Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> (resending to the list, I accidentally replied to Rob only before..)
>>
>> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> https://fedorahosted.org/freeipa/ticket/154
>>>>
>>>> The second patch removes the /ipatest section that has been commented out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)
>>>
>>> Migration doesn't seem to be working. The migration page itself comes up fine and prompts for data but when I enter the password of a migrated user I don't seem to be getting valid kerberos keys. kinit doesn't work in any case.
>>>
>>> It could also be that I'm tired. Does a migrated account work for you?
>>
>> It does for me -- or at least I think it's working. This is how I tested:
>>
>> 1) migrate users from LDAP using the migrate-ds plugin.
>> 2) try kinit - preauth will fail
>> 3) go to the migration page, enter username/password
>>    This redirects me to the ui page if the credentials are correct.
>> 4) kinit for the user works now
>>
>> This is on the current master + the two patches under review, on an F13 host migrating from 389 DS on another F13 machine.
>
> I still can't get this to work on my F12 machine. The LDAP password is ok, I confirmed that with ldapsearch. My process is as yours. I get redirected to the UI page which fails because I haven't done a kinit yet. I go do the kinit and that fails.
>
> The KDC is logging:
>
> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tus...@example.com for krbtgt/example@example.com, Additional pre-authentication required
> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: tus...@example.com for krbtgt/example@example.com, Decrypt integrity check failed
>
> I think the timestamp part is bogus, I think this just means the password is bad.
>
> I noticed that krbPrincipalKey is getting migrated as well. If I delete this before trying the migration the password works.
>
> I find it unlikely that this is related to your mod_wsgi conversion so I'm going to open a separate ticket on that and ack your changes.
>
> ACK
>
> rob

pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
On 11/09/2010 07:26 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> (resending to the list, I accidentally replied to Rob only before..)
>>>
>>> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>>>> Jakub Hrozek wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/154
>>>>>
>>>>> The second patch removes the /ipatest section that has been commented out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)
>>>>
>>>> Migration doesn't seem to be working. The migration page itself comes up fine and prompts for data but when I enter the password of a migrated user I don't seem to be getting valid kerberos keys. kinit doesn't work in any case.
>>>>
>>>> It could also be that I'm tired. Does a migrated account work for you?
>>>
>>> It does for me -- or at least I think it's working. This is how I tested:
>>>
>>> 1) migrate users from LDAP using the migrate-ds plugin.
>>> 2) try kinit - preauth will fail
>>> 3) go to the migration page, enter username/password
>>>    This redirects me to the ui page if the credentials are correct.
>>> 4) kinit for the user works now
>>>
>>> This is on the current master + the two patches under review, on an F13 host migrating from 389 DS on another F13 machine.
>>
>> I still can't get this to work on my F12 machine. The LDAP password is ok, I confirmed that with ldapsearch. My process is as yours. I get redirected to the UI page which fails because I haven't done a kinit yet. I go do the kinit and that fails.
>>
>> The KDC is logging:
>>
>> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tus...@example.com for krbtgt/example@example.com, Additional pre-authentication required
>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: tus...@example.com for krbtgt/example@example.com, Decrypt integrity check failed
>>
>> I think the timestamp part is bogus, I think this just means the password is bad.
>>
>> I noticed that krbPrincipalKey is getting migrated as well. If I delete this before trying the migration the password works.
>>
>> I find it unlikely that this is related to your mod_wsgi conversion so I'm going to open a separate ticket on that and ack your changes.
>>
>> ACK
>>
>> rob
>
> pushed to master

Thanks!

Do you think it makes sense to also review and potentially push the second patch in the original thread? (jhrozek-freeipa-0003-Remove-some-more-mod_python-references.patch)

Jakub
Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
Jakub Hrozek wrote:
> (resending to the list, I accidentally replied to Rob only before..)
>
> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> https://fedorahosted.org/freeipa/ticket/154
>>>
>>> The second patch removes the /ipatest section that has been commented out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)
>>
>> Migration doesn't seem to be working. The migration page itself comes up fine and prompts for data but when I enter the password of a migrated user I don't seem to be getting valid kerberos keys. kinit doesn't work in any case.
>>
>> It could also be that I'm tired. Does a migrated account work for you?
>
> It does for me -- or at least I think it's working. This is how I tested:
>
> 1) migrate users from LDAP using the migrate-ds plugin.
> 2) try kinit - preauth will fail
> 3) go to the migration page, enter username/password
>    This redirects me to the ui page if the credentials are correct.
> 4) kinit for the user works now
>
> This is on the current master + the two patches under review, on an F13 host migrating from 389 DS on another F13 machine.

I still can't get this to work on my F12 machine. The LDAP password is ok, I confirmed that with ldapsearch. My process is as yours. I get redirected to the UI page which fails because I haven't done a kinit yet. I go do the kinit and that fails.

The KDC is logging:

Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tus...@example.com for krbtgt/example@example.com, Additional pre-authentication required
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: tus...@example.com for krbtgt/example@example.com, Decrypt integrity check failed

I think the timestamp part is bogus, I think this just means the password is bad.

I noticed that krbPrincipalKey is getting migrated as well. If I delete this before trying the migration the password works.

I find it unlikely that this is related to your mod_wsgi conversion so I'm going to open a separate ticket on that and ack your changes.

ACK

rob

>>> This could be related to redoing the 389-ds password plugin as I did all previous testing before we did the file split.
>>>
>>> I also have two questions:
>>>
>>> 1) how should exceptions be handled? In the patch, I only explicitly handle exceptions that could happen very easily (like, password being wrong, or the LDAP server down..). Anything else would just trigger 500 Server Error.. I think that's ok as long as we provide enough logging to point the admin in the right direction.
>>>
>>> 2) When playing with the migration command line plugin, I noticed that it can only handle RFC2307bis groups (member: dn) and has the objectclass for groups hardcoded to (|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)). I think it would be worthwhile (and easy, too!) to modify the plugin to accept also RFC2307 schema and allow specifying a different objectclass (posixGroup might come handy..). Thoughts?
>>
>> Yes, that sounds like a good enhancement. Great idea.
>
> OK: https://fedorahosted.org/freeipa/ticket/429 (taken, since I was already poking at the plugin anyway)
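Added example (not FreeIPA code, not from anyone in the thread) for the failure mode Rob describes above: it parses krb5kdc lines in the format he pasted to flag PREAUTH_FAILED entries carrying the integrity-check message, and it strips Kerberos key attributes from an LDAP entry before migration so that the new realm derives keys from the password entered on the migration page. The krbLastPwdChange and krbExtraData names, the helper names and the sample log values are assumptions.

```python
import re

# Kerberos key material that must not be copied from the source directory:
# keys left over from another realm (or none at all) make preauth fail with
# "Decrypt integrity check failed" until the user re-enters the password on
# the migration page and fresh keys are generated. krbPrincipalKey is from
# the thread; krbLastPwdChange and krbExtraData (krb5 LDAP schema) are an
# assumed extension of that list.
KRB_KEY_ATTRS = frozenset(
    a.lower() for a in ("krbPrincipalKey", "krbLastPwdChange", "krbExtraData")
)

def sanitize_migrated_entry(entry):
    """Copy of an LDAP entry (dict attr -> list of values) without key material."""
    return {k: v for k, v in entry.items() if k.lower() not in KRB_KEY_ATTRS}

# krb5kdc log line layout, modelled on the lines quoted in the thread.
_KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[\d+\]"
    r"\((?P<level>\w+)\): (?P<msg>.*)$"
)

def stale_key_failures(log_lines):
    """Return [(host, principal)] for AS_REQ lines that end in PREAUTH_FAILED
    with the integrity-check message: the signature of a user whose entry
    still carries keys from the old directory (or simply a wrong password)."""
    hits = []
    for line in log_lines:
        m = _KDC_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "PREAUTH_FAILED: " in msg and "Decrypt integrity check failed" in msg:
            principal = msg.split("PREAUTH_FAILED: ", 1)[1].split(" for ", 1)[0]
            hits.append((m.group("host"), principal))
    return hits

# Constructed sample log (hostname, pid, address and principal are made up).
SAMPLE_LOG = [
    "Nov 08 15:48:48 kdc.example.test krb5kdc[100](info): AS_REQ (7 etypes "
    "{18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: tuser@EXAMPLE.TEST for "
    "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Nov 08 15:48:50 kdc.example.test krb5kdc[100](info): preauth (timestamp) "
    "verify failure: Decrypt integrity check failed",
    "Nov 08 15:48:50 kdc.example.test krb5kdc[100](info): AS_REQ (7 etypes "
    "{18 17 16 23 1 3 2}) 192.0.2.10: PREAUTH_FAILED: tuser@EXAMPLE.TEST for "
    "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed",
]
```

A repeated hit for the same principal right after a migration is the case to check for leftover krbPrincipalKey values; a single hit is indistinguishable from a mistyped password.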
Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
(resending to the list, I accidentally replied to Rob only before..)

On 11/02/2010 04:24 AM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> https://fedorahosted.org/freeipa/ticket/154
>>
>> The second patch removes the /ipatest section that has been commented out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)
>
> Migration doesn't seem to be working. The migration page itself comes up fine and prompts for data but when I enter the password of a migrated user I don't seem to be getting valid kerberos keys. kinit doesn't work in any case.
>
> It could also be that I'm tired. Does a migrated account work for you?

It does for me -- or at least I think it's working. This is how I tested:

1) migrate users from LDAP using the migrate-ds plugin.
2) try kinit - preauth will fail
3) go to the migration page, enter username/password
   This redirects me to the ui page if the credentials are correct.
4) kinit for the user works now

This is on the current master + the two patches under review, on an F13 host migrating from 389 DS on another F13 machine.

>> This could be related to redoing the 389-ds password plugin as I did all previous testing before we did the file split.
>>
>> I also have two questions:
>>
>> 1) how should exceptions be handled? In the patch, I only explicitly handle exceptions that could happen very easily (like, password being wrong, or the LDAP server down..). Anything else would just trigger 500 Server Error.. I think that's ok as long as we provide enough logging to point the admin in the right direction.
>>
>> 2) When playing with the migration command line plugin, I noticed that it can only handle RFC2307bis groups (member: dn) and has the objectclass for groups hardcoded to (|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)). I think it would be worthwhile (and easy, too!) to modify the plugin to accept also RFC2307 schema and allow specifying a different objectclass (posixGroup might come handy..). Thoughts?
>
> Yes, that sounds like a good enhancement. Great idea.

OK: https://fedorahosted.org/freeipa/ticket/429 (taken, since I was already poking at the plugin anyway)
Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/154
>
> The second patch removes the /ipatest section that has been commented out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)

Migration doesn't seem to be working. The migration page itself comes up fine and prompts for data but when I enter the password of a migrated user I don't seem to be getting valid kerberos keys. kinit doesn't work in any case.

It could also be that I'm tired. Does a migrated account work for you?

> This could be related to redoing the 389-ds password plugin as I did all previous testing before we did the file split.
>
> I also have two questions:
>
> 1) how should exceptions be handled? In the patch, I only explicitly handle exceptions that could happen very easily (like, password being wrong, or the LDAP server down..). Anything else would just trigger 500 Server Error.. I think that's ok as long as we provide enough logging to point the admin in the right direction.
>
> 2) When playing with the migration command line plugin, I noticed that it can only handle RFC2307bis groups (member: dn) and has the objectclass for groups hardcoded to (|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)). I think it would be worthwhile (and easy, too!) to modify the plugin to accept also RFC2307 schema and allow specifying a different objectclass (posixGroup might come handy..). Thoughts?

Yes, that sounds like a good enhancement. Great idea.

rob
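Added example (not the migrate-ds plugin's code) for the enhancement discussed in question 2 above: a filter builder that takes the group objectclasses as a parameter instead of hardcoding the groupOfNames/groupOfUniqueNames pair, escaping the operator-supplied names so they cannot alter the filter, plus member extraction for both RFC2307 (memberUid) and RFC2307bis (member DN) groups. The function names, the schema argument and the sample entries are assumptions.

```python
import re

# The pair the thread says is currently hardcoded in the plugin.
DEFAULT_GROUP_OBJECTCLASSES = ("groupOfNames", "groupOfUniqueNames")

def _escape_filter(value):
    """RFC 4515 escaping: an objectclass name taken from configuration must
    not be able to inject extra filter terms."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def group_filter(group_objectclasses=DEFAULT_GROUP_OBJECTCLASSES):
    """Build (|(objectclass=a)(objectclass=b)...) for the configured classes;
    adding posixGroup makes RFC2307 groups match as well."""
    if not group_objectclasses:
        raise ValueError("at least one group objectclass is required")
    terms = "".join("(objectclass=%s)" % _escape_filter(oc)
                    for oc in group_objectclasses)
    return "(|%s)" % terms if len(group_objectclasses) > 1 else terms

def group_members(entry, schema):
    """Return sorted member uids from one group entry (dict attr -> values).
    'rfc2307'    -> memberUid holds bare user names
    'rfc2307bis' -> member / uniqueMember hold DNs; take the uid RDN value"""
    attrs = {k.lower(): v for k, v in entry.items()}
    if schema == "rfc2307":
        return sorted(attrs.get("memberuid", []))
    if schema == "rfc2307bis":
        uids = set()
        for dn in attrs.get("member", []) + attrs.get("uniquemember", []):
            attr, _, value = dn.split(",", 1)[0].partition("=")
            if attr.strip().lower() == "uid":   # cn=... RDNs are not users
                uids.add(value.strip())
        return sorted(uids)
    raise ValueError("unknown schema: %r" % schema)

# Constructed sample entries (not from any real directory).
POSIX_GROUP = {"cn": ["devs"], "objectClass": ["posixGroup"],
               "memberUid": ["bob", "alice"]}
BIS_GROUP = {"cn": ["devs"], "objectClass": ["groupOfNames"],
             "member": ["uid=alice,ou=people,dc=example,dc=test",
                        "cn=Bob,ou=people,dc=example,dc=test"]}
```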