On 01/11/2017 01:49 PM, Andy Brittingham wrote:
> Thanks! I will take a look at that.
>
> Andy

Hello Andy and Youenn,

To identify the root cause and potentially prevent it in the future: do you know which exact permissions had the replication conflict? And more importantly, how did you upgrade the servers? Was it one at a time with some delay between upgrades (so that replication can happen), or two or more servers more or less at the same time?

>
> On 1/9/17 8:37 AM, Youenn PIOLET wrote:
>> Hey there,
>>
>> I got the same issue after upgrading my servers to 4.4.0.
>> The problem comes from duplicate entries in:
>> cn=permissions,cn=pbac,dc=example,dc=com
>>
>> I think FreeIPA upgrade fails to create ACL on pbac specific entries,
>> resulting in a conflict entry creation.
>>
>> The problem is that SSSD on Ubuntu 14.04 is crashing when reading pbac
>> where cn contains symbol "+".
>> You should check if you got these conflict entries in
>> cn=permissions,cn=pbac,dc=example,dc=com and remove them.
>>
>> Ubuntu authentication was working for me directly after the suppression.
>>
>> Regards,
>>
>> --
>> Youenn Piolet
>> [email protected]
>>
>> 2017-01-09 8:56 GMT+01:00 Jakub Hrozek <[email protected]>:
>>
>> On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote:
>> > Sorry for the delay, was doing some troubleshooting.
>> >
>> > Here is what I know now:
>> >
>> > The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu
>> > 14.04).
>> >
>> > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.
>> >
>> > Users in the admin group can't log into these hosts.
>> >
>> > I created a newadmins group and assigned a new user to it. When I add the
>> > "User Administrator" role the new user can't log into the hosts with older
>> > sssd.
>> >
>> > As soon as I delete the "User Administrator" role, new user has access
>> > again.
>>
>> So is it a role membership or a group membership that makes the
>> difference?
>>
>> > I've pasted the last bit of logs from a sssd_domain log below. I'd be happy
>> > to forward the entire log, or additional logs if they will be helpful.
>>
>> The log only captures a user lookup, not a login, sorry..
>>
>> (This might be expected if you log in e.g. with an SSH key, in which
>> case journald should be the first thing to look at at least to pinpoint
>> which piece denied access..)
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>

--
Petr Vobornik
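One way to carry out the check Youenn describes above, as an added example that is not code from the thread or from the FreeIPA project: a small Python script that parses plain `ldapsearch -LLL` output of the `cn=permissions,cn=pbac` subtree, flags the 389 DS replication conflict entries (the `nsuniqueid=...+cn=...` RDNs that old SSSD trips over) and reports whether the canonical entry still exists, so an orphaned conflict copy is inspected rather than deleted blindly. The LDIF sample is constructed; the `nsds5ReplConflict` attribute is the one 389 DS sets on such entries.

```python
import re
CONFLICT_RDN = re.compile(r"^nsuniqueid=[0-9a-f-]+\+", re.I)  # 389 DS conflict RDN shape

# Constructed sample ldapsearch -LLL output: one clean entry, its conflict copy, and one orphaned conflict.
SAMPLE_LDIF = """\
dn: cn=System: Read Users,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read Users

dn: nsuniqueid=66a51e01-1dd211b2-8d0ca2a6-e31dbe73+cn=System: Read Users,cn=permis
 sions,cn=pbac,dc=example,dc=com
cn: System: Read Users
nsds5ReplConflict: namingConflict cn=System: Read Users,cn=permissions,cn=pbac,dc=example,dc=com

dn: nsuniqueid=9c4d2b10-1dd211b2-8d0ca2a6-e31dbe73+cn=System: Read Groups,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read Groups
"""

def parse_ldif(text):
    """Minimal parser for plain-text ldapsearch -LLL output (no base64 values)."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:          # folded continuation line
            entry[last][-1] += raw[1:]
        elif raw.strip():
            key, _, value = raw.partition(":")
            last = key.lower()
            entry.setdefault(last, []).append(value.strip())
        elif entry:                               # blank line ends an entry
            entries.append(entry)
            entry, last = {}, None
    return entries

def find_conflicts(entries):
    """Return (conflict_dn, canonical_dn, canonical_exists) for each conflict entry."""
    dns = {e["dn"][0].lower() for e in entries if "dn" in e}
    found = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not CONFLICT_RDN.match(dn):
            continue
        # 389 DS records the original DN in nsds5ReplConflict; otherwise derive it by
        # dropping the nsuniqueid= component from the RDN.
        hint = e.get("nsds5replconflict", [""])[0]
        canonical = hint.split(" ", 1)[1] if hint.startswith("namingConflict ") else CONFLICT_RDN.sub("", dn)
        found.append((dn, canonical, canonical.lower() in dns))
    return found

if __name__ == "__main__":
    for dn, canonical, ok in find_conflicts(parse_ldif(SAMPLE_LDIF)):
        print("safe to delete" if ok else "orphan, inspect first", dn, "->", canonical)
```

Feed it real output with `ldapsearch -LLL -b cn=permissions,cn=pbac,dc=example,dc=com` piped into `parse_ldif` instead of the constructed sample; only entries reported as having a canonical twin are candidates for removal, and doing the check on every replica shows whether the conflict was already replicated everywhere.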
