subject:"\[Freeipa\-users\] Upgrade from FreeIPA 1.2 to 2.1 \- getting tickets from upgraded server"

Re: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server

2011-09-22 Thread Rob Crittenden


Dan Scott wrote:

Hi,

On Wed, Sep 21, 2011 at 16:28, Rob Crittenden  wrote:

Dan Scott wrote:


Hi,

I have a FreeIPA 1.2 realm running.

I've installed a new server running 2.1 and migrated the user accounts
across. I've installed a client and am trying to authenticate against
the new server. I get the following errors:

djscott@pc35:~$ kinit
Password for djsc...@example.com:
kinit: Preauthentication failed while getting initial credentials
djscott@pc35:~$

The server krb5kdc log contains the following:

Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH:
djsc...@example.com for krbtgt/example@example.com, Additional
pre-authentication required
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth
(timestamp) verify failure: No matching key in entry
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED:
djsc...@example.com for krbtgtexample@example.com,
Preauthentication failed

I've been to the page:

https://fileserver1.example.com/ipa/migration/

And tried to migrate my password, but I receive:

"There was a problem with your request. Please, try again later. If
the problem persists, contact your administrator."

The same error occurs when I try to authenticate as myself on the
server, although 'id djscott' returns the correct list of groups, so
it appears that LDAP is working, but Kerberos is not. I guess it's
something to do with the password migration?

Anyone know how I can figure out what's going wrong?

Thanks,

Dan Scott


It looks like the Apache error log is probably not going to have a ton of
information for you, but wouldn't hurt to check.

I'd start with the 389-ds access log when doing a migration. You should see
the following sequence:

- anonymous bind to search for the naming contexts. It looks like we use the
first one there which is bad (ticket
https://fedorahosted.org/freeipa/ticket/1834)
- it attempts a bind with dn uid=,cn=users,cn=accounts,

For some reason we convert the LDAP errors into IOErrors, not entirely sure
why but we should have beefed up logging in any case (ticket
https://fedorahosted.org/freeipa/ticket/1835)

See what either or both of them is returning and that may provide the clues
we need to figure it out.

If you still have migration mode enabled you can generate your credentials
with sssd by logging into the client normally. If migration mode is on then
sssd will initiate a kerberos password change for you.


Well, I'm not entirely sure what the problem was, but SSHing to
another server appears to have migrated the password successfully.
It's working fine now.

So I need to leave migration mode enabled until all users have
migrated their passwords, correct? Is this all that migration mode
does? Re-generate the Kerberos hashes?

Thanks,

Dan


Yes, migration mode enables you to authenticate with a stored LDAP 
password to generate missing Kerberos principal keys.


I assume that the other server has sssd configured so it performed the 
password migration.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server

2011-09-22 Thread Dan Scott

Hi,

On Wed, Sep 21, 2011 at 16:28, Rob Crittenden  wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> I have a FreeIPA 1.2 realm running.
>>
>> I've installed a new server running 2.1 and migrated the user accounts
>> across. I've installed a client and am trying to authenticate against
>> the new server. I get the following errors:
>>
>> djscott@pc35:~$ kinit
>> Password for djsc...@example.com:
>> kinit: Preauthentication failed while getting initial credentials
>> djscott@pc35:~$
>>
>> The server krb5kdc log contains the following:
>>
>> Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ
>> (4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH:
>> djsc...@example.com for krbtgt/example@example.com, Additional
>> pre-authentication required
>> Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth
>> (timestamp) verify failure: No matching key in entry
>> Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ
>> (4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED:
>> djsc...@example.com for krbtgtexample@example.com,
>> Preauthentication failed
>>
>> I've been to the page:
>>
>> https://fileserver1.example.com/ipa/migration/
>>
>> And tried to migrate my password, but I receive:
>>
>> "There was a problem with your request. Please, try again later. If
>> the problem persists, contact your administrator."
>>
>> The same error occurs when I try to authenticate as myself on the
>> server, although 'id djscott' returns the correct list of groups, so
>> it appears that LDAP is working, but Kerberos is not. I guess it's
>> something to do with the password migration?
>>
>> Anyone know how I can figure out what's going wrong?
>>
>> Thanks,
>>
>> Dan Scott
>
> It looks like the Apache error log is probably not going to have a ton of
> information for you, but wouldn't hurt to check.
>
> I'd start with the 389-ds access log when doing a migration. You should see
> the following sequence:
>
> - anonymous bind to search for the naming contexts. It looks like we use the
> first one there which is bad (ticket
> https://fedorahosted.org/freeipa/ticket/1834)
> - it attempts a bind with dn uid=,cn=users,cn=accounts, context>
>
> For some reason we convert the LDAP errors into IOErrors, not entirely sure
> why but we should have beefed up logging in any case (ticket
> https://fedorahosted.org/freeipa/ticket/1835)
>
> See what either or both of them is returning and that may provide the clues
> we need to figure it out.
>
> If you still have migration mode enabled you can generate your credentials
> with sssd by logging into the client normally. If migration mode is on then
> sssd will initiate a kerberos password change for you.

