logging in to CentOS for the first time:
> >> krbPasswordExpiration: 20140310183603Z
> >> krbLastPwdChange: 20140310183603Z
> >> krbExtraData:: AAITBh5Tcm9vdC9hZG1pbkBBLUVTS1dBRFJBQVQuTkwA
> >> krbLastFailedAuth: 20140310185101Z
> >> krbLoginFailedCount: 1
> >>
> >> - Jitse
>
> Yes, here you go: http://pastebin.centos.org/8331/
>
> It doesn't seem to be a lot different from the old one...
Thank you. Maybe there is a change in return codes between MIT Kerberos 1.10 (Centos 6) and 1.11 (F20, RHEL7). Can you try to run KRB5_TRACE=/dev/stdout kinit unmigrated_u...@domain.nl on the different platforms and paste the results? I would expect to see [Preauthentication failed] on Centos6 and [Program lacks support for encryption type] on F10 or RHEL7.

bye,
Sumit

>
> - Jitse
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
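The thread's diagnosis rests on reading raw krb5 error numbers and preauth-type numbers out of krb5_child.log. The helper below is an added example, not code from the thread, sssd or MIT Kerberos: it decodes the codes quoted above ([-1765328361], [-1765328234]) against MIT's com_err table base, names the preauth types in the "Processing preauth types" line, and turns the excerpt into a short verdict. The log lines are constructed from the ones quoted above; the mapping of table indices to names is the one MIT Kerberos uses, and the verdict strings are this example's own wording.

```python
import re
from datetime import datetime, timezone

# MIT krb5 com_err table base: error code = KRB5_ERROR_BASE + table index.
KRB5_ERROR_BASE = -1765328384
KRB5_ERRORS = {23: "KRB5KDC_ERR_KEY_EXP",          # Password has expired
               24: "KRB5KDC_ERR_PREAUTH_FAILED",   # Preauthentication failed
               150: "KRB5_PROG_ETYPE_NOSUPP"}      # Program lacks support for encryption type
# Preauth type numbers (RFC 4120 / RFC 6113) as seen in the quoted trace line.
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE", 136: "PA-FX-FAST"}

ERR_RE = re.compile(r"\[(-\d+)\]\[([^\]]+)\]")          # sssd's [code][message] form
PA_RE = re.compile(r"Processing preauth types: ([\d, ]+)")
TS_RE = re.compile(r"\] (\d{10}\.\d+):")                # krb5 trace epoch timestamp

def krb5_error_name(code):
    """Symbolic name for a negative krb5 com_err code such as -1765328234."""
    return KRB5_ERRORS.get(code - KRB5_ERROR_BASE, "KRB5_UNKNOWN(%d)" % code)

def triage(lines):
    """Summarise a krb5_child.log excerpt: first UTC timestamp, preauth types, errors, verdict."""
    out = {"first_ts": None, "preauth": [], "errors": [], "verdict": "no krb5 error in excerpt"}
    for line in lines:
        m = TS_RE.search(line)
        if m and out["first_ts"] is None:
            ts = datetime.fromtimestamp(float(m.group(1)), timezone.utc)
            out["first_ts"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        m = PA_RE.search(line)
        if m:
            out["preauth"] = [PA_TYPES.get(int(n), "PA-%s" % n.strip()) for n in m.group(1).split(",")]
        m = ERR_RE.search(line)
        if m:
            out["errors"].append((krb5_error_name(int(m.group(1))), m.group(2)))
    names = {name for name, _ in out["errors"]}
    if "KRB5_PROG_ETYPE_NOSUPP" in names:
        out["verdict"] = ("client lacks an enctype the KDC requires for this principal; "
                          "compare krb5 enctype settings with a client where login works")
    elif "KRB5KDC_ERR_KEY_EXP" in names:
        out["verdict"] = "KDC reports the key expired; check krbPasswordExpiration for the principal"
    return out

# Constructed excerpts modelled on the lines quoted in the thread (not the real pastebins).
FEDORA_LINES = [
    "[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823: Processing preauth types: 136, 19, 2, 133",
    "[map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support for encryption type]",
]
EXPIRED_LINES = [
    "[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: Received error from KDC: -1765328361/Password has expired",
    "[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]",
]

if __name__ == "__main__":
    for label, lines in (("fedora", FEDORA_LINES), ("expired", EXPIRED_LINES)):
        print(label, triage(lines))
```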