Re: [Freeipa-users] Migration mode fun and confusion
On 03/31/2015 04:50 PM, Janelle wrote:
>
> On 3/31/15 6:49 AM, Dmitri Pal wrote:
>> On 03/31/2015 09:38 AM, Janelle wrote:
>>> Hello again,
>>>
>>> Is this a feature or a bug?
>>>
>>> Migration mode - works fine the first time. However, if you need to run it a
>>> second time because someone added either new users or groups to your LDAP
>>> config and you want to bring those over, if you re-run migration, it indeed
>>> brings all the new users over, but NOT their secondary groups, only primary.
>>> And even if you have overwrite of the GID option set.
>>>
>>> Would this be expected for some reason that I may be missing, or is it a
>>> bug?
>>>
>>> Thank you
>>> ~J
>>>
>> Let me know if I get you right.
> That's it exactly.
> Ok - Bug.
> :-)

I am personally not convinced this is a bug. As Rob mentioned, this is a
migration solution, not sync. So what likely happens is that you add new
memberships to already-migrated groups (i.e. member attribute in group
object), which are then not migrated as they are already present in the
FreeIPA. So if anything, I would call it an RFE, for allowing overwriting
the memberships for existing groups...

>
>> Setup:
>> - Old LDAP server
>> - IPA
>>
>> Users are migrated from LDAP to IPA using migrate-ds.
>> Everything works as expected
>> Now you add users to LDAP and put them into some groups (that were
>> already migrated the first time, right?)
>> You run migrate-ds again and the new users are migrated but group
>> membership is lost.
>>
>> Is this the scenario?
>> If yes, looks like a bug.
>>
>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
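The reply above explains the mechanism: a second migrate-ds run skips groups that already exist in IPA, so any member attribute added on the old server after the first run never arrives. Until such an RFE exists, an admin can find those memberships with a dry-run diff. The script below is an added example written for this page; it is not code from the thread, from migrate-ds, or from FreeIPA. It takes an LDIF export of the source groups and an LDIF export of the IPA groups (both constructed inline here, using an assumed base DN of dc=example,dc=test, posixGroup/memberUid on the source side and IPA's member DNs under cn=users,cn=accounts), lists the (group, uid) pairs present on the source but missing in IPA for groups that exist on both sides, and renders them as an ldapmodify change set for review. It changes nothing on any server.

```python
"""Dry-run diff of group memberships: source LDAP export vs. IPA export.

Added example, not FreeIPA or migrate-ds code.  Assumptions (constructed):
source groups are posixGroup with memberUid; IPA groups live under
cn=groups,cn=accounts and reference users by DN under cn=users,cn=accounts;
base DN is dc=example,dc=test.
"""
import re

BASE_DN = "dc=example,dc=test"

# Constructed sample export of the old LDAP server's groups.
SOURCE_LDIF = """
dn: cn=admins,ou=groups,dc=example,dc=test
objectClass: posixGroup
cn: admins
gidNumber: 1001
memberUid: alice
memberUid: bob

dn: cn=devs,ou=groups,dc=example,dc=test
objectClass: posixGroup
cn: devs
gidNumber: 1002
memberUid: alice
memberUid: carol
memberUid: dave

dn: cn=newgroup,ou=groups,dc=example,dc=test
objectClass: posixGroup
cn: newgroup
gidNumber: 1003
memberUid: dave
"""

# Constructed sample export of IPA after the first migrate-ds run: carol and
# dave joined 'devs' on the old server afterwards, 'newgroup' is new.
IPA_LDIF = """
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
cn: admins
gidNumber: 1001
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
member: uid=bob,cn=users,cn=accounts,dc=example,dc=test

dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
cn: devs
gidNumber: 1002
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
"""


def parse_ldif(text):
    """Minimal LDIF reader -> list of (dn, {attr: [values]}).
    Unfolds continuation lines and skips '#' comments; attribute names are
    lower-cased.  Base64 ('::') values are not decoded (not needed here)."""
    entries, current = [], None
    for raw in re.sub(r"\n ", "", text).splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def source_memberships(entries):
    """{group cn: set of uids} from posixGroup memberUid values."""
    return {attrs["cn"][0]: set(attrs.get("memberuid", []))
            for _dn, attrs in entries if "cn" in attrs}


def ipa_memberships(entries):
    """{group cn: set of uids} from IPA member DNs that point at users.
    Nested-group members (DNs under cn=groups) are deliberately ignored."""
    user_dn = re.compile(r"^uid=([^,]+),cn=users,cn=accounts,", re.IGNORECASE)
    result = {}
    for _dn, attrs in entries:
        if "cn" in attrs:
            matches = map(user_dn.match, attrs.get("member", []))
            result[attrs["cn"][0]] = {m.group(1) for m in matches if m}
    return result


def missing_memberships(source, ipa):
    """Sorted (group, uid) pairs on the source but absent in IPA.  Groups not
    yet in IPA are skipped: migrate-ds creates those, with members, itself."""
    return sorted((group, uid) for group, uids in source.items()
                  if group in ipa for uid in uids - ipa[group])


def to_ldif(missing, base_dn=BASE_DN):
    """Render the missing memberships as ldapmodify change records."""
    by_group = {}
    for group, uid in missing:
        by_group.setdefault(group, []).append(uid)
    records = []
    for group in sorted(by_group):
        lines = [f"dn: cn={group},cn=groups,cn=accounts,{base_dn}",
                 "changetype: modify", "add: member"]
        lines += [f"member: uid={uid},cn=users,cn=accounts,{base_dn}"
                  for uid in by_group[group]]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def run_example():
    """Diff the two constructed exports and return the LDIF to review."""
    missing = missing_memberships(source_memberships(parse_ldif(SOURCE_LDIF)),
                                  ipa_memberships(parse_ldif(IPA_LDIF)))
    return to_ldif(missing)


if __name__ == "__main__":
    print(run_example(), end="")
```

On the constructed data the output is a single change record for cn=devs adding carol and dave; admins is untouched and newgroup is left for migrate-ds. The diff is deliberately one-directional (it never proposes removals), so applying it cannot revoke access; it only restores memberships that exist on the system of record. After review an admin would apply it with ldapmodify (for instance `ldapmodify -Y GSSAPI -f missing.ldif`) or equivalently with `ipa group-add-member devs --users=carol`.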
Re: [Freeipa-users] Migration mode fun and confusion
On 03/31/2015 10:50 AM, Janelle wrote:
> On 3/31/15 6:49 AM, Dmitri Pal wrote:
>> On 03/31/2015 09:38 AM, Janelle wrote:
>>> Hello again,
>>>
>>> Is this a feature or a bug?
>>>
>>> Migration mode - works fine the first time. However, if you need to run it a
>>> second time because someone added either new users or groups to your LDAP
>>> config and you want to bring those over, if you re-run migration, it indeed
>>> brings all the new users over, but NOT their secondary groups, only primary.
>>> And even if you have overwrite of the GID option set.
>>>
>>> Would this be expected for some reason that I may be missing, or is it a
>>> bug?
>>>
>>> Thank you
>>> ~J
>>>
>> Let me know if I get you right.
> That's it exactly.
> Ok - Bug.

Looks like it. You know what to do :-)

> :-)
>> Setup:
>> - Old LDAP server
>> - IPA
>>
>> Users are migrated from LDAP to IPA using migrate-ds.
>> Everything works as expected
>> Now you add users to LDAP and put them into some groups (that were
>> already migrated the first time, right?)
>> You run migrate-ds again and the new users are migrated but group
>> membership is lost.
>>
>> Is this the scenario?
>> If yes, looks like a bug.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Migration mode fun and confusion
On 3/31/15 6:49 AM, Dmitri Pal wrote:
> On 03/31/2015 09:38 AM, Janelle wrote:
>> Hello again,
>>
>> Is this a feature or a bug?
>>
>> Migration mode - works fine the first time. However, if you need to run it a
>> second time because someone added either new users or groups to your LDAP
>> config and you want to bring those over, if you re-run migration, it indeed
>> brings all the new users over, but NOT their secondary groups, only primary.
>> And even if you have overwrite of the GID option set.
>>
>> Would this be expected for some reason that I may be missing, or is it a
>> bug?
>>
>> Thank you
>> ~J
>>
> Let me know if I get you right.

That's it exactly.
Ok - Bug.
:-)

> Setup:
> - Old LDAP server
> - IPA
>
> Users are migrated from LDAP to IPA using migrate-ds.
> Everything works as expected
> Now you add users to LDAP and put them into some groups (that were
> already migrated the first time, right?)
> You run migrate-ds again and the new users are migrated but group
> membership is lost.
>
> Is this the scenario?
> If yes, looks like a bug.
Re: [Freeipa-users] Migration mode fun and confusion
Dmitri Pal wrote:
> On 03/31/2015 09:38 AM, Janelle wrote:
>> Hello again,
>>
>> Is this a feature or a bug?
>>
>> Migration mode - works fine the first time. However, if you need to
>> run it a second time because someone added either new users or groups
>> to your LDAP config and you want to bring those over, if you re-run
>> migration, it indeed brings all the new users over, but NOT their
>> secondary groups, only primary. And even if you have overwrite of the
>> GID option set.
>>
>> Would this be expected for some reason that I may be missing, or is it
>> a bug?
>>
>> Thank you
>> ~J
>>
> Let me know if I get you right.
>
> Setup:
> - Old LDAP server
> - IPA
>
> Users are migrated from LDAP to IPA using migrate-ds.
> Everything works as expected
> Now you add users to LDAP and put them into some groups (that were
> already migrated the first time, right?)
> You run migrate-ds again and the new users are migrated but group
> membership is lost.
>
> Is this the scenario?
> If yes, looks like a bug.

I agree. IIRC it only looks at new entries, not at changes to existing
entries (this is migration after all, not sync). Changes in group
membership are overlooked.

Bringing in new users and looking up their groups probably wouldn't be a
big deal. Re-syncing all group memberships would likely be VERY expensive.

rob
Re: [Freeipa-users] Migration mode fun and confusion
On 03/31/2015 09:38 AM, Janelle wrote:
> Hello again,
>
> Is this a feature or a bug?
>
> Migration mode - works fine the first time. However, if you need to run it a
> second time because someone added either new users or groups to your LDAP
> config and you want to bring those over, if you re-run migration, it indeed
> brings all the new users over, but NOT their secondary groups, only primary.
> And even if you have overwrite of the GID option set.
>
> Would this be expected for some reason that I may be missing, or is it a
> bug?
>
> Thank you
> ~J
>

Let me know if I get you right.

Setup:
- Old LDAP server
- IPA

Users are migrated from LDAP to IPA using migrate-ds.
Everything works as expected
Now you add users to LDAP and put them into some groups (that were
already migrated the first time, right?)
You run migrate-ds again and the new users are migrated but group
membership is lost.

Is this the scenario?
If yes, looks like a bug.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] Migration mode fun and confusion
Hello again,

Is this a feature or a bug?

Migration mode - works fine the first time. However, if you need to run it a
second time because someone added either new users or groups to your LDAP
config and you want to bring those over, if you re-run migration, it indeed
brings all the new users over, but NOT their secondary groups, only primary.
And even if you have overwrite of the GID option set.

Would this be expected for some reason that I may be missing, or is it a
bug?

Thank you
~J
Re: [Freeipa-users] Migration mode
2014-03-13 18:00 GMT+01:00 Lukas Slebodnik:
> On (13/03/14 14:51), Jitse Klomp wrote:
>> 2014-03-11 16:15 GMT+01:00 Jitse Klomp:
>>> On 03/11/2014 03:06 PM, Sumit Bose wrote:
>>>> On Mon, Mar 10, 2014 at 11:09:48PM +0100, Jitse Klomp wrote:
>>>>> On 10-03-14 22:06, Sumit Bose wrote:
>>>>>> Thank you. Maybe there is a change in return codes between MIT Kerberos
>>>>>> 1.10 (Centos 6) and 1.11 (F20, RHEL7). Can you try to run
>>>>>>
>>>>>> KRB5_TRACE=/dev/stdout kinit unmigrated_u...@domain.nl
>>>>>>
>>>>>> on the different platforms and paste the results? I would expect to see
>>>>>> [Preauthentication failed] on Centos6 and [Program lacks support for
>>>>>> encryption type] on F10 or RHEL7.
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>
>>>>> http://pastebin.centos.org/8336/
>>>>> Top one is CentOS, bottom one Fedora. Output on RHEL7 is the same as
>>>>> on Fedora.
>>>>
>>>> Thank you for your patience. I was able to reproduce and fix the issue.
>>>> Do you want a scratch build for F20 or can you wait for the official
>>>> packages?
>>>>
>>>> bye,
>>>> Sumit
>>>
>>> Great! Thanks! Do you know how long it will take for the fix to land in
>>> the official packages?
>>>
>>> - Jitse
>>
>> A scratch build would be nice too, I need to do some more testing on
>> Fedora...
>>
>> - Jitse
>
> Upstream SSSD ticket: https://fedorahosted.org/sssd/ticket/2279
>
> Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=6630169
>
> x86_64 packages from scratch build:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=6630174

Brilliant! Thanks for the help!

- Jitse

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration mode
On (13/03/14 14:51), Jitse Klomp wrote:
> 2014-03-11 16:15 GMT+01:00 Jitse Klomp:
>> On 03/11/2014 03:06 PM, Sumit Bose wrote:
>>> On Mon, Mar 10, 2014 at 11:09:48PM +0100, Jitse Klomp wrote:
>>>> On 10-03-14 22:06, Sumit Bose wrote:
>>>>> Thank you. Maybe there is a change in return codes between MIT Kerberos
>>>>> 1.10 (Centos 6) and 1.11 (F20, RHEL7). Can you try to run
>>>>>
>>>>> KRB5_TRACE=/dev/stdout kinit unmigrated_u...@domain.nl
>>>>>
>>>>> on the different platforms and paste the results? I would expect to see
>>>>> [Preauthentication failed] on Centos6 and [Program lacks support for
>>>>> encryption type] on F10 or RHEL7.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>
>>>> http://pastebin.centos.org/8336/
>>>> Top one is CentOS, bottom one Fedora. Output on RHEL7 is the same as
>>>> on Fedora.
>>>
>>> Thank you for your patience. I was able to reproduce and fix the issue.
>>> Do you want a scratch build for F20 or can you wait for the official
>>> packages?
>>>
>>> bye,
>>> Sumit
>>
>> Great! Thanks! Do you know how long it will take for the fix to land in
>> the official packages?
>>
>> - Jitse
>
> A scratch build would be nice too, I need to do some more testing on
> Fedora...
>
> - Jitse

Upstream SSSD ticket: https://fedorahosted.org/sssd/ticket/2279

Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=6630169

x86_64 packages from scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=6630174

LS
Re: [Freeipa-users] Migration mode
2014-03-11 16:15 GMT+01:00 Jitse Klomp:
> On 03/11/2014 03:06 PM, Sumit Bose wrote:
>> On Mon, Mar 10, 2014 at 11:09:48PM +0100, Jitse Klomp wrote:
>>> On 10-03-14 22:06, Sumit Bose wrote:
>>>> Thank you. Maybe there is a change in return codes between MIT Kerberos
>>>> 1.10 (Centos 6) and 1.11 (F20, RHEL7). Can you try to run
>>>>
>>>> KRB5_TRACE=/dev/stdout kinit unmigrated_u...@domain.nl
>>>>
>>>> on the different platforms and paste the results? I would expect to see
>>>> [Preauthentication failed] on Centos6 and [Program lacks support for
>>>> encryption type] on F10 or RHEL7.
>>>>
>>>> bye,
>>>> Sumit
>>>
>>> http://pastebin.centos.org/8336/
>>> Top one is CentOS, bottom one Fedora. Output on RHEL7 is the same as
>>> on Fedora.
>>
>> Thank you for your patience. I was able to reproduce and fix the issue.
>> Do you want a scratch build for F20 or can you wait for the official
>> packages?
>>
>> bye,
>> Sumit
>
> Great! Thanks! Do you know how long it will take for the fix to land in
> the official packages?
>
> - Jitse

A scratch build would be nice too, I need to do some more testing on
Fedora...

- Jitse
Re: [Freeipa-users] Migration mode
On 03/11/2014 03:06 PM, Sumit Bose wrote:
> On Mon, Mar 10, 2014 at 11:09:48PM +0100, Jitse Klomp wrote:
>> On 10-03-14 22:06, Sumit Bose wrote:
>>> Thank you. Maybe there is a change in return codes between MIT Kerberos
>>> 1.10 (Centos 6) and 1.11 (F20, RHEL7). Can you try to run
>>>
>>> KRB5_TRACE=/dev/stdout kinit unmigrated_u...@domain.nl
>>>
>>> on the different platforms and paste the results? I would expect to see
>>> [Preauthentication failed] on Centos6 and [Program lacks support for
>>> encryption type] on F10 or RHEL7.
>>>
>>> bye,
>>> Sumit
>>
>> http://pastebin.centos.org/8336/
>> Top one is CentOS, bottom one Fedora. Output on RHEL7 is the same as
>> on Fedora.
>
> Thank you for your patience. I was able to reproduce and fix the issue.
> Do you want a scratch build for F20 or can you wait for the official
> packages?
>
> bye,
> Sumit

Great! Thanks! Do you know how long it will take for the fix to land in
the official packages?

- Jitse
Re: [Freeipa-users] Migration mode
On Mon, Mar 10, 2014 at 11:09:48PM +0100, Jitse Klomp wrote:
> On 10-03-14 22:06, Sumit Bose wrote:
>> Thank you. Maybe there is a change in return codes between MIT Kerberos
>> 1.10 (Centos 6) and 1.11 (F20, RHEL7). Can you try to run
>>
>> KRB5_TRACE=/dev/stdout kinit unmigrated_u...@domain.nl
>>
>> on the different platforms and paste the results? I would expect to see
>> [Preauthentication failed] on Centos6 and [Program lacks support for
>> encryption type] on F10 or RHEL7.
>>
>> bye,
>> Sumit
>
> http://pastebin.centos.org/8336/
> Top one is CentOS, bottom one Fedora. Output on RHEL7 is the same as
> on Fedora.

Thank you for your patience. I was able to reproduce and fix the issue.
Do you want a scratch build for F20 or can you wait for the official
packages?

bye,
Sumit

>
> - Jitse
Re: [Freeipa-users] Migration mode
On 10-03-14 22:06, Sumit Bose wrote:
> Thank you. Maybe there is a change in return codes between MIT Kerberos
> 1.10 (Centos 6) and 1.11 (F20, RHEL7). Can you try to run
>
> KRB5_TRACE=/dev/stdout kinit unmigrated_u...@domain.nl
>
> on the different platforms and paste the results? I would expect to see
> [Preauthentication failed] on Centos6 and [Program lacks support for
> encryption type] on F10 or RHEL7.
>
> bye,
> Sumit

http://pastebin.centos.org/8336/
Top one is CentOS, bottom one Fedora. Output on RHEL7 is the same as
on Fedora.

- Jitse
Re: [Freeipa-users] Migration mode
On Mon, 2014-03-10 at 21:47 +0100, Lukas Slebodnik wrote:
>>> Output of ldapsearch *after* logging in to CentOS for the first
>>> time:
>>> krbPasswordExpiration: 20140310183603Z
>>> krbLastPwdChange: 20140310183603Z
> Why is the password expiration the same as the last password change?
>

This is normal when an admin performs a password reset, it is used to
force the user to change the password on first login.
Not sure this is the case, as migration code is involved, so I am not
sure why it is happening in this case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Migration mode
On (10/03/14 21:47), Lukas Slebodnik wrote:
> On (10/03/14 15:14), Rob Crittenden wrote:
>> Jitse Klomp wrote:
>>> On 10-03-14 18:57, Sumit Bose wrote:
>>>> On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
>>>>> On 10-03-14 17:03, Lukas Slebodnik wrote:
>>>>>> On (10/03/14 16:58), Lukas Slebodnik wrote:
>>>>>>> On (10/03/14 16:35), Jitse Klomp wrote:
>>>>>>>> On 10-03-14 16:10, Lukas Slebodnik wrote:
>>>>>>>>> On (10/03/14 15:19), Jitse Klomp wrote:
>>>>>>>>>> On 10-03-14 14:59, Jitse Klomp wrote:
>>>>>>>>>>> On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>>>>>>>>>> On (10/03/14 13:55), Jitse Klomp wrote:
>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>>>>>>>>>> migrate-ds I used some custom scripts to import all of our users (~250)
>>>>>>>>>>>>> and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>>>>>>>>>> passwords I configured the ipa-server to run in migration mode and did
>>>>>>>>>>>>> an ldapmodify like this:
>>>>>>>>>>>>>
>>>>>>>>>>>>> dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>>> replace: userPassword
>>>>>>>>>>>>> userPassword: {SHA}hash
>>>>>>>>>>>>>
>>>>>>>>>>>>> Logging in to a machine running CentOS and ipa-client for the first time
>>>>>>>>>>>>> works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>>>>>>>>>>> works. However, logging in to Fedora 20 for the first time throws a
>>>>>>>>>>>>> 'permission denied'. Logging in to Fedora works after logging in to
>>>>>>>>>>>>> CentOS or the IPA migration web ui.
>>>>>>>>>>>>>
>>>>>>>>>>>>> sssd_domain.nl.log, loglevel 6
>>>>>>>>>>>>> Fedora log: http://pastebin.centos.org/8281/
>>>>>>>>>>>>> CentOS log: http://pastebin.centos.org/8286/
>>>>>>>>>>>>>
>>>>>>>>>>>>> Additional details:
>>>>>>>>>>>>> IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>>>>>>>>>> Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>>>>>>>>>> Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>>>>>>>>>> (Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>>>>>>>>>>>   (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>>>> (Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>>>>>>>>>>>   (0x0400): All data has been sent!
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>>>>>>>>>>>   (0x0400): EOF received, client finished
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>>   (0x0100): Backend returned: (0, 4, ) [Success]
>>>>>>>>>>>>                                   ^^^
>>>>>>>>>>>>                                   It means PAM_SYSTEM_ERR /* System error */
>>>>>>>>>>>>
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>>   (0x0100): Sending result [4][domain.nl]
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>>   (0x0100): Sent result [4][domain.nl]
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>>>>>>>>>>>   (0x0100): child [19510] finished successfully.
>>>>>>>>>>>>
>>>>>>>>>>>>> Both CentOS and Fedora are fully up-to-date using only the base
>>>>>>>>>>>>> repos. Config of the clients is done with ipa-client-install.
>>>>>>>>>>>>>
>>>>>>>>>>>> Could you attach log files with debug_level 9?
>>>>>>>>>>>>
>>>>>>>>>>>> LS
>>>>>>>>>>>>
>>>>>>>>>>> Sure. Just sssd_domain or do you need more?
>>>>>>>>>>>
>>>>>>>>> Are you using two different ipa servers?
>>>>>>>>> ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>>>>>>>>>
>>>>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>>>>> Fedora: http://pastebin.centos.org/8291/
>>>>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>
>>>>>>>>>> CentOS: http://pastebin.centos.org/8296/
>>>>>>>>> Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> - Jitse
>>>>>>>>>>
>>>>>>>>
>>>>>>>> The problem is also present in RHEL7b with
>>>>>>>> ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>>>>>>>
>>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>>> RHEL7b: http://pastebin.centos.org/8301/
>>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>
>>>>>>> Could you also provide krb5_child.log and ldap_child.log from fedora
>>>>>>> machine?
>>>>>>>   (debug_level 9)
>>>>>>>
>>>>>>> LS
>>>>>>>
>>>>> No, I'm using only one ipa server (vm-ipa). I accidentally copy-pasted
>>>>> without changing the domain name ;)
>>>>>
>>>>>> Any chance you could use the migrate-ds script to migrate users? I'm
>>>>>> not 100% sure if your own upgrade method does the same
Re: [Freeipa-users] Migration mode
On Mon, Mar 10, 2014 at 09:10:01PM +0100, Jitse Klomp wrote:
> On 10-03-14 20:34, Sumit Bose wrote:
>> On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote:
>>> On 10-03-14 18:57, Sumit Bose wrote:
>>>> On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
>>>>> On 10-03-14 17:03, Lukas Slebodnik wrote:
>>>>>> On (10/03/14 16:58), Lukas Slebodnik wrote:
>>>>>>> On (10/03/14 16:35), Jitse Klomp wrote:
>>>>>>>> On 10-03-14 16:10, Lukas Slebodnik wrote:
>>>>>>>>> On (10/03/14 15:19), Jitse Klomp wrote:
>>>>>>>>>> On 10-03-14 14:59, Jitse Klomp wrote:
>>>>>>>>>>> On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>>>>>>>>>> On (10/03/14 13:55), Jitse Klomp wrote:
>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of
>>>>>>>>>>>>> using migrate-ds I used some custom scripts to import all of our
>>>>>>>>>>>>> users (~250) and groups (~85) with IPA commands (ipa user-add
>>>>>>>>>>>>> etc.). To move passwords I configured the ipa-server to run in
>>>>>>>>>>>>> migration mode and did an ldapmodify like this:
>>>>>>>>>>>>>
>>>>>>>>>>>>> dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>>> replace: userPassword
>>>>>>>>>>>>> userPassword: {SHA}hash
>>>>>>>>>>>>>
>>>>>>>>>>>>> Logging in to a machine running CentOS and ipa-client for the
>>>>>>>>>>>>> first time works like a charm, a krbPrincipalKey is generated and
>>>>>>>>>>>>> Kerberos 'just' works. However, logging in to Fedora 20 for the
>>>>>>>>>>>>> first time throws a 'permission denied'. Logging in to Fedora
>>>>>>>>>>>>> works after logging in to CentOS or the IPA migration web ui.
>>>>>>>>>>>>>
>>>>>>>>>>>>> sssd_domain.nl.log, loglevel 6
>>>>>>>>>>>>> Fedora log: http://pastebin.centos.org/8281/
>>>>>>>>>>>>> CentOS log: http://pastebin.centos.org/8286/
>>>>>>>>>>>>>
>>>>>>>>>>>>> Additional details:
>>>>>>>>>>>>> IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>>>>>>>>>> Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>>>>>>>>>> Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>>>>>>>>>> (Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>>>>>>>>>>>   (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>>>> (Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>>>>>>>>>>>   (0x0400): All data has been sent!
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>>>>>>>>>>>   (0x0400): EOF received, client finished
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>>   (0x0100): Backend returned: (0, 4, ) [Success]
>>>>>>>>>>>>                                   ^^^
>>>>>>>>>>>>                                   It means PAM_SYSTEM_ERR /* System error */
>>>>>>>>>>>>
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>>   (0x0100): Sending result [4][domain.nl]
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>>   (0x0100): Sent result [4][domain.nl]
>>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>>>>>>>>>>>   (0x0100): child [19510] finished successfully.
>>>>>>>>>>>>
>>>>>>>>>>>>> Both CentOS and Fedora are fully up-to-date using only the base
>>>>>>>>>>>>> repos. Config of the clients is done with ipa-client-install.
>>>>>>>>>>>>>
>>>>>>>>>>>> Could you attach log files with debug_level 9?
>>>>>>>>>>>>
>>>>>>>>>>>> LS
>>>>>>>>>>>>
>>>>>>>>>>> Sure. Just sssd_domain or do you need more?
>>>>>>>>>>>
>>>>>>>>> Are you using two different ipa servers?
>>>>>>>>> ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>>>>>>>>>
>>>>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>>>>> Fedora: http://pastebin.centos.org/8291/
>>>>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>
>>>>>>>>>> CentOS: http://pastebin.centos.org/8296/
>>>>>>>>> Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> - Jitse
>>>>>>>>>>
>>>>>>>>
>>>>>>>> The problem is also present in RHEL7b with
>>>>>>>> ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>>>>>>>
>>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>>> RHEL7b: http://pastebin.centos.org/8301/
>>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>
>>>>>>> Could you also provide krb5_child.log and ldap_child.log from fedora
>>>>>>> machine?
>>>>>>>   (debug_level 9)
>>>>>>>
>>>>>>> LS
>>>>>>>
>>>>> No, I'm using only one ipa server (vm-ipa). I accidentally
>>>>> copy-pasted wi
Re: [Freeipa-users] Migration mode
On (10/03/14 15:14), Rob Crittenden wrote:
> Jitse Klomp wrote:
>> On 10-03-14 18:57, Sumit Bose wrote:
>>> On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
>>>> On 10-03-14 17:03, Lukas Slebodnik wrote:
>>>>> On (10/03/14 16:58), Lukas Slebodnik wrote:
>>>>>> On (10/03/14 16:35), Jitse Klomp wrote:
>>>>>>> On 10-03-14 16:10, Lukas Slebodnik wrote:
>>>>>>>> On (10/03/14 15:19), Jitse Klomp wrote:
>>>>>>>>> On 10-03-14 14:59, Jitse Klomp wrote:
>>>>>>>>>> On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>>>>>>>>> On (10/03/14 13:55), Jitse Klomp wrote:
>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>>>>>>>>> migrate-ds I used some custom scripts to import all of our users (~250)
>>>>>>>>>>>> and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>>>>>>>>> passwords I configured the ipa-server to run in migration mode and did
>>>>>>>>>>>> an ldapmodify like this:
>>>>>>>>>>>>
>>>>>>>>>>>> dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>> replace: userPassword
>>>>>>>>>>>> userPassword: {SHA}hash
>>>>>>>>>>>>
>>>>>>>>>>>> Logging in to a machine running CentOS and ipa-client for the first time
>>>>>>>>>>>> works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>>>>>>>>>> works. However, logging in to Fedora 20 for the first time throws a
>>>>>>>>>>>> 'permission denied'. Logging in to Fedora works after logging in to
>>>>>>>>>>>> CentOS or the IPA migration web ui.
>>>>>>>>>>>>
>>>>>>>>>>>> sssd_domain.nl.log, loglevel 6
>>>>>>>>>>>> Fedora log: http://pastebin.centos.org/8281/
>>>>>>>>>>>> CentOS log: http://pastebin.centos.org/8286/
>>>>>>>>>>>>
>>>>>>>>>>>> Additional details:
>>>>>>>>>>>> IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>>>>>>>>> Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>>>>>>>>> Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>>>>>>>>> (Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>>>>>>>>>>   (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>>> (Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>>>>>>>>>>   (0x0400): All data has been sent!
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>>>>>>>>>>   (0x0400): EOF received, client finished
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>   (0x0100): Backend returned: (0, 4, ) [Success]
>>>>>>>>>>>                                   ^^^
>>>>>>>>>>>                                   It means PAM_SYSTEM_ERR /* System error */
>>>>>>>>>>>
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>   (0x0100): Sending result [4][domain.nl]
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>   (0x0100): Sent result [4][domain.nl]
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>>>>>>>>>>   (0x0100): child [19510] finished successfully.
>>>>>>>>>>>
>>>>>>>>>>>> Both CentOS and Fedora are fully up-to-date using only the base
>>>>>>>>>>>> repos. Config of the clients is done with ipa-client-install.
>>>>>>>>>>>>
>>>>>>>>>>> Could you attach log files with debug_level 9?
>>>>>>>>>>>
>>>>>>>>>>> LS
>>>>>>>>>>>
>>>>>>>>>> Sure. Just sssd_domain or do you need more?
>>>>>>>>>>
>>>>>>>> Are you using two different ipa servers?
>>>>>>>> ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>>>>>>>>
>>>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>>>> Fedora: http://pastebin.centos.org/8291/
>>>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>
>>>>>>>>> CentOS: http://pastebin.centos.org/8296/
>>>>>>>> Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>>>>>>>>
>>>>>>>>>
>>>>>>>>> - Jitse
>>>>>>>>>
>>>>>>>
>>>>>>> The problem is also present in RHEL7b with
>>>>>>> ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>>>>>>
>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>> RHEL7b: http://pastebin.centos.org/8301/
>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>
>>>>>> Could you also provide krb5_child.log and ldap_child.log from fedora
>>>>>> machine?
>>>>>>   (debug_level 9)
>>>>>>
>>>>>> LS
>>>>>>
>>>> No, I'm using only one ipa server (vm-ipa). I accidentally
>>>> copy-pasted without changing the domain name ;)
>>>>
>>>>> Any chance you could use the migrate-ds script to migrate users? I'm
>>>>> not 100% sure if your own upgrade method does the same thing..
>>>> I don't think so, our old LDAP schema is a mess...
>>>>
>>>> krb5_child.log: http://pastebin.centos.org/8306/
>>>
>>> [sss_child_krb5_trace_
Re: [Freeipa-users] Migration mode
On 10-03-14 20:34, Sumit Bose wrote:
> On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote:
>> On 10-03-14 18:57, Sumit Bose wrote:
>>> On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
>>>> On 10-03-14 17:03, Lukas Slebodnik wrote:
>>>>> On (10/03/14 16:58), Lukas Slebodnik wrote:
>>>>>> On (10/03/14 16:35), Jitse Klomp wrote:
>>>>>>> On 10-03-14 16:10, Lukas Slebodnik wrote:
>>>>>>>> On (10/03/14 15:19), Jitse Klomp wrote:
>>>>>>>>> On 10-03-14 14:59, Jitse Klomp wrote:
>>>>>>>>>> On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>>>>>>>>> On (10/03/14 13:55), Jitse Klomp wrote:
>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>>>>>>>>> migrate-ds I used some custom scripts to import all of our users (~250)
>>>>>>>>>>>> and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>>>>>>>>> passwords I configured the ipa-server to run in migration mode and did
>>>>>>>>>>>> an ldapmodify like this:
>>>>>>>>>>>>
>>>>>>>>>>>> dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>> replace: userPassword
>>>>>>>>>>>> userPassword: {SHA}hash
>>>>>>>>>>>>
>>>>>>>>>>>> Logging in to a machine running CentOS and ipa-client for the first time
>>>>>>>>>>>> works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>>>>>>>>>> works. However, logging in to Fedora 20 for the first time throws a
>>>>>>>>>>>> 'permission denied'. Logging in to Fedora works after logging in to
>>>>>>>>>>>> CentOS or the IPA migration web ui.
>>>>>>>>>>>>
>>>>>>>>>>>> sssd_domain.nl.log, loglevel 6
>>>>>>>>>>>> Fedora log: http://pastebin.centos.org/8281/
>>>>>>>>>>>> CentOS log: http://pastebin.centos.org/8286/
>>>>>>>>>>>>
>>>>>>>>>>>> Additional details:
>>>>>>>>>>>> IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>>>>>>>>> Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>>>>>>>>> Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>>>>>>>>> (Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>>>>>>>>>>   (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>>> (Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>>>>>>>>>>   (0x0400): All data has been sent!
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>>>>>>>>>>   (0x0400): EOF received, client finished
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>   (0x0100): Backend returned: (0, 4, ) [Success]
>>>>>>>>>>>                                   ^^^
>>>>>>>>>>>                                   It means PAM_SYSTEM_ERR /* System error */
>>>>>>>>>>>
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>   (0x0100): Sending result [4][domain.nl]
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>>>>>>>>   (0x0100): Sent result [4][domain.nl]
>>>>>>>>>>> (Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>>>>>>>>>>   (0x0100): child [19510] finished successfully.
>>>>>>>>>>>
>>>>>>>>>>>> Both CentOS and Fedora are fully up-to-date using only the base
>>>>>>>>>>>> repos. Config of the clients is done with ipa-client-install.
>>>>>>>>>>>>
>>>>>>>>>>> Could you attach log files with debug_level 9?
>>>>>>>>>>>
>>>>>>>>>>> LS
>>>>>>>>>>>
>>>>>>>>>> Sure. Just sssd_domain or do you need more?
>>>>>>>>>>
>>>>>>>> Are you using two different ipa servers?
>>>>>>>> ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>>>>>>>>
>>>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>>>> Fedora: http://pastebin.centos.org/8291/
>>>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>
>>>>>>>>> CentOS: http://pastebin.centos.org/8296/
>>>>>>>> Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>>>>>>>>
>>>>>>>>>
>>>>>>>>> - Jitse
>>>>>>>>>
>>>>>>>
>>>>>>> The problem is also present in RHEL7b with
>>>>>>> ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>>>>>>
>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>> RHEL7b: http://pastebin.centos.org/8301/
>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>
>>>>>> Could you also provide krb5_child.log and ldap_child.log from fedora
>>>>>> machine?
>>>>>>   (debug_level 9)
>>>>>>
>>>>>> LS
>>>>>>
>>>> No, I'm using only one ipa server (vm-ipa). I accidentally
>>>> copy-pasted without changing the domain name ;)
>>>>
>>>>> Any chance you could use the migrate-ds script to migrate users? I'm
>>>>> not 100% sure if your own upgrade method does the same thing..
>>>> I don't think so, our old LDAP schema is a mess...
>>>>
>>>> krb5_child.log: http://pastebin.centos.org/8306/
>>>
>>> [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407384: Getting initial credentials for ji...@domain.nl
>>> [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
>>> [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.408202: Sending initial UDP request to dgram 10.14.3.15:88
>>> [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425034: Received answer from dgram 10.14.3.15:88
>>> [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425171: Response was from master KDC
>>> [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: Received error from KDC: -1765328361/Password has expired
>>> [get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
>>> [tgt_req_child] (0x1000): Password was expired
>>>
>>> It looks like password is expired for user jitse.
>>>
>>> My hands were faster than my mind. I wanted to write:
>>> It looks like password is expired for user jitse. It is really weird
>>> because it works on Centos.
>>>
>>> Do you have a synchronized time on all machines with ipa server?
>>>
>>> LS
>>
>> Yes, time is in sync across all machines.
>>
>> I think the most interesting lines in the log are these:
>>
>> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[
Re: [Freeipa-users] Migration mode
On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote:
> On 10-03-14 18:57, Sumit Bose wrote:
> > On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
> > > [...]
Re: [Freeipa-users] Migration mode
Lukas Slebodnik wrote:
> On (10/03/14 16:58), Lukas Slebodnik wrote:
> > [...]
> > It looks like password is expired for user jitse.
>
> My hands were faster than my mind. I wanted to write: It looks like
> password is expired for user jitse. It is really weird because it works
> on Centos. Do you have a synchronized time on all machines with ipa
> server?

I'd be curious what the krbPasswordExpiration is for this user.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration mode
On (10/03/14 13:55), Jitse Klomp wrote:

Hello all,

I'm migrating our OpenLDAP-based IdM system to IPA. Instead of using
migrate-ds I used some custom scripts to import all of our users (~250)
and groups (~85) with IPA commands (ipa user-add etc.). To move
passwords I configured the ipa-server to run in migration mode and did
an ldapmodify like this:

dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
changetype: modify
replace: userPassword
userPassword: {SHA}hash

Logging in to a machine running CentOS and ipa-client for the first time
works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
works. However, logging in to Fedora 20 for the first time throws a
'permission denied'. Logging in to Fedora works after logging in to
CentOS or the IPA migration web ui.

sssd_domain.nl.log, loglevel 6
Fedora log: http://pastebin.centos.org/8281/
CentOS log: http://pastebin.centos.org/8286/

Additional details:
IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64

Both CentOS and Fedora are fully up-to-date using only the base repos.
Config of the clients is done with ipa-client-install.

On 10-03-14 14:35, Lukas Slebodnik wrote:

(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success]
                                                                                                       ^^^
                                                              It means PAM_SYSTEM_ERR /* System error */
(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Sending result [4][domain.nl]
(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Sent result [4][domain.nl]
(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler] (0x0100): child [19510] finished successfully.

Could you attach log files with debug_level 9?

LS

On 10-03-14 14:59, Jitse Klomp wrote:

Sure. Just sssd_domain or do you need more?

On (10/03/14 15:19), Jitse Klomp wrote:

sssd_domain.nl.log, loglevel 9
Fedora: http://pastebin.centos.org/8291/
CentOS: http://pastebin.centos.org/8296/

- Jitse

The problem is also present in RHEL7b with ipa-client-3.3.3-5.el7.x86_64
and sssd-1.11.2-1.el7.x86_64

sssd_domain.nl.log, loglevel 9
RHEL7b: http://pastebin.centos.org/8301/

On (10/03/14 16:35), Jitse Klomp wrote:

On 10-03-14 16:10, Lukas Slebodnik wrote:
> Are you using two different ipa servers?
> ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>
> > Fedora: http://pastebin.centos.org/8291/
> Constructed uri 'ldap://vm-ipa.domain.nl'
> > CentOS: http://pastebin.centos.org/8296/
> Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
> > RHEL7b: http://pastebin.centos.org/8301/
> Constructed uri 'ldap://vm-ipa.domain.nl'
>
> Could you also provide krb5_child.log and ldap_child.log from fedora
> machine? (debug_level 9)
>
> LS

No, I'm using only one ipa server (vm-ipa). I accidentally copy-pasted
without changing the domain name ;)

> Any chance you could use the migrate-ds script to migrate users? I'm
> not 100% sure if your own upgrade method does the same thing..

I don't think so, our old LDAP schema is a mess...

krb5_child.log: http://pastebin.centos.org/8306/

On (10/03/14 16:58), Lukas Slebodnik wrote:

[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407384: Getting initial credentials for ji...@domain.nl
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.408202: Sending initial UDP request to dgram 10.14.3.15:88
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425034: Received answer from dgram 10.14.3.15:88
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425171: Response was from master KDC
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: Received error from KDC: -1765328361/Password has expired
[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
[tgt_req_child] (0x1000): Password was expired

It looks like password is expired for user jitse.

On 10-03-14 17:03, Lukas Slebodnik wrote:

My hands were faster than my mind. I wanted to write: It looks like
password is expired for user jitse. It is really weird because it works
on Centos. Do you have a synchronized time on all machines with ipa
server?

LS

On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:

Yes, time is in sync across all machines. I think the most interesting
lines in the log are these:

(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671 [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823: Processing preauth types: 136, 19, 2, 133
(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671 [map_krb5_error] (0x002
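A small triage helper for the log lines this thread hinges on, written here as an added example (it is not code from the thread or from the SSSD or FreeIPA projects). It decodes the PAM status in the "Backend returned" line, the KDC error code in the krb5_child trace, and the preauth type numbers, using the lines quoted above as constructed input; the PAM, krb5 and pa-type tables are the standard constants, and the findings text is this example's own interpretation of them.

```python
"""Triage the SSSD log lines quoted in this thread (added example)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Subset of Linux-PAM return codes (security/_pam_types.h). The thread only
# needs 0 and 4; a few neighbours are listed so other "Backend returned"
# lines decode too.
PAM_CODES = {
    0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}

# MIT krb5 KDC error codes (krb5_err.h); the table base is KRB5KDC_ERR_NONE.
KRB5_BASE = -1765328384
KRB5_CODES = {
    KRB5_BASE + 6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    KRB5_BASE + 18: "KRB5KDC_ERR_CLIENT_REVOKED",
    KRB5_BASE + 23: "KRB5KDC_ERR_KEY_EXP",   # -1765328361, "Password has expired"
    KRB5_BASE + 24: "KRB5KDC_ERR_PREAUTH_FAILED",
    KRB5_BASE + 25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}

# Pre-authentication type numbers (RFC 4120 section 7.5.2, RFC 6113).
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 19: "PA-ETYPE-INFO2",
            133: "PA-FX-COOKIE", 136: "PA-FX-FAST"}

BACKEND_RE = re.compile(r"Backend returned: \((\d+), (\d+),")
KDC_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.+)$")
PREAUTH_RE = re.compile(r"Processing preauth types: ([\d, ]+)$")

# Constructed sample: the lines Lukas and Jitse quoted above, one per entry.
SAMPLE_LINES = [
    "(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] "
    "(0x0100): Backend returned: (0, 4, ) [Success]",
    "[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: "
    "Received error from KDC: -1765328361/Password has expired",
    "[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]",
    "[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823: "
    "Processing preauth types: 136, 19, 2, 133",
]


@dataclass
class Triage:
    pam_status: Optional[int] = None      # middle value of "Backend returned"
    pam_name: str = ""
    kdc_error: Optional[int] = None
    kdc_name: str = ""
    kdc_message: str = ""
    preauth: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def triage(lines: Iterable[str]) -> Triage:
    """Decode the PAM status, KDC error and preauth types found in `lines`."""
    t = Triage()
    for raw in lines:
        line = raw.rstrip()
        m = BACKEND_RE.search(line)
        if m:
            t.pam_status = int(m.group(2))
            t.pam_name = PAM_CODES.get(t.pam_status, f"unknown({t.pam_status})")
            continue
        m = KDC_ERR_RE.search(line)
        if m:
            t.kdc_error = int(m.group(1))
            t.kdc_name = KRB5_CODES.get(t.kdc_error, f"unknown({t.kdc_error})")
            t.kdc_message = m.group(2).strip()
            continue
        m = PREAUTH_RE.search(line)
        if m:
            t.preauth = [PA_TYPES.get(int(n), f"pa-type-{int(n)}")
                         for n in m.group(1).split(",") if n.strip()]

    # Interpretation: PAM_SYSTEM_ERR is what the login prompt sees as
    # "permission denied"; the Kerberos child log carries the real reason.
    if t.pam_status == 4:
        t.findings.append(
            "sssd backend returned PAM_SYSTEM_ERR: the login client only sees "
            "a generic failure, so the real reason is in krb5_child.log")
    if t.kdc_error == KRB5_BASE + 23:
        t.findings.append(
            "KDC answered the AS-REQ with KRB5KDC_ERR_KEY_EXP: the principal "
            "is expired on the server side; check the user's "
            "krbPasswordExpiration (ipa user-show <uid> --all) before "
            "comparing client versions")
    if t.preauth:
        t.findings.append("client offered preauth: " + ", ".join(t.preauth))
    return t


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES).findings:
        print("-", finding)
```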
Re: [Freeipa-users] Migration mode
On (10/03/14 16:58), Lukas Slebodnik wrote: >On (10/03/14 16:35), Jitse Klomp wrote: >>On 10-03-14 16:10, Lukas Slebodnik wrote: >>>On (10/03/14 15:19), Jitse Klomp wrote: On 10-03-14 14:59, Jitse Klomp wrote: >On 10-03-14 14:35, Lukas Slebodnik wrote: >>On (10/03/14 13:55), Jitse Klomp wrote: >>>Hello all, >>> >>> >>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using >>>migrate-ds I used some custom scripts to import all of our users (~250) >>>and groups (~85) with IPA commands (ipa user-add etc.). To move >>>passwords I configured the ipa-server to run in migration mode and did >>>an ldapmodify like this: >>> >>>dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl >>>changetype: modify >>>replace: userPassword >>>userPassword: {SHA}hash >>> >>>Logging in to a machine running CentOS and ipa-client for the first time >>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just' >>>works. However, logging in to Fedora 20 for the first time throws a >>>'permission denied'. Logging in to Fedora works after logging in to >>>CentOS or the IPA migration web ui. >>> >>> >>>sssd_domain.nl.log, loglevel 6 >>>Fedora log: http://pastebin.centos.org/8281/ >>>CentOS log: http://pastebin.centos.org/8286/ >>> >>> >>>Additional details: >>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64 >>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64 >>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64 >>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback] >> (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl' >>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler] >> (0x0400): All data has been sent! 
>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler] >> (0x0400): EOF received, client finished >>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] >>[be_pam_handler_callback] >> (0x0100): Backend returned: (0, 4, ) [Success] >>^^^ >> It means PAM_SYSTEM_ERR /* System >>error */ >> >>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] >>[be_pam_handler_callback] >> (0x0100): Sending result [4][domain.nl] >>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] >>[be_pam_handler_callback] >> (0x0100): Sent result [4][domain.nl] >>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler] >> (0x0100): child [19510] finished successfully. >> >>> >>>Both CentOS and Fedora are fully up-to-date using only the base >>>repos. Config of the clients is done with ipa-client-install. >>> >> >>Could you attach log files with debug_level 9? >> >>LS >> > >Sure. Just sssd_domain or do you need more? > >>>Are you using two different ipa servers? >>>ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl >>> >sssd_domain.nl.log, loglevel 9 >Fedora: http://pastebin.centos.org/8291/ >>>Constructed uri 'ldap://vm-ipa.domain.nl' >>> >CentOS: http://pastebin.centos.org/8296/ >>>Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl' >>> > > - Jitse > The problem is also present in RHEL7b with ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64 sssd_domain.nl.log, loglevel 9 RHEL7b: http://pastebin.centos.org/8301/ >>>Constructed uri 'ldap://vm-ipa.domain.nl' >>> >>>Could you also provide krb5_child.log and ldap_child.log from fedora machine? >>> (debug_level 9) >>> >>>LS >>> >> >>No, I'm using only one ipa server (vm-ipa). I accidentally >>copy-pasted without changing the domain name ;) >> >>> Any chance you could use the migrate-ds script to migrate users? I'm >>> not 100% sure if your own upgrade method does the same thing.. >>I don't think so, our old LDAP schema is a mess... 
>> >>krb5_child.log: http://pastebin.centos.org/8306/ > >[sss_child_krb5_trace_cb] (0x4000): [24671] >1394465217.407384: Getting initial credentials for ji...@domain.nl >[sss_child_krb5_trace_cb] (0x4000): [24671] >1394465217.407699: Sending request (173 bytes) to DOMAIN.NL >[sss_child_krb5_trace_cb] (0x4000): [24671] >1394465217.408202: Sending initial UDP request to dgram 10.14.3.15:88 >[sss_child_krb5_trace_cb] (0x4000): [24671] >1394465217.425034: Received answer from dgram 10.14.3.15:88 >[sss_child_krb5_trace_cb] (0x4000): [24671] >1394465217.425171: Response was from master KDC >[sss_child_krb5_trace_cb] (0x4000): [24671] >1394465217.425241: Received error from KDC: -1765328361/Password has > expired >[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired] >[tgt_req_child] (0x1000): Password was expired > >It looks like password is expired for user jitse. > My hands were faster than my mind. I wanted to wrote: It loo
Re: [Freeipa-users] Migration mode
On (10/03/14 16:35), Jitse Klomp wrote:
>On 10-03-14 16:10, Lukas Slebodnik wrote:
>>On (10/03/14 15:19), Jitse Klomp wrote:
>>>On 10-03-14 14:59, Jitse Klomp wrote:
>>>>On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>>>On (10/03/14 13:55), Jitse Klomp wrote:
>>>>>>Hello all,
>>>>>>
>>>>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>>>migrate-ds I used some custom scripts to import all of our users (~250)
>>>>>>and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>>>passwords I configured the ipa-server to run in migration mode and did
>>>>>>an ldapmodify like this:
>>>>>>
>>>>>>dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>>changetype: modify
>>>>>>replace: userPassword
>>>>>>userPassword: {SHA}hash
>>>>>>
>>>>>>Logging in to a machine running CentOS and ipa-client for the first time
>>>>>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>>>>works. However, logging in to Fedora 20 for the first time throws a
>>>>>>'permission denied'. Logging in to Fedora works after logging in to
>>>>>>CentOS or the IPA migration web ui.
>>>>>>
>>>>>>sssd_domain.nl.log, loglevel 6
>>>>>>Fedora log: http://pastebin.centos.org/8281/
>>>>>>CentOS log: http://pastebin.centos.org/8286/
>>>>>>
>>>>>>Additional details:
>>>>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>>>> (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>>>> (0x0400): All data has been sent!
>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>>>> (0x0400): EOF received, client finished
>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>> (0x0100): Backend returned: (0, 4, ) [Success]
>>>>>                                 ^^^
>>>>> It means PAM_SYSTEM_ERR /* System error */
>>>>>
>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>> (0x0100): Sending result [4][domain.nl]
>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>>> (0x0100): Sent result [4][domain.nl]
>>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>>>> (0x0100): child [19510] finished successfully.
>>>>>
>>>>>>
>>>>>>Both CentOS and Fedora are fully up-to-date using only the base
>>>>>>repos. Config of the clients is done with ipa-client-install.
>>>>>>
>>>>>
>>>>>Could you attach log files with debug_level 9?
>>>>>
>>>>>LS
>>>>>
>>>>
>>>>Sure. Just sssd_domain or do you need more?
>>>>
>>Are you using two different ipa servers?
>>ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>>
>>>>sssd_domain.nl.log, loglevel 9
>>>>Fedora: http://pastebin.centos.org/8291/
>>Constructed uri 'ldap://vm-ipa.domain.nl'
>>
>>>>CentOS: http://pastebin.centos.org/8296/
>>Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>>
>>>>
>>>> - Jitse
>>>>
>>>
>>>The problem is also present in RHEL7b with
>>>ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>>
>>>sssd_domain.nl.log, loglevel 9
>>>RHEL7b: http://pastebin.centos.org/8301/
>>Constructed uri 'ldap://vm-ipa.domain.nl'
>>
>>Could you also provide krb5_child.log and ldap_child.log from fedora machine?
>> (debug_level 9)
>>
>>LS
>>
>
>No, I'm using only one ipa server (vm-ipa). I accidentally
>copy-pasted without changing the domain name ;)
>
>> Any chance you could use the migrate-ds script to migrate users? I'm
>> not 100% sure if your own upgrade method does the same thing..
>I don't think so, our old LDAP schema is a mess...
>
>krb5_child.log: http://pastebin.centos.org/8306/

[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407384: Getting initial credentials for ji...@domain.nl
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.408202: Sending initial UDP request to dgram 10.14.3.15:88
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425034: Received answer from dgram 10.14.3.15:88
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425171: Response was from master KDC
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: Received error from KDC: -1765328361/Password has expired
[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
[tgt_req_child] (0x1000): Password was expired

It looks like password is expired for user jitse.

LS

>ldap_child.log: http://pastebin.centos.org/8311/
>
> - Jitse
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
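The two log reads Lukas walks through above (the second element of `Backend returned: (0, 4, )` being the PAM status, and `-1765328361/Password has expired` from the KDC) can be turned into a repeatable check. This is an added example, not code from the thread, SSSD or FreeIPA; the sample log lines are constructed after the excerpts quoted in this thread, and the PAM and krb5 code tables are assumed from the Linux-PAM and MIT krb5 headers.

```python
import re

# Linux-PAM return codes (security/_pam_types.h), assumed from the header.
# In the sssd_domain.nl.log excerpt above, Lukas reads the second element of
# "Backend returned: (0, 4, )" as the PAM status; the trailing "[Success]"
# is not the outcome of the login, so do not grep for it.
PAM_STATUS = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
}

# MIT krb5 reports KDC errors as com_err codes: ERROR_TABLE_BASE_krb5 plus the
# RFC 4120 error-code, so -1765328361 - (-1765328384) = 23 = KDC_ERR_KEY_EXP,
# the "Password has expired" seen in krb5_child.log.
KRB5_ERROR_TABLE_BASE = -1765328384
KDC_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
}

BACKEND_RE = re.compile(
    r"\[be_pam_handler_callback\].*?Backend returned: \((\d+), (\d+), ?([^)]*)\)")
KDC_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.+)$")


def parse_backend_result(line):
    """Decode a be_pam_handler_callback 'Backend returned' line, else None."""
    m = BACKEND_RE.search(line)
    if m is None:
        return None
    pam_status = int(m.group(2))
    return {"dp_ret": int(m.group(1)), "pam_status": pam_status,
            "pam_name": PAM_STATUS.get(pam_status, "PAM_UNKNOWN(%d)" % pam_status)}


def parse_kdc_error(line):
    """Decode a krb5_child trace line carrying a KDC error, else None."""
    m = KDC_ERR_RE.search(line)
    if m is None:
        return None
    com_err = int(m.group(1))
    kdc_code = com_err - KRB5_ERROR_TABLE_BASE
    return {"com_err": com_err, "kdc_code": kdc_code,
            "name": KDC_ERROR_NAMES.get(kdc_code, "KRB5KDC_ERR_%d" % kdc_code),
            "message": m.group(2).strip()}


def triage(sssd_domain_lines, krb5_child_lines):
    """Pair the non-zero PAM status in the domain log with the KDC error behind it."""
    pam = next((r for r in map(parse_backend_result, sssd_domain_lines)
                if r is not None and r["pam_status"] != 0), None)
    kdc = next((e for e in map(parse_kdc_error, krb5_child_lines) if e), None)
    if kdc is not None and kdc["kdc_code"] == 23:
        cause = "KDC rejected the AS-REQ: the principal's password/key is expired"
    elif kdc is not None:
        cause = "KDC error %s: %s" % (kdc["name"], kdc["message"])
    elif pam is not None:
        cause = "no KDC error logged; collect krb5_child.log at debug_level 9"
    else:
        cause = "no failure found"
    return {"pam": pam, "kdc": kdc, "cause": cause}


# Constructed sample lines, modelled on the excerpts quoted in this thread.
SSSD_DOMAIN_LOG = [
    "(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler] (0x0400): All data has been sent!",
    "(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success]",
]
KRB5_CHILD_LOG = [
    "[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.407384: Getting initial credentials for jitse@domain.nl",
    "[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: Received error from KDC: -1765328361/Password has expired",
]

if __name__ == "__main__":
    print(triage(SSSD_DOMAIN_LOG, KRB5_CHILD_LOG)["cause"])
```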
Re: [Freeipa-users] Migration mode
On 10-03-14 16:10, Lukas Slebodnik wrote:
>On (10/03/14 15:19), Jitse Klomp wrote:
>>On 10-03-14 14:59, Jitse Klomp wrote:
>>>On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>>On (10/03/14 13:55), Jitse Klomp wrote:
>>>>>Hello all,
>>>>>
>>>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>>migrate-ds I used some custom scripts to import all of our users (~250)
>>>>>and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>>passwords I configured the ipa-server to run in migration mode and did
>>>>>an ldapmodify like this:
>>>>>
>>>>>dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>changetype: modify
>>>>>replace: userPassword
>>>>>userPassword: {SHA}hash
>>>>>
>>>>>Logging in to a machine running CentOS and ipa-client for the first time
>>>>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>>>works. However, logging in to Fedora 20 for the first time throws a
>>>>>'permission denied'. Logging in to Fedora works after logging in to
>>>>>CentOS or the IPA migration web ui.
>>>>>
>>>>>sssd_domain.nl.log, loglevel 6
>>>>>Fedora log: http://pastebin.centos.org/8281/
>>>>>CentOS log: http://pastebin.centos.org/8286/
>>>>>
>>>>>Additional details:
>>>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>>> (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>>> (0x0400): All data has been sent!
>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>>> (0x0400): EOF received, client finished
>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>> (0x0100): Backend returned: (0, 4, ) [Success]
>>>>                                 ^^^
>>>> It means PAM_SYSTEM_ERR /* System error */
>>>>
>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>> (0x0100): Sending result [4][domain.nl]
>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>>> (0x0100): Sent result [4][domain.nl]
>>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>>> (0x0100): child [19510] finished successfully.
>>>>
>>>>>
>>>>>Both CentOS and Fedora are fully up-to-date using only the base
>>>>>repos. Config of the clients is done with ipa-client-install.
>>>>>
>>>>
>>>>Could you attach log files with debug_level 9?
>>>>
>>>>LS
>>>>
>>>
>>>Sure. Just sssd_domain or do you need more?
>>>
>Are you using two different ipa servers?
>ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>
>>>sssd_domain.nl.log, loglevel 9
>>>Fedora: http://pastebin.centos.org/8291/
>Constructed uri 'ldap://vm-ipa.domain.nl'
>
>>>CentOS: http://pastebin.centos.org/8296/
>Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>
>>>
>>> - Jitse
>>>
>>
>>The problem is also present in RHEL7b with
>>ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>
>>sssd_domain.nl.log, loglevel 9
>>RHEL7b: http://pastebin.centos.org/8301/
>Constructed uri 'ldap://vm-ipa.domain.nl'
>
>Could you also provide krb5_child.log and ldap_child.log from fedora machine?
> (debug_level 9)
>
>LS

No, I'm using only one ipa server (vm-ipa). I accidentally
copy-pasted without changing the domain name ;)

> Any chance you could use the migrate-ds script to migrate users? I'm
> not 100% sure if your own upgrade method does the same thing..
I don't think so, our old LDAP schema is a mess...

krb5_child.log: http://pastebin.centos.org/8306/
ldap_child.log: http://pastebin.centos.org/8311/

 - Jitse
Re: [Freeipa-users] Migration mode
On (10/03/14 15:19), Jitse Klomp wrote:
>On 10-03-14 14:59, Jitse Klomp wrote:
>>On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>On (10/03/14 13:55), Jitse Klomp wrote:
>>>>Hello all,
>>>>
>>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>migrate-ds I used some custom scripts to import all of our users (~250)
>>>>and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>passwords I configured the ipa-server to run in migration mode and did
>>>>an ldapmodify like this:
>>>>
>>>>dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>changetype: modify
>>>>replace: userPassword
>>>>userPassword: {SHA}hash
>>>>
>>>>Logging in to a machine running CentOS and ipa-client for the first time
>>>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>>works. However, logging in to Fedora 20 for the first time throws a
>>>>'permission denied'. Logging in to Fedora works after logging in to
>>>>CentOS or the IPA migration web ui.
>>>>
>>>>sssd_domain.nl.log, loglevel 6
>>>>Fedora log: http://pastebin.centos.org/8281/
>>>>CentOS log: http://pastebin.centos.org/8286/
>>>>
>>>>Additional details:
>>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>> (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>> (0x0400): All data has been sent!
>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>> (0x0400): EOF received, client finished
>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>> (0x0100): Backend returned: (0, 4, ) [Success]
>>>                                 ^^^
>>> It means PAM_SYSTEM_ERR /* System error */
>>>
>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>> (0x0100): Sending result [4][domain.nl]
>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>>> (0x0100): Sent result [4][domain.nl]
>>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>> (0x0100): child [19510] finished successfully.
>>>
>>>>
>>>>Both CentOS and Fedora are fully up-to-date using only the base
>>>>repos. Config of the clients is done with ipa-client-install.
>>>>
>>>
>>>Could you attach log files with debug_level 9?
>>>
>>>LS
>>>
>>
>>Sure. Just sssd_domain or do you need more?
>>
Are you using two different ipa servers?
ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl

>>sssd_domain.nl.log, loglevel 9
>>Fedora: http://pastebin.centos.org/8291/
Constructed uri 'ldap://vm-ipa.domain.nl'

>>CentOS: http://pastebin.centos.org/8296/
Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'

>>
>> - Jitse
>>
>
>The problem is also present in RHEL7b with
>ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>
>sssd_domain.nl.log, loglevel 9
>RHEL7b: http://pastebin.centos.org/8301/
Constructed uri 'ldap://vm-ipa.domain.nl'

Could you also provide krb5_child.log and ldap_child.log from fedora machine?
 (debug_level 9)

LS
Re: [Freeipa-users] Migration mode
On Mon, Mar 10, 2014 at 03:19:28PM +0100, Jitse Klomp wrote:
> On 10-03-14 14:59, Jitse Klomp wrote:
> >On 10-03-14 14:35, Lukas Slebodnik wrote:
> >>On (10/03/14 13:55), Jitse Klomp wrote:
> >>>Hello all,
> >>>
> >>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
> >>>migrate-ds I used some custom scripts to import all of our users (~250)
> >>>and groups (~85) with IPA commands (ipa user-add etc.). To move
> >>>passwords I configured the ipa-server to run in migration mode and did
> >>>an ldapmodify like this:
> >>>
> >>>dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
> >>>changetype: modify
> >>>replace: userPassword
> >>>userPassword: {SHA}hash
> >>>
> >>>Logging in to a machine running CentOS and ipa-client for the first time
> >>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
> >>>works. However, logging in to Fedora 20 for the first time throws a
> >>>'permission denied'. Logging in to Fedora works after logging in to
> >>>CentOS or the IPA migration web ui.
> >>>
> >>>sssd_domain.nl.log, loglevel 6
> >>>Fedora log: http://pastebin.centos.org/8281/
> >>>CentOS log: http://pastebin.centos.org/8286/
> >>>
> >>>Additional details:
> >>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
> >>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
> >>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
> >>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
> >> (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
> >>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
> >> (0x0400): All data has been sent!
> >>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
> >> (0x0400): EOF received, client finished
> >>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
> >> (0x0100): Backend returned: (0, 4, ) [Success]
> >>                                 ^^^
> >> It means PAM_SYSTEM_ERR /* System error */
> >>
> >>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
> >> (0x0100): Sending result [4][domain.nl]
> >>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
> >> (0x0100): Sent result [4][domain.nl]
> >>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
> >> (0x0100): child [19510] finished successfully.
> >>
> >>>
> >>>Both CentOS and Fedora are fully up-to-date using only the base
> >>>repos. Config of the clients is done with ipa-client-install.
> >>>
> >>
> >>Could you attach log files with debug_level 9?
> >>
> >>LS
> >>
> >
> >Sure. Just sssd_domain or do you need more?
> >
> >sssd_domain.nl.log, loglevel 9
> >Fedora: http://pastebin.centos.org/8291/
> >CentOS: http://pastebin.centos.org/8296/
> >
> > - Jitse
> >
> 
> The problem is also present in RHEL7b with
> ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
> 
> sssd_domain.nl.log, loglevel 9
> RHEL7b: http://pastebin.centos.org/8301/
> 
> - Jitse

Any chance you could use the migrate-ds script to migrate users? I'm
not 100% sure if your own upgrade method does the same thing..

To further analyze the System Error, we need the krb5_child.log
Re: [Freeipa-users] Migration mode
On 10-03-14 14:59, Jitse Klomp wrote:
>On 10-03-14 14:35, Lukas Slebodnik wrote:
>>On (10/03/14 13:55), Jitse Klomp wrote:
>>>Hello all,
>>>
>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>migrate-ds I used some custom scripts to import all of our users (~250)
>>>and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>passwords I configured the ipa-server to run in migration mode and did
>>>an ldapmodify like this:
>>>
>>>dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>changetype: modify
>>>replace: userPassword
>>>userPassword: {SHA}hash
>>>
>>>Logging in to a machine running CentOS and ipa-client for the first time
>>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>works. However, logging in to Fedora 20 for the first time throws a
>>>'permission denied'. Logging in to Fedora works after logging in to
>>>CentOS or the IPA migration web ui.
>>>
>>>sssd_domain.nl.log, loglevel 6
>>>Fedora log: http://pastebin.centos.org/8281/
>>>CentOS log: http://pastebin.centos.org/8286/
>>>
>>>Additional details:
>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>> (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>> (0x0400): All data has been sent!
>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>> (0x0400): EOF received, client finished
>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>> (0x0100): Backend returned: (0, 4, ) [Success]
>>                                 ^^^
>> It means PAM_SYSTEM_ERR /* System error */
>>
>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>> (0x0100): Sending result [4][domain.nl]
>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>> (0x0100): Sent result [4][domain.nl]
>>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>> (0x0100): child [19510] finished successfully.
>>
>>>
>>>Both CentOS and Fedora are fully up-to-date using only the base
>>>repos. Config of the clients is done with ipa-client-install.
>>>
>>
>>Could you attach log files with debug_level 9?
>>
>>LS
>>
>
>Sure. Just sssd_domain or do you need more?
>
>sssd_domain.nl.log, loglevel 9
>Fedora: http://pastebin.centos.org/8291/
>CentOS: http://pastebin.centos.org/8296/
>
> - Jitse
>

The problem is also present in RHEL7b with
ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64

sssd_domain.nl.log, loglevel 9
RHEL7b: http://pastebin.centos.org/8301/

 - Jitse
Re: [Freeipa-users] Migration mode
On 10-03-14 14:35, Lukas Slebodnik wrote:
>On (10/03/14 13:55), Jitse Klomp wrote:
>>Hello all,
>>
>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>migrate-ds I used some custom scripts to import all of our users (~250)
>>and groups (~85) with IPA commands (ipa user-add etc.). To move
>>passwords I configured the ipa-server to run in migration mode and did
>>an ldapmodify like this:
>>
>>dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>changetype: modify
>>replace: userPassword
>>userPassword: {SHA}hash
>>
>>Logging in to a machine running CentOS and ipa-client for the first time
>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>works. However, logging in to Fedora 20 for the first time throws a
>>'permission denied'. Logging in to Fedora works after logging in to
>>CentOS or the IPA migration web ui.
>>
>>sssd_domain.nl.log, loglevel 6
>>Fedora log: http://pastebin.centos.org/8281/
>>CentOS log: http://pastebin.centos.org/8286/
>>
>>Additional details:
>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
> (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
> (0x0400): All data has been sent!
>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
> (0x0400): EOF received, client finished
>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
> (0x0100): Backend returned: (0, 4, ) [Success]
>                                 ^^^
> It means PAM_SYSTEM_ERR /* System error */
>
>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
> (0x0100): Sending result [4][domain.nl]
>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
> (0x0100): Sent result [4][domain.nl]
>(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
> (0x0100): child [19510] finished successfully.
>
>>
>>Both CentOS and Fedora are fully up-to-date using only the base
>>repos. Config of the clients is done with ipa-client-install.
>>
>
>Could you attach log files with debug_level 9?
>
>LS
>

Sure. Just sssd_domain or do you need more?

sssd_domain.nl.log, loglevel 9
Fedora: http://pastebin.centos.org/8291/
CentOS: http://pastebin.centos.org/8296/

 - Jitse
Re: [Freeipa-users] Migration mode
On (10/03/14 13:55), Jitse Klomp wrote:
>Hello all,
>
>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>migrate-ds I used some custom scripts to import all of our users (~250)
>and groups (~85) with IPA commands (ipa user-add etc.). To move
>passwords I configured the ipa-server to run in migration mode and did
>an ldapmodify like this:
>
>dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>changetype: modify
>replace: userPassword
>userPassword: {SHA}hash
>
>Logging in to a machine running CentOS and ipa-client for the first time
>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>works. However, logging in to Fedora 20 for the first time throws a
>'permission denied'. Logging in to Fedora works after logging in to
>CentOS or the IPA migration web ui.
>
>sssd_domain.nl.log, loglevel 6
>Fedora log: http://pastebin.centos.org/8281/
>CentOS log: http://pastebin.centos.org/8286/
>
>Additional details:
>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
 (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
(Mon Mar 3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
 (0x0400): All data has been sent!
(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
 (0x0400): EOF received, client finished
(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
 (0x0100): Backend returned: (0, 4, ) [Success]
                                 ^^^
 It means PAM_SYSTEM_ERR /* System error */

(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
 (0x0100): Sending result [4][domain.nl]
(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
 (0x0100): Sent result [4][domain.nl]
(Mon Mar 3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
 (0x0100): child [19510] finished successfully.

>
>Both CentOS and Fedora are fully up-to-date using only the base
>repos. Config of the clients is done with ipa-client-install.
>

Could you attach log files with debug_level 9?

LS
[Freeipa-users] Migration mode
Hello all,

I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
migrate-ds I used some custom scripts to import all of our users (~250)
and groups (~85) with IPA commands (ipa user-add etc.). To move
passwords I configured the ipa-server to run in migration mode and did
an ldapmodify like this:

dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
changetype: modify
replace: userPassword
userPassword: {SHA}hash

Logging in to a machine running CentOS and ipa-client for the first time
works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
works. However, logging in to Fedora 20 for the first time throws a
'permission denied'. Logging in to Fedora works after logging in to
CentOS or the IPA migration web ui.

sssd_domain.nl.log, loglevel 6
Fedora log: http://pastebin.centos.org/8281/
CentOS log: http://pastebin.centos.org/8286/

Additional details:
IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64

Both CentOS and Fedora are fully up-to-date using only the base
repos. Config of the clients is done with ipa-client-install.

What am I doing wrong?

 - Jitse