Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-11 Thread Andy Brittingham
Thanks! I will take a look at that.

Andy

On 1/9/17 8:37 AM, Youenn PIOLET wrote:
> Hey there,
> 
> I got the same issue after upgrading my servers to 4.4.0
> The problem comes from duplicate entries in :
> cn=permissions,cn=pbac,dc=example,dc=com
> 
> I think FreeIPA upgrade fails to create ACL on pbac specific entries,
> resulting in a conflict entry creation.
> 
> The problem is that SSSD on Ubuntu 14.04 is crashing when reading pbac
> where cn contains symbol "+".
> You should check if you got these conflict entries in
> cn=permissions,cn=pbac,dc=example,dc=com and remove them. 
> 
> Ubuntu authentication was working for me directly after the suppression.
> 
> Regards,
> 
> --
> Youenn Piolet
> piole...@gmail.com 
> 
> 2017-01-09 8:56 GMT+01:00 Jakub Hrozek :
> 
> On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote:
> > Sorry for the delay, was doing some troubleshooting.
> >
> > Here is what I know now:
> >
> > The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu
> > 14.04).
> >
> > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.
> >
> > Users in the admin group can't log into these hosts.
> >
> > I created a newadmins group and assigned a new user to it. When I add the
> > "User Administrator" role the new user can't log into the hosts with older
> > sssd.
> >
> > As soon as I delete the "User Administrator" role, new user has access
> > again.
> 
> So is it a role membership or a group membership that makes the
> difference?
> 
> >
> > I've pasted the last bit of logs from a sssd_domain log below. I'd be happy
> > to forward the entire log, or additional logs if they will be helpful.
> 
> The log only captures a user lookup, not a login, sorry..
> 
> (This might be expected if you log in e.g. with an SSH key, in which
> case journald should be the first thing to look at, at least to pinpoint
> which piece denied access..)
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> Go to http://freeipa.org for more info on the project



Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-09 Thread Youenn PIOLET
Hey there,

I got the same issue after upgrading my servers to 4.4.0
The problem comes from duplicate entries in :
cn=permissions,cn=pbac,dc=example,dc=com

I think FreeIPA upgrade fails to create ACL on pbac specific entries,
resulting in a conflict entry creation.

The problem is that SSSD on Ubuntu 14.04 is crashing when reading pbac
where cn contains symbol "+".
You should check if you got these conflict entries in
cn=permissions,cn=pbac,dc=example,dc=com and remove them.

Ubuntu authentication was working for me directly after the suppression.

Regards,

--
Youenn Piolet
piole...@gmail.com


2017-01-09 8:56 GMT+01:00 Jakub Hrozek :

> On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote:
> > Sorry for the delay, was doing some troubleshooting.
> >
> > Here is what I know now:
> >
> > The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu
> > 14.04).
> >
> > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.
> >
> > Users in the admin group can't log into these hosts.
> >
> > I created a newadmins group and assigned a new user to it. When I add the
> > "User Administrator" role the new user can't log into the hosts with older
> > sssd.
> >
> > As soon as I delete the "User Administrator" role, new user has access
> > again.
>
> So is it a role membership or a group membership that makes the
> difference?
>
> >
> > I've pasted the last bit of logs from a sssd_domain log below. I'd be happy
> > to forward the entire log, or additional logs if they will be helpful.
>
> The log only captures a user lookup, not a login, sorry..
>
> (This might be expected if you log in e.g. with an SSH key, in which
> case journald should be the first thing to look at, at least to pinpoint
> which piece denied access..)
>
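A worked version of the check Youenn describes above, as an added example that is not part of this thread or of FreeIPA's own tooling. 389-ds marks replication conflict entries with the nsds5ReplConflict attribute and appends "+nsuniqueid=..." to their RDN, which is where the "+" in the cn comes from. The script assumes the LDIF was collected first on an IPA server (after kinit) with something like `ldapsearch -Y GSSAPI -LLL -b cn=permissions,cn=pbac,dc=example,dc=com '(nsds5ReplConflict=*)' cn nsds5ReplConflict objectClass`; the sample LDIF embedded below is constructed, and the permission names and uniqueids in it are made up. The delete-versus-rename split follows the 389-ds conflict-resolution guidance: a conflict entry is only safe to delete while its original still exists, otherwise it is the sole copy of that permission and must be renamed back instead.

```python
"""Triage 389-ds replication-conflict entries under cn=permissions,cn=pbac.

Added example, not code from this thread or from FreeIPA. Input is LDIF as
returned by the (assumed) ldapsearch in the lead-in. Only delete a conflict
entry when its original DN still exists; if the original is gone, the
conflict copy is the only copy of that permission and must be renamed back.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample output: two conflict entries, one of which still has its
# original sibling and one which does not. Names and uniqueids are made up.
SAMPLE_LDIF = """\
dn: cn=System: Read User Addressbook Attributes,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read User Addressbook Attributes
objectClass: ipapermission

dn: cn=System: Read User Addressbook Attributes+nsuniqueid=66446001-1dd211b2-92a4c0ca-1b03d4ea,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read User Addressbook Attributes
nsds5ReplConflict: namingConflict cn=System: Read User Addressbook Attributes,c
 n=permissions,cn=pbac,dc=example,dc=com
objectClass: ipapermission

dn: cn=System: Manage Host Keytab+nsuniqueid=66446002-1dd211b2-92a4c0ca-1b03d4ea,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Manage Host Keytab
nsds5ReplConflict: namingConflict cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: ipapermission
"""

# RDN component 389-ds appends when it must keep two entries with the same DN.
CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+,", re.IGNORECASE)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfold ' '-continued lines, split records on
    blank lines. Base64 ('::') values do not occur here and are not handled."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def is_conflict(entry: Entry) -> bool:
    """Either marker is enough: the attribute, or the +nsuniqueid RDN."""
    return "nsds5ReplConflict" in entry or CONFLICT_RDN.search(entry["dn"][0]) is not None


def original_dn(entry: Entry) -> str:
    """DN the conflict entry was competing for: taken from the
    'namingConflict <dn>' value, else derived by stripping the uniqueid."""
    for value in entry.get("nsds5ReplConflict", []):
        kind, _, dn = value.partition(" ")
        if kind == "namingConflict" and dn:
            return dn
    return CONFLICT_RDN.sub(",", entry["dn"][0])


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (action, conflict_dn, original_dn) per conflict entry:
    'delete' when the original still exists, 'rename' when it does not."""
    present = {e["dn"][0].lower() for e in entries if not is_conflict(e)}
    plan = []
    for e in entries:
        if is_conflict(e):
            orig = original_dn(e)
            action = "delete" if orig.lower() in present else "rename"
            plan.append((action, e["dn"][0], orig))
    return plan


def render_commands(plan: List[Tuple[str, str, str]]) -> List[str]:
    """Shell lines to review before anything is run against the directory.
    Deletes are emitted as ldapdelete; renames are flagged, not scripted."""
    lines = []
    for action, conflict_dn, orig in plan:
        if action == "delete":
            lines.append(f"ldapdelete -Y GSSAPI '{conflict_dn}'")
        else:
            lines.append(f"# RENAME, do not delete (original missing): '{conflict_dn}' -> '{orig}'")
    return lines


if __name__ == "__main__":
    for line in render_commands(triage(parse_ldif(SAMPLE_LDIF))):
        print(line)
```

Run it against real ldapsearch output rather than the sample by reading the LDIF from a file; review the printed plan before executing any of it, and check the clients again only after the IPA servers' replicas agree on the container.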

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-09 Thread Jakub Hrozek
On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote:
> Sorry for the delay, was doing some troubleshooting.
> 
> Here is what I know now:
> 
> The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu
> 14.04).
> 
> SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.
> 
> Users in the admin group can't log into these hosts.
> 
> I created a newadmins group and assigned a new user to it. When I add the
> "User Administrator" role the new user can't log into the hosts with older
> sssd.
> 
> As soon as I delete the "User Administrator" role, new user has access
> again.

So is it a role membership or a group membership that makes the
difference?

> 
> I've pasted the last bit of logs from a sssd_domain log below. I'd be happy
> to forward the entire log, or additional logs if they will be helpful.

The log only captures a user lookup, not a login, sorry..

(This might be expected if you log in e.g. with an SSH key, in which
case journald should be the first thing to look at, at least to pinpoint
which piece denied access..)



Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Andy Brittingham

Sorry for the delay, was doing some troubleshooting.

Here is what I know now:

The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu
14.04).

SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.

Users in the admin group can't log into these hosts.

I created a newadmins group and assigned a new user to it. When I add
the "User Administrator" role the new user can't log into the hosts with
older sssd.

As soon as I delete the "User Administrator" role, new user has access
again.

I've pasted the last bit of logs from a sssd_domain log below. I'd be
happy to forward the entire log, or additional logs if they will be helpful.

Andy


(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1b47990], connected[1], ops[0x1b59ab0], ldap[0x1b2b030]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [groups_by_user_done] (0x0040): Failed to canonicalize name, using [rob].
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=rob))
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_groups] (0x2000): No such entry
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1b47990], connected[1], ops[(nil)], ldap[0x1b2b030]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=monetra]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [be_req_set_domain] (0x0400): Changing request domain from [monetra.com] to [monetra.com]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=monetra,dc=com]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=monetra)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=monetra,dc=com].
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Fri Jan  6 10:00:15 

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Jakub Hrozek
On Fri, Jan 06, 2017 at 09:01:12AM -0500, Andy Brittingham wrote:
> Hi,
> 
> I upgraded my Freeipa servers to 4.4.0-14 on CentOS 7 yesterday. None of my
> Ubuntu clients with versions < 16.04 (sssd version 1.13.4) can authenticate
> against the upgraded servers. It appears the problem is the version of sssd
> that is installed in the earlier Ubuntu versions. Is this a known issue and
> does anyone know of a workaround for this? The sssd package in the PPA repo
> for 14.04 (1.12.5-1~trusty) didn't fix the issue.

What do the sssd logs say?



[Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Andy Brittingham

Hi,

I upgraded my Freeipa servers to 4.4.0-14 on CentOS 7 yesterday. None of
my Ubuntu clients with versions < 16.04 (sssd version 1.13.4) can
authenticate against the upgraded servers. It appears the problem is the
version of sssd that is installed in the earlier Ubuntu versions. Is
this a known issue and does anyone know of a workaround for this? The
sssd package in the PPA repo for 14.04 (1.12.5-1~trusty) didn't fix the
issue.



Thanks,

Andy

