Re: [Freeipa-devel] [PATCH] 947 fix synxtax in 30-s4u2proxy.update

2012-02-15 Thread Martin Kosek
On Wed, 2012-02-15 at 11:23 +0100, Martin Kosek wrote:
> On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> > >> Remove quotes around a value in 30-s4u2proxy.update. The update was
> > >> failing to apply.
> > >>
> > >> I also noticed that FQDN wasn't being set properly in all cases in
> > >> sub_dict. This should fix it.
> > >>
> > >> rob
> > >
> > > This patch did not apply for me. I guess it depends on some other patch
> > > that fixes wrong DN in s4u2proxy ipaAllowedTargets:
> > >
> > > -default: ipaAllowedTarget: 
> > > 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
> > > +default: ipaAllowedTarget: 
> > > cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
> > >
> > > Current update file says:
> > >
> > > default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
> > >
> > > which is a non-existent DN.
> > >
> > > Martin
> > >
> > 
> > It relies on patch 941
> 
> Yeah, that's the one.
> 
> I am now testing all the upgrade patches, but s4u2proxy does not work
> for me yet on upgraded server instance (tested on F16). krb5kdc keeps
> reporting decrypt errors:
> 
> /var/log/krb5kdc.log:
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
>  for , Decrypt integrity check failed
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
>  for , Decrypt integrity check failed
> 
> New installs on the same machine work though. I am still trying to find
> out the root cause of this.
> 
> Martin
> 

Ok, we found out the root cause. The problem was that Apache CCACHE from
previous install was not removed. Rob's patch 949 fixes that.

ACK for this patch. Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
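
The defect this patch fixes, a DN value wrapped in quotes in an update file, can be caught before an upgrade run. The following is an added example, not code from the thread or from FreeIPA; `lint_update`, `looks_like_dn`, the directive keywords other than `default`, and the sample `dn:` line are assumptions made for illustration.

```python
import re

# Directive keywords are an assumption for this example; only "default"
# appears in the thread.
DIRECTIVE = re.compile(r"^(default|add|remove|only|replace)\s*:\s*([\w;-]+)\s*:\s*(.*)$")
RDN = re.compile(r"[A-Za-z][\w-]*=[^,=]+")      # simplified attr=value component
VARIABLE = re.compile(r"\$\w+")                 # template variable such as $SUFFIX


def looks_like_dn(value):
    """True when every comma-separated component is attr=value or a $VARIABLE."""
    parts = [p.strip() for p in value.split(",")]
    return all(RDN.fullmatch(p) or VARIABLE.fullmatch(p) for p in parts)


def lint_update(text):
    """Return (line number, attribute, message) for each quoted DN value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line.strip())
        if not m:
            continue
        _keyword, attr, value = m.groups()
        value = value.strip()
        quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "'\""
        if quoted and looks_like_dn(value[1:-1]):
            findings.append((lineno, attr, "DN value is wrapped in quotes"))
    return findings


# Constructed sample: the dn: line is made up; the two default: lines are the
# before/after values quoted in the thread.
SAMPLE = """\
dn: cn=example-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
default: ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
"""

if __name__ == "__main__":
    for lineno, attr, message in lint_update(SAMPLE):
        print(f"line {lineno}: {attr}: {message}")
```

Quoted values that are not DN-shaped, such as a free-text description, are left alone, so the check only reports the case discussed in this thread.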


Re: [Freeipa-devel] [PATCH] 947 fix synxtax in 30-s4u2proxy.update

2012-02-15 Thread Rob Crittenden

Martin Kosek wrote:
> On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> > > > Remove quotes around a value in 30-s4u2proxy.update. The update was
> > > > failing to apply.
> > > >
> > > > I also noticed that FQDN wasn't being set properly in all cases in
> > > > sub_dict. This should fix it.
> > > >
> > > > rob
> > >
> > > This patch did not apply for me. I guess it depends on some other patch
> > > that fixes wrong DN in s4u2proxy ipaAllowedTargets:

-default: ipaAllowedTarget: 
'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
+default: ipaAllowedTarget: 
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX

> > > Current update file says:
> > >
> > > default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
> > >
> > > which is a non-existent DN.
> > >
> > > Martin
> >
> > It relies on patch 941
>
> Yeah, that's the one.
>
> I am now testing all the upgrade patches, but s4u2proxy does not work
> for me yet on upgraded server instance (tested on F16). krb5kdc keeps
> reporting decrypt errors:
>
> /var/log/krb5kdc.log:
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
>   for, Decrypt integrity check failed
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
>   for, Decrypt integrity check failed
>
> New installs on the same machine work though. I am still trying to find
> out the root cause of this.
>
> Martin



Turned out a stale Apache ccache was in /tmp. I've created a new ticket 
and patch for that.


Martin also noticed that allowedTargets wasn't being set properly on new 
installs. Updated patch attached.


rob


freeipa-rcrit-947-2-upgrade.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 947 fix synxtax in 30-s4u2proxy.update

2012-02-15 Thread Martin Kosek
On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> >> Remove quotes around a value in 30-s4u2proxy.update. The update was
> >> failing to apply.
> >>
> >> I also noticed that FQDN wasn't being set properly in all cases in
> >> sub_dict. This should fix it.
> >>
> >> rob
> >
> > This patch did not apply for me. I guess it depends on some other patch
> > that fixes wrong DN in s4u2proxy ipaAllowedTargets:
> >
> > -default: ipaAllowedTarget: 
> > 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
> > +default: ipaAllowedTarget: 
> > cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
> >
> > Current update file says:
> >
> > default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
> >
> > which is a non-existent DN.
> >
> > Martin
> >
> 
> It relies on patch 941

Yeah, that's the one.

I am now testing all the upgrade patches, but s4u2proxy does not work
for me yet on upgraded server instance (tested on F16). krb5kdc keeps
reporting decrypt errors:

/var/log/krb5kdc.log:
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
 for , Decrypt integrity check failed
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
 for , Decrypt integrity check failed

New installs on the same machine work though. I am still trying to find
out the root cause of this.

Martin



Re: [Freeipa-devel] [PATCH] 947 fix synxtax in 30-s4u2proxy.update

2012-02-14 Thread Rob Crittenden

Martin Kosek wrote:
> On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> > Remove quotes around a value in 30-s4u2proxy.update. The update was
> > failing to apply.
> >
> > I also noticed that FQDN wasn't being set properly in all cases in
> > sub_dict. This should fix it.
> >
> > rob
>
> This patch did not apply for me. I guess it depends on some other patch
> that fixes wrong DN in s4u2proxy ipaAllowedTargets:

-default: ipaAllowedTarget: 
'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
+default: ipaAllowedTarget: 
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX

> Current update file says:
>
> default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
>
> which is a non-existent DN.
>
> Martin



It relies on patch 941



Re: [Freeipa-devel] [PATCH] 947 fix synxtax in 30-s4u2proxy.update

2012-02-14 Thread Martin Kosek
On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> Remove quotes around a value in 30-s4u2proxy.update. The update was 
> failing to apply.
> 
> I also noticed that FQDN wasn't being set properly in all cases in 
> sub_dict. This should fix it.
> 
> rob

This patch did not apply for me. I guess it depends on some other patch
that fixes wrong DN in s4u2proxy ipaAllowedTargets:

-default: ipaAllowedTarget: 
'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
+default: ipaAllowedTarget: 
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
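
Review bot: the removed line's DN includes cn=s4u2proxy, but the line quoted below from the current update file reads cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX, so this hunk has nothing to match on a tree without the DN correction. Either name the prerequisite patch in the patch description or fold the DN correction into this change so it applies on its own.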

Current update file says:

default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'

which is a non-existent DN.

Martin
