Thanks! I will take a look at that.

Andy

On 1/9/17 8:37 AM, Youenn PIOLET wrote:
> Hey there,
> 
> I got the same issue after upgrading my servers to 4.4.0
> The problem comes from duplicate entries in :
> cn=permissions,cn=pbac,dc=example,dc=com
> 
> I think FreeIPA upgrade fails to create ACL on pbac specific entries,
> resulting in a conflict entry creation.
> 
> The problem is that SSSD on Ubuntu 14.04 is crashing when reading pbac
> where cn contains symbol "+".
> You should check if you got these conflict entries in
> cn=permissions,cn=pbac,dc=example,dc=com and remove them. 
> 
> Ubuntu authentication was working for me directly after the suppression.
> 
> Regards,
> 
> --
> Youenn Piolet
> piole...@gmail.com <mailto:piole...@gmail.com>
> /
> /
> 
> 2017-01-09 8:56 GMT+01:00 Jakub Hrozek <jhro...@redhat.com
> <mailto:jhro...@redhat.com>>:
> 
>     On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote:
>     > Sorry for the delay, was doing some troubleshooting.
>     >
>     > Here is what I know now:
>     >
>     > The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu
>     > 14.04).
>     >
>     > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.
>     >
>     > Users in the admin group can't log into these hosts.
>     >
>     > I created a newadmins group and assigned a new user to it. When I add 
> the
>     > "User Administrator" role the new user can't log into the hosts with 
> older
>     > sssd.
>     >
>     > As soon as I delete the "User Administrator" role, new user has access
>     > again.
> 
>     So is it a role membership or a group membership that makes the
>     difference?
> 
>     >
>     > I've pasted the last bit of logs from a sssd_domain log below. I'd be 
> happy
>     > to forward the entire log, or additional logs if they will be helpful.
> 
>     The log only captures a user lookup, not a login, sorry..
> 
>     (This might be expected if you log in e.g. with an SSH key, in which
>     case journald should be the first thing to look at at least to poinpoint
>     which piece denied access..)
> 
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>     Go to http://freeipa.org for more info on the project
> 
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to