On 04/08/2015 01:40 PM, Alexander Frolushkin wrote:
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, April 08, 2015 5:12 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Martin Kosek'; email@example.com; Ludwig Krispenz; Thierry Bordaz
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
> On Wed, Apr 08, 2015 at 11:07:25AM +0000, Alexander Frolushkin wrote:
>> -----Original Message-----
>> From: Martin Kosek [mailto:mko...@redhat.com]
>> Sent: Wednesday, April 08, 2015 4:47 PM
>> To: Alexander Frolushkin (SIB); firstname.lastname@example.org; Ludwig
>> Krispenz; Thierry Bordaz; Jakub Hrozek
>> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>>>> In any case, upgrade from 3.3 to 4.1 should just work, you just need to
>>>> have recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
>>>> Please note, we currently have three servers with IPA 4.1.0, and 13
>>>> servers with IPA 3.3.3 working simultaneously.
>>>> Also about hbac:
>>>> [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read
>>> CCing Jakub, but this looks like
>> This is actually https://fedorahosted.org/sssd/ticket/2603
>> According to the RDN: "agreements+nsuniqueid=" there is a replication
>> conflict on the servers. Latest SSSD builds are able to handle those, but
>> you should fix the server anyway.
> Thank You!
> Conflict already has been resolved:
> # ldapsearch -D "uid=admin,cn=users,cn=accounts,dc=unix,dc=ad,dc=com" -W -b
> "nsds5ReplConflict=*" \* nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> # LDAPv3
> # base <nsds5ReplConflict=*> with scope subtree
> # filter: (objectclass=*)
> # requesting: * nsds5ReplConflict
> # search result
> search: 2
> result: 32 No such object
> # numResponses: 1
> After that, clients are able to log in via ssh on servers connected to 7.1
> servers, but still no login on client servers connected to 7.0 IPA servers...
Good! Does it only happen for users that have any RBAC role assigned or are
non-privileged users able to log in?
I suspect you may be hitting
fixed in RHEL-7.1 DS and IPA.
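
The ldapsearch output quoted in this thread ends in result 32 (noSuchObject), the code LDAP returns when the search base does not exist, which is different from a search that succeeds and matches no entries. The Python below is an added example, not code from the thread's participants or from the FreeIPA project: it classifies ldapsearch LDIF output from a conflict check so the two cases are not confused. The function name, the `dc=example,dc=test` suffix and the conflict entry are constructed for illustration, and plain (non-base64) `dn:` lines are assumed.

```python
import re
SUCCESS, NO_SUCH_OBJECT = 0, 32  # LDAP result codes (RFC 4511)

def assess_conflict_search(ldif_text):
    """Classify ldapsearch output from a replication-conflict query.
    Returns (verdict, conflict_dns); verdict is "conflicts", "clean",
    "invalid-base" (result 32: the base DN does not exist, so the search
    says nothing about conflicts) or "error".
    """
    text = re.sub(r"\r?\n ", "", ldif_text)  # unfold LDIF continuation lines
    result = re.search(r"^result:\s*(\d+)", text, re.MULTILINE)
    if result is None:
        return "error", []
    code = int(result.group(1))
    if code == NO_SUCH_OBJECT:
        return "invalid-base", []
    if code != SUCCESS:
        return "error", []
    conflicts = []
    for block in re.split(r"\n\s*\n", text):  # entries are blank-line separated
        lines = [l for l in block.splitlines() if not l.startswith("#")]
        dn = next((l[4:] for l in lines if l.lower().startswith("dn: ")), None)
        if dn and any(l.lower().startswith("nsds5replconflict:") for l in lines):
            conflicts.append(dn)
    return ("conflicts" if conflicts else "clean"), conflicts

# Output quoted in the thread (quote markers removed).
THREAD_OUTPUT = """\
# base <nsds5ReplConflict=*> with scope subtree
# filter: (objectclass=*)
search: 2
result: 32 No such object
"""

# Constructed sample: suffix as base, nsds5ReplConflict=* as filter.
CONSTRUCTED_OUTPUT = """\
# base <dc=example,dc=test> with scope subtree
# filter: (nsds5ReplConflict=*)

dn: cn=demo+nsuniqueid=00000000-00000000-00000000-00000000,cn=etc,dc=example,
 dc=test
nsds5ReplConflict: namingConflict cn=demo,cn=etc,dc=example,dc=test

search: 2
result: 0 Success
"""

if __name__ == "__main__":
    print(assess_conflict_search(THREAD_OUTPUT), assess_conflict_search(CONSTRUCTED_OUTPUT))
```

Only a "clean" verdict from a search rooted at the real suffix indicates that no conflict entries remain.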