I have now managed to upgrade the replica as well.
I stumbled over a few additional problems:
1) Whenever a user becomes a member of a group with +nsuniqueid= in its
name, the user can no longer log in. The reason is that ldb_dn_validate
doesn't like the + character and thus returns false, which causes
get_ipa_groupname to return EINVAL, which causes the loop in
hbac_eval_user_element to abort and return an error.
This seems to be quite draconian. Does it have to be like this? If so, it
would be nice if a clearer error message were left somewhere more
obvious than sssd -d 0xffff...
2) I cannot change ssh keys, neither in the web gui nor on the cli.
# ipa -vv user-mod myuserid --sshpubkey= --all
ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json
ipa: INFO: Request: {
    "id": 0,
    "method": "ping",
    "params": [
        [],
        {}
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "ad...@xxxxx.com",
    "result": {
        "messages": [
            {
                "code": 13001,
                "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.114",
                "name": "VersionMissing",
                "type": "warning"
            }
        ],
        "summary": "IPA server version 4.1.4. API version 2.114"
    },
    "version": "4.1.4"
}
ipa: INFO: Forwarding 'user_mod' to json server 'https://xxxxxserver.xxxxx.com/ipa/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "user_mod",
    "params": [
        [
            "t.sailer"
        ],
        {
            "all": true,
            "ipasshpubkey": null,
            "no_members": false,
            "random": false,
            "raw": false,
            "rights": false,
            "version": "2.114"
        }
    ]
}
ipa: INFO: Response: {
    "error": {
        "code": 4203,
        "message": "Type or value exists: ",
        "name": "DatabaseError"
    },
    "id": 0,
    "principal": "ad...@xxxxx.com",
    "result": null,
    "version": "4.1.4"
}
ipa: ERROR: Type or value exists:
I cannot find any more information in /var/log/httpd/error_log. But I
can change the SSH keys by talking directly to slapd...
3) Is
[global]
debug=True
in /etc/ipa/ipa.conf supposed to change /var/log/httpd/error_log output?
I cannot see any change...
Thomas
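Added example (not part of the original message, and not FreeIPA or SSSD code): a small audit that lists which users are members of a group whose DN contains an RDN with +nsuniqueid= in it, the condition described in point 1 above. The function names and the sample memberOf values are constructed assumptions; in practice the DNs would be read from the directory.

```python
# Added example: helper names are hypothetical, sample data is constructed.
def split_unescaped(s, sep):
    """Split s on sep, skipping backslash-escaped or quoted separators."""
    parts, cur, i, quoted = [], [], 0, False
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts

def conflict_rdns(dn):
    """Return RDNs of dn that are multi-valued and include nsuniqueid."""
    hits = []
    for rdn in split_unescaped(dn, ","):
        avas = [a.strip().lower() for a in split_unescaped(rdn, "+")]
        if len(avas) > 1 and any(a.startswith("nsuniqueid=") for a in avas):
            hits.append(rdn.strip())
    return hits

def audit_memberships(memberships):
    """Map user -> group DNs that contain a '+nsuniqueid=' RDN."""
    report = {}
    for user, dns in memberships.items():
        bad = [dn for dn in dns if conflict_rdns(dn)]
        if bad:
            report[user] = bad
    return report

# Constructed memberOf values (not taken from the message).
SUFFIX = "cn=groups,cn=accounts,dc=example,dc=test"
SAMPLE = {
    "alice": ["cn=admins," + SUFFIX],
    "bob": ["cn=devs+nsuniqueid=0a1b2c3d-00000000-00000000-00000000," + SUFFIX,
            "cn=ipausers," + SUFFIX],
    "carol": ["cn=c\\+\\+ team," + SUFFIX],  # escaped '+' is not flagged
}
```

Calling audit_memberships(SAMPLE) reports only bob, whose first group DN has the multi-valued RDN; carol's escaped plus signs are left alone.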