Thanks! I will take a look at that.

Andy

On 1/9/17 8:37 AM, Youenn PIOLET wrote:
> Hey there,
>
> I got the same issue after upgrading my servers to 4.4.0
> The problem comes from duplicate entries in :
> cn=permissions,cn=pbac,dc=example,dc=com
>
> I think FreeIPA upgrade fails to create ACL on pbac specific entries,
> resulting in a conflict entry creation.
>
> The problem is that SSSD on Ubuntu 14.04 is crashing when reading pbac
> where cn contains symbol "+".
> You should check if you got these conflict entries in
> cn=permissions,cn=pbac,dc=example,dc=com and remove them.
>
> Ubuntu authentication was working for me directly after the suppression.
>
> Regards,
>
> --
> Youenn Piolet
> [email protected]
>
> 2017-01-09 8:56 GMT+01:00 Jakub Hrozek <[email protected]>:
>
> On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote:
> > Sorry for the delay, was doing some troubleshooting.
> >
> > Here is what I know now:
> >
> > The problem is on Ubuntu hosts using older sssd versions 1.11.8
> > (Ubuntu 14.04).
> >
> > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.
> >
> > Users in the admin group can't log into these hosts.
> >
> > I created a newadmins group and assigned a new user to it. When I add
> > the "User Administrator" role the new user can't log into the hosts
> > with older sssd.
> >
> > As soon as I delete the "User Administrator" role, new user has access
> > again.
>
> So is it a role membership or a group membership that makes the
> difference?
>
> > I've pasted the last bit of logs from a sssd_domain log below. I'd be
> > happy to forward the entire log, or additional logs if they will be
> > helpful.
>
> The log only captures a user lookup, not a login, sorry..
>
> (This might be expected if you log in e.g. with an SSH key, in which
> case journald should be the first thing to look at at least to pinpoint
> which piece denied access..)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
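
The check suggested in the quoted reply (look for conflict entries under cn=permissions,cn=pbac), as an added example that is not part of the original thread: it scans LDIF text, such as ldapsearch returns for that subtree, and lists entries whose first RDN carries "+nsuniqueid=" or that have the nsds5ReplConflict attribute, which is how 389 Directory Server marks replication conflicts. The entry names, nsuniqueid values and function names are constructed for illustration.

```python
import base64
import re

BASE = "cn=permissions,cn=pbac,dc=example,dc=com"
# Constructed sample LDIF (entry names and nsuniqueid values are made up).
_B64_DN = base64.b64encode(
    f"cn=System: Add Users+nsuniqueid=aaaa1111-bbbb2222-cccc3333-dddd4444,{BASE}".encode()
).decode()
SAMPLE_LDIF = f"""\
dn: cn=System: Read Roles,{BASE}
cn: System: Read Roles

dn: cn=System: Read Roles+nsuniqueid=0a1b2c3d-11111111-22222222-33333333,cn=p
 ermissions,cn=pbac,dc=example,dc=com
cn: System: Read Roles
nsds5ReplConflict: namingConflict cn=System: Read Roles,{BASE}

dn:: {_B64_DN}
cn: System: Add Users
"""

# A conflict entry's first RDN is multi-valued: "cn=<name>+nsuniqueid=<id>".
CONFLICT_RDN = re.compile(r"^[^,]*\+nsuniqueid=", re.IGNORECASE)

def parse_ldif(text):
    """Unfold continuation lines; return a list of {attr: [values]} entries."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def find_conflicts(entries, base=BASE):
    """Return DNs under base that look like replication conflict entries."""
    # nsds5ReplConflict is operational: present only if the search requested it.
    return [e["dn"][0] for e in entries
            if e["dn"][0].lower().endswith(base.lower())
            and (CONFLICT_RDN.search(e["dn"][0]) or "nsds5replconflict" in e)]

if __name__ == "__main__":
    print(*find_conflicts(parse_ldif(SAMPLE_LDIF)), sep="\n")
```

The RDN pattern catches conflict entries even when the search did not request the operational attribute, which is why the base64-encoded third entry is still reported.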
