[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 4 12:32:36 UTC 2012


On Mon, 04 Jun 2012, Martin Kosek wrote:
>I did another round of testing and this is what I found so far:
>
>1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed
>that)
>
>2) Unit tests need to be updated, currently there is about a dozen test
>case errors, e.g. extra ipakrbprincipalalias attribute in services or
>new ipakrbprincipal objectclass for hosts
Ok, will fix.

>3) Replication did not work too well for me this time.
>ipa-replica-install reported just one issue during installation process:
>
>2012-06-04T09:42:51Z DEBUG   [24/30]: enabling S4U2Proxy delegation
>2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h
>vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D
>cn=Directory Manager -y /tmp/tmppqaAdV
>2012-06-04T09:42:51Z DEBUG stdout=
>2012-06-04T09:42:51Z DEBUG
>stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
>ldapmodify: wrong attributeType at line 5, entry
>"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
>dc=lab,dc=bos,dc=redhat,dc=com"
>
>2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif:
>Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v
>-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV'
>returned non-zero exit status 247
Found and fixed. The issue was in not following RFC 2849 when specifying
multiple changetype operations: you need to split their definitions with a
single line containing '-'.

I squashed the fix back to the original patch.

>But this may be just a symptom of some bigger issue. After the
>installation finished, DS did not start, it kept reporting Kerberos
>issues:
>
>[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial
>credentials for principal
>[ldap/vm-057.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] in keytab
>[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
>[04/Jun/2012:05:46:00 -0400] - slapd started.  Listening on All
>Interfaces port 389 for LDAP requests
>[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for
>LDAPS requests
>[04/Jun/2012:05:46:00 -0400] - Listening
>on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
>[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error:
>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>GSS failure.  Minor code may provide more information (Credentials cache
>file '/tmp/krb5cc_498' not found)) errno 0 (Success)
>[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform
>interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin -
>agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication
>bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
>generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>provide more information (Credentials cache file '/tmp/krb5cc_498' not
>found))
>
>When I run "ipactl restart", dirsrv started and I was able to kinit.
Maybe it is a timing issue?


>4) Patch "Add separate attribute to store trusted domain SID" still has
>a wrong service part of the principal to be removed (s/ldap/cifs):
>
>+        dn3 = DN(u'cn=ipa-cifs-delegation-targets',
>api.env.container_s4u2proxy, self.suffix)
>+        member_principal3 = "ldap/%(fqdn)s@%(realm)s" %
>dict(fqdn=replica, realm=realm)
>+
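Review bot: `member_principal3` is built with the `ldap/` service while `dn3` points at `cn=ipa-cifs-delegation-targets`, so the principal removed on uninstall never matches the `cifs/` one kept in that entry and the CIFS delegation target is left behind; change the format string to `"cifs/%(fqdn)s@%(realm)s"`.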
>
>This leaves the CIFS entry in the S4U2Proxy configuration even after
>replica uninstallation.
Fixed and squashed back to the original patch.

>Btw. these are the packages I use:
>389-ds-base-1.2.10.4-2.fc17.x86_64
>krb5-server-1.10-5.fc17.x86_64
>samba4-4.0.0-123alpha21.fc17.x86_64
Same here. For me anything newer than 1.2.10.4-2 will blow up 389-ds.

-- 
/ Alexander Bokovoy
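The ldapmodify failure discussed above ("wrong attributeType at line 5") is what you get when two RFC 2849 mod-specs in one `changetype: modify` record are not separated by a line holding a single `-`: the parser is still inside the first mod-spec and treats `replace:`/`add:` as an attribute name. The following is an added example, not FreeIPA code and not part of this thread; it is a small pre-flight checker for such LDIF that reports the offending line the way ldapmodify does. The DN suffix, the principal values and the `description` attribute in the two embedded samples are constructed for illustration.

```python
import re

# Constructed sample: a well-formed RFC 2849 modify record with two mod-specs,
# each terminated by a line holding a single '-'.  The DN mirrors the
# s4u2proxy entry named in the thread but with a placeholder suffix.
GOOD_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.com@EXAMPLE.COM
-
replace: description
description: constructed example
-
"""

# Constructed sample: the same record with the '-' separator between the two
# mod-specs dropped, which is the defect the thread describes.
BAD_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.com@EXAMPLE.COM
replace: description
description: constructed example
-
"""

MOD_OPS = ("add", "delete", "replace")
# "attrname: value" (a single optional space after the colon, as in LDIF)
ATTR_VALUE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):\s?(.*)$")


def _unfold(text):
    """Return [(lineno, logical_line)]; a leading space continues the previous line."""
    out = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" ") and out:
            ln, prev = out[-1]
            out[-1] = (ln, prev + raw[1:])
        else:
            out.append((n, raw))
    return out


def parse_modify_records(text):
    """Parse every 'changetype: modify' record in an LDIF string.

    Returns a list of (dn, [(op, attr, [values]), ...]).  Raises ValueError
    naming the offending line when a mod-spec is not closed by '-' before the
    next one starts; the attribute on that line is the "wrong attributeType"
    that ldapmodify complains about.
    """
    # Records are separated by blank lines.
    chunks, cur = [], []
    for item in _unfold(text):
        if item[1].strip() == "":
            if cur:
                chunks.append(cur)
                cur = []
        else:
            cur.append(item)
    if cur:
        chunks.append(cur)

    records = []
    for chunk in chunks:
        n0, first = chunk[0]
        m = ATTR_VALUE_RE.match(first)
        if not m or m.group(1).lower() != "dn":
            raise ValueError(f"line {n0}: record must start with 'dn:'")
        dn = m.group(2)
        if len(chunk) < 2 or chunk[1][1].lower() != "changetype: modify":
            raise ValueError(f"line {n0}: only 'changetype: modify' is handled here")
        mods = []
        current = None  # (op, attr, values) of the mod-spec currently open
        for n, line in chunk[2:]:
            if line == "-":
                if current is None:
                    raise ValueError(f"line {n}: '-' without an open mod-spec")
                mods.append(current)
                current = None
                continue
            m = ATTR_VALUE_RE.match(line)
            if not m:
                raise ValueError(f"line {n}: not an attribute line")
            name, value = m.group(1), m.group(2)
            if current is None:
                if name.lower() not in MOD_OPS:
                    raise ValueError(f"line {n}: expected add/delete/replace, got {name!r}")
                current = (name.lower(), value, [])
            elif name.lower() != current[1].lower():
                raise ValueError(
                    f"line {n}: wrong attributeType {name!r} inside mod-spec for "
                    f"{current[1]!r} (missing '-' separator before this line?)")
            else:
                current[2].append(value)
        if current is not None:
            # RFC 2849 formally requires a closing '-', but common tools accept
            # its absence at the end of a record, so tolerate it here as well.
            mods.append(current)
        records.append((dn, mods))
    return records


def check_ldif(text):
    """Return (ok, message) so the parser can be used as a pre-flight check."""
    try:
        recs = parse_modify_records(text)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{len(recs)} modify record(s) parsed"
```

Running `check_ldif(BAD_LDIF)` reports line 5 with the attribute name `replace`, matching the position ldapmodify reported for the broken replica-s4u2proxy.ldif; running it on the LDIF an installer is about to feed to ldapmodify catches this class of error before it aborts a replica install halfway through.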