Re: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches

Wed, 03 Jun 2015 09:38:42 -0700 

I have now managed to upgrade the replica as well.

I stumbled over a few additional problems:
1) whenever a user becomes member of a group with +nsuniqueid= in its name, the user can no longer login. The reason is that ldb_dn_validate doesn't like the + character, thus returns false, which causes get_ipa_groupname to return EINVAL, which causes the loop in hbac_eval_user_element to abort and return an error.
This seems to be quite draconian. Does it have to be like this? If so it would be nice if a clearer error message would be left somewhere more obvious than sssd -d 0xffff... 

2) I cannot change ssh keys, neither in the web gui nor on the cli.

# ipa -vv user-mod myuserid --sshpubkey= --all
ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json
ipa: INFO: Request: {
    "id": 0,
    "method": "ping",
    "params": [
        [],
        {}
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "ad...@xxxxx.com",
    "result": {
        "messages": [
            {
                "code": 13001,
"message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.114", 
                "name": "VersionMissing",
                "type": "warning"
            }
        ],
        "summary": "IPA server version 4.1.4. API version 2.114"
    },
    "version": "4.1.4"
}
ipa: INFO: Forwarding 'user_mod' to json server 'https://xxxxxserver.xxxxx.com/ipa/json' 
ipa: INFO: Request: {
    "id": 0,
    "method": "user_mod",
    "params": [
        [
            "t.sailer"
        ],
        {
            "all": true,
            "ipasshpubkey": null,
            "no_members": false,
            "random": false,
            "raw": false,
            "rights": false,
            "version": "2.114"
        }
    ]
}
ipa: INFO: Response: {
    "error": {
        "code": 4203,
        "message": "Type or value exists: ",
        "name": "DatabaseError"
    },
    "id": 0,
    "principal": "ad...@xxxxx.com",
    "result": null,
    "version": "4.1.4"
}
ipa: ERROR: Type or value exists:
I cannot find any more information in /var/log/httpd/error_log. But I can change the SSH keys directly talking to slapd... 

3) Is
[global]
debug=True
in /etc/ipa/ipa.conf supposed to change /var/log/httpd/error_log output? I cannot see any change... 

Thomas

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to