- Original Message -
On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote:
On Mon, 04 Jun 2012, Martin Kosek wrote:
I did another round of testing and this is what I found so far:

1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that)

2) Unit tests need to be updated, currently there are about a dozen test case errors, e.g. extra ipakrbprincipalalias attribute in services or new ipakrbprincipal objectclass for hosts
Ok, will fix.
3) Replication did not work too well for me this time. ipa-replica-install reported just one issue during the installation process:

2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' returned non-zero exit status 247
Found and fixed. The issue was in not following RFC2849 when specifying multiple changetype operations: you need to split their definitions by a single line with '-' on it.

I squashed the fix back to the original patch.
But this may be just a symptom of some bigger issue. After the installation finished, DS did not start, it kept reporting Kerberos issues:
Does ps -ef|grep slapd show the ns-slapd process running?
[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-057.idm.lab.bos.redhat@idm.lab.bos.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
These last three lines mean the server is up and running.
[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin - agmt=cn=meTovm-125.idm.lab.bos.redhat.com (vm-125:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
These error messages should only appear at startup, and should go away once all
of the ipa components (especially kdc) are up and running.
When I run ipactl restart, dirsrv started and I was able to kinit. Maybe it is a timing issue?
4) Patch Add separate attribute to store trusted domain SID still has a wrong service part of the principal to be removed (s/ldap/cifs):
+dn3 = DN(u'cn=ipa-cifs-delegation-targets',
api.env.container_s4u2proxy, self.suffix)
+member_principal3 = ldap/%(fqdn)s@%(realm)s %
dict(fqdn=replica, realm=realm)
+
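Review bot: member_principal3 still names the ldap/ service while dn3 points at the cn=ipa-cifs-delegation-targets entry, so the uninstall path removes a principal that was never added there and the CIFS entry stays behind, which is the point raised in item 4; change it to cifs/%(fqdn)s@%(realm)s % dict(fqdn=replica, realm=realm) so that the removed value matches the one the install step added.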
This leaves the CIFS entry in the S4U2Proxy configuration even after replica uninstallation.
Fixed and squashed back to the original patch.
Btw. these are the packages I use:
389-ds-base-1.2.10.4-2.fc17.x86_64
krb5-server-1.10-5.fc17.x86_64
samba4-4.0.0-123alpha21.fc17.x86_64
Same here. For me anything newer than 1.2.10.4-2 will blow up 389-ds.
I tested your latest tree against w2k8r2 and was able to create and validate the trust. So ACK to the functional part.
bye,
Sumit
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
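The RFC 2849 point Alexander makes in the thread (a "changetype: modify" record that carries several add/delete/replace operations must close each one with a line holding a single '-') is illustrated below with an added example that is not part of the thread and not FreeIPA's code. The checker implements that part of the LDIF grammar and reports the same kind of "wrong attributeType" error ldapmodify printed in Martin's log. The entry DN, attribute names and principal in the two constructed records are assumptions, not the contents of the real replica-s4u2proxy.ldif; the record without separators is built so that the error falls on its fifth line, as in the log.

```python
"""RFC 2849 check for LDIF 'changetype: modify' records (added example, not
FreeIPA code): each add/delete/replace operation must be closed by a line that
holds a single '-'. Reproduces the thread's "wrong attributeType" failure."""
import re

MOD_OPS = ("add", "delete", "replace")

# Constructed samples; DN, attributes and principal are assumptions.
BROKEN_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.com@EXAMPLE.COM
add: ipaAllowedTarget
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
"""
FIXED_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.com@EXAMPLE.COM
-
add: ipaAllowedTarget
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
-
"""

class LdifError(ValueError):
    def __init__(self, lineno, message):
        super().__init__(f"line {lineno}: {message}")
        self.lineno = lineno

def _records(text):
    """Yield records as lists of (lineno, line), split on blank lines. '#' lines
    are comments; a line starting with a space continues the previous line."""
    block = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and block:
            block[-1] = (block[-1][0], block[-1][1] + raw[1:])
        elif raw.strip():
            block.append((n, raw))
        elif block:
            yield block
            block = []
    if block:
        yield block

def _split_attr(lineno, line):
    m = re.match(r"^([A-Za-z][\w.;-]*):\s*(.*)$", line)  # 'name: value'
    if not m:
        raise LdifError(lineno, "expected 'attribute: value'")
    return m.group(1), m.group(2)

def _parse_modify(block):
    n, line = block[0]
    attr, dn = _split_attr(n, line)
    if attr.lower() != "dn" or len(block) < 2:
        raise LdifError(n, "record must start with 'dn:' and a changetype")
    n, line = block[1]
    attr, value = _split_attr(n, line)
    if attr.lower() != "changetype" or value.lower() != "modify":
        raise LdifError(n, "expected 'changetype: modify'")
    mods, current = [], None  # current = [op, attribute, values] being filled
    for n, line in block[2:]:
        if line == "-":  # the terminator the RFC requires after every operation
            if current is None:
                raise LdifError(n, "'-' without a preceding add/delete/replace")
            mods.append(tuple(current))
            current = None
            continue
        attr, value = _split_attr(n, line)
        if current is None:  # first line of a mod-spec names the operation
            if attr.lower() not in MOD_OPS:
                raise LdifError(n, f"expected add/delete/replace, got {attr!r}")
            current = [attr.lower(), value, []]
            continue
        # Inside a mod-spec every line must carry the operation's attribute. With
        # the '-' missing, the next 'add: x' lands here: ldapmodify's complaint.
        if attr.lower() != current[1].lower():
            raise LdifError(n, f"wrong attributeType {attr!r}, expected {current[1]!r}")
        current[2].append(value)
    if current is not None:
        raise LdifError(block[-1][0], "last operation is not terminated by '-'")
    return dn, mods

def parse_modify_records(text):
    """Return [(dn, [(op, attribute, [values]), ...]), ...] or raise LdifError."""
    return [_parse_modify(block) for block in _records(text)]

def check_ldif(text):
    """None when every modify record is well formed, else the error text."""
    try:
        parse_modify_records(text)
        return None
    except LdifError as e:
        return str(e)
```

check_ldif(BROKEN_LDIF) reports line 5, because the parser is still collecting values for memberPrincipal when it meets "add: ipaAllowedTarget", while check_ldif(FIXED_LDIF) returns None and parse_modify_records yields the two add operations. The checker follows the RFC grammar strictly, so it also requires the '-' after the last operation. The entries under cn=s4u2proxy are the delegation ACL that decides which service principals may act on behalf of users and towards which targets, so a load that fails loudly, as the CRITICAL line in the log did, is preferable to one that silently installs something other than what was intended; running a check like this over generated LDIF before it reaches ldapmodify catches the separator mistake early.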