Well, I'm not entirely sure what the problem was, but SSHing to
another server appears to have migrated the password successfully.
It's working fine now.

So I need to leave migration mode enabled until all users have
migrated their passwords, correct? Is this all that migration mode
does? Re-generate the Kerberos hashes?

Thanks,

Dan

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server

2011-09-21 Thread Rob Crittenden


Dan Scott wrote:

Hi,

I have a FreeIPA 1.2 realm running.

I've installed a new server running 2.1 and migrated the user accounts
across. I've installed a client and am trying to authenticate against
the new server. I get the following errors:

djscott@pc35:~$ kinit
Password for djsc...@example.com:
kinit: Preauthentication failed while getting initial credentials
djscott@pc35:~$

The server krb5kdc log contains the following:

Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH:
djsc...@example.com for krbtgt/example@example.com, Additional
pre-authentication required
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth
(timestamp) verify failure: No matching key in entry
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED:
djsc...@example.com for krbtgtexample@example.com,
Preauthentication failed

I've been to the page:

https://fileserver1.example.com/ipa/migration/

And tried to migrate my password, but I receive:

"There was a problem with your request. Please, try again later. If
the problem persists, contact your administrator."

The same error occurs when I try to authenticate as myself on the
server, although 'id djscott' returns the correct list of groups, so
it appears that LDAP is working, but Kerberos is not. I guess it's
something to do with the password migration?

Anyone know how I can figure out what's going wrong?

Thanks,

Dan Scott


It looks like the Apache error log is probably not going to have a ton 
of information for you, but wouldn't hurt to check.


I'd start with the 389-ds access log when doing a migration. You should 
see the following sequence:


- anonymous bind to search for the naming contexts. It looks like we use 
the first one there which is bad (ticket 
https://fedorahosted.org/freeipa/ticket/1834)
- it attempts a bind with dn uid=,cn=users,cn=accounts,context>


For some reason we convert the LDAP errors into IOErrors, not entirely 
sure why but we should have beefed up logging in any case (ticket 
https://fedorahosted.org/freeipa/ticket/1835)


See what either or both of them is returning and that may provide the 
clues we need to figure it out.


If you still have migration mode enabled you can generate your 
credentials with sssd by logging into the client normally. If migration 
mode is on then sssd will initiate a kerberos password change for you.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server

2011-09-21 Thread Dan Scott

Hi,

I have a FreeIPA 1.2 realm running.

I've installed a new server running 2.1 and migrated the user accounts
across. I've installed a client and am trying to authenticate against
the new server. I get the following errors:

djscott@pc35:~$ kinit
Password for djsc...@example.com:
kinit: Preauthentication failed while getting initial credentials
djscott@pc35:~$

The server krb5kdc log contains the following:

Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH:
djsc...@example.com for krbtgt/example@example.com, Additional
pre-authentication required
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth
(timestamp) verify failure: No matching key in entry
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED:
djsc...@example.com for krbtgtexample@example.com,
Preauthentication failed

I've been to the page:

https://fileserver1.example.com/ipa/migration/

And tried to migrate my password, but I receive:

"There was a problem with your request. Please, try again later. If
the problem persists, contact your administrator."

The same error occurs when I try to authenticate as myself on the
server, although 'id djscott' returns the correct list of groups, so
it appears that LDAP is working, but Kerberos is not. I guess it's
something to do with the password migration?

Anyone know how I can figure out what's going wrong?

Thanks,

Dan Scott

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server

Re: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server

Re: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server

[Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server

4 matches

Site Navigation

Mail list logo

Footer information