Re: [Freeipa-devel] [PATCH] 947 fix syntax in 30-s4u2proxy.update
On Wed, 2012-02-15 at 11:23 +0100, Martin Kosek wrote:
> On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> > >> Remove quotes around a value in 30-s4u2proxy.update. The update was
> > >> failing to apply.
> > >>
> > >> I also noticed that FQDN wasn't being set properly in all cases in
> > >> sub_dict. This should fix it.
> > >>
> > >> rob
> > >
> > > This patch did not apply for me. I guess it depends on some other patch
> > > that fixes wrong DN in s4u2proxy ipaAllowedTargets:
> > >
> > > -default: ipaAllowedTarget:
> > > 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
> > > +default: ipaAllowedTarget:
> > > cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
> > >
> > > Current update file says:
> > >
> > > default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
> > >
> > > which is a non-existent DN.
> > >
> > > Martin
> > >
> >
> > It relies on patch 941
>
> Yeah, that's the one.
>
> I am now testing all the upgrade patches, but s4u2proxy does not work
> for me yet on upgraded server instance (tested on F16). krb5kdc keeps
> reporting decrypt errors:
>
> /var/log/krb5kdc.log:
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
> for , Decrypt integrity check failed
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
> for , Decrypt integrity check failed
>
> New installs on the same machine work though. I am still trying to find
> out the root cause of this.
>
> Martin
>

Ok, we found out the root cause. The problem was that Apache CCACHE from
previous install was not removed. Rob's patch 949 fixes that.

ACK for this patch. Pushed to master, ipa-2-2.

Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
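
A small parser for the krb5kdc.log lines quoted in this thread, added here as an illustration and not part of the original messages or of FreeIPA: it counts `PROCESS_TGS` requests that end in `Decrypt integrity check failed` per client address, which is the pattern the stale Apache ccache produced. The third sample line, the `example.test` names and the repeat threshold of 2 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: the two log entries quoted in the thread (rejoined onto
# one line each) plus one made-up successful request that must be skipped.
SAMPLE_LOG = """\
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info): TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0, for , Decrypt integrity check failed
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info): TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0, for , Decrypt integrity check failed
Feb 15 04:26:10 kdc.example.test krb5kdc[872](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1329298000, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.TEST for HTTP/web.example.test@EXAMPLE.TEST
"""

# Matches only TGS requests rejected at the PROCESS_TGS stage with a decrypt
# failure. In the thread's lines authtime is 0 and no principals are logged.
FAILED_TGS = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<client>\S+): "
    r"PROCESS_TGS: authtime (?P<authtime>\d+),.*?"
    r"Decrypt integrity check failed\s*$"
)


def failed_tgs_by_client(log_text):
    """Count PROCESS_TGS decrypt failures per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_TGS.match(line.strip())
        if match:
            counts[match.group("client")] += 1
    return counts


def repeat_offenders(log_text, threshold=2):
    """Clients that keep presenting a ticket the KDC cannot decrypt.

    Repeats from one address are what a leftover credential cache looks
    like: the same stale ticket is replayed on every request. The threshold
    is an assumed value for this example, not a FreeIPA setting.
    """
    counts = failed_tgs_by_client(log_text)
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for client in repeat_offenders(SAMPLE_LOG):
        print(f"{client}: repeated TGS decrypt failures, check for stale ccache")
```
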
Re: [Freeipa-devel] [PATCH] 947 fix syntax in 30-s4u2proxy.update
Martin Kosek wrote:
> On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> > > > Remove quotes around a value in 30-s4u2proxy.update. The update was
> > > > failing to apply.
> > > >
> > > > I also noticed that FQDN wasn't being set properly in all cases in
> > > > sub_dict. This should fix it.
> > > >
> > > > rob
> > >
> > > This patch did not apply for me. I guess it depends on some other patch
> > > that fixes wrong DN in s4u2proxy ipaAllowedTargets:
> > >
> > > -default: ipaAllowedTarget:
> > > 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
> > > +default: ipaAllowedTarget:
> > > cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
> > >
> > > Current update file says:
> > >
> > > default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
> > >
> > > which is a non-existent DN.
> > >
> > > Martin
> >
> > It relies on patch 941
>
> Yeah, that's the one.
>
> I am now testing all the upgrade patches, but s4u2proxy does not work
> for me yet on upgraded server instance (tested on F16). krb5kdc keeps
> reporting decrypt errors:
>
> /var/log/krb5kdc.log:
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
> for , Decrypt integrity check failed
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
> for , Decrypt integrity check failed
>
> New installs on the same machine work though. I am still trying to find
> out the root cause of this.
>
> Martin

Turned out a stale Apache ccache was in /tmp. I've created a new ticket
and patch for that.

Martin also noticed that allowedTargets wasn't being set properly on new
installs. Updated patch attached.

rob

freeipa-rcrit-947-2-upgrade.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 947 fix syntax in 30-s4u2proxy.update
On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> >> Remove quotes around a value in 30-s4u2proxy.update. The update was
> >> failing to apply.
> >>
> >> I also noticed that FQDN wasn't being set properly in all cases in
> >> sub_dict. This should fix it.
> >>
> >> rob
> >
> > This patch did not apply for me. I guess it depends on some other patch
> > that fixes wrong DN in s4u2proxy ipaAllowedTargets:
> >
> > -default: ipaAllowedTarget:
> > 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
> > +default: ipaAllowedTarget:
> > cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
> >
> > Current update file says:
> >
> > default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
> >
> > which is a non-existent DN.
> >
> > Martin
> >
>
> It relies on patch 941

Yeah, that's the one.

I am now testing all the upgrade patches, but s4u2proxy does not work
for me yet on upgraded server instance (tested on F16). krb5kdc keeps
reporting decrypt errors:

/var/log/krb5kdc.log:
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
for , Decrypt integrity check failed
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
for , Decrypt integrity check failed

New installs on the same machine work though. I am still trying to find
out the root cause of this.

Martin
Re: [Freeipa-devel] [PATCH] 947 fix syntax in 30-s4u2proxy.update
Martin Kosek wrote:
> On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> > Remove quotes around a value in 30-s4u2proxy.update. The update was
> > failing to apply.
> >
> > I also noticed that FQDN wasn't being set properly in all cases in
> > sub_dict. This should fix it.
> >
> > rob
>
> This patch did not apply for me. I guess it depends on some other patch
> that fixes wrong DN in s4u2proxy ipaAllowedTargets:
>
> -default: ipaAllowedTarget:
> 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
> +default: ipaAllowedTarget:
> cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
>
> Current update file says:
>
> default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
>
> which is a non-existent DN.
>
> Martin

It relies on patch 941
Re: [Freeipa-devel] [PATCH] 947 fix syntax in 30-s4u2proxy.update
On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> Remove quotes around a value in 30-s4u2proxy.update. The update was
> failing to apply.
>
> I also noticed that FQDN wasn't being set properly in all cases in
> sub_dict. This should fix it.
>
> rob

This patch did not apply for me. I guess it depends on some other patch
that fixes wrong DN in s4u2proxy ipaAllowedTargets:

-default: ipaAllowedTarget:
'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
+default: ipaAllowedTarget:
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX

Current update file says:

default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'

which is a non-existent DN.

Martin
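
Review bot: the `-` line of this hunk expects the DN to already contain `cn=s4u2proxy`, while the update file quoted in the same message still has `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX`, so the hunk cannot apply to the tree as it stands. State the dependency on patch 941 in the patch description, or rebase so that the DN correction and the quote removal land in one change against the current file. Since `ipaAllowedTarget` controls which targets s4u2proxy delegation is allowed to reach, it would also help to confirm after the update runs that the stored value is the unquoted DN and that the entry it names exists.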