<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 16/11/2012 12:11 PM, Dmitri Pal wrote: </div> <blockquote cite="mid:50A673CC.1010206@redhat.com" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> On 11/16/2012 10:59 AM, Qing Chang wrote: <blockquote cite="mid:50A662D6.6050308@sri.utoronto.ca" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> just migrated all my user from OpenLDAP and MIT Kerberos to IPA. Out of more than 400 users, there are around 10 that have problem accessing Samba or Dovecot IMAP or ssh. They never have problem login to ipa/ipa/ui/login.html. For Dovecot IMAP following error is generated: ===== Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=uesrid rhost=IP user=userid Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP user=useris Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received for user userid: 4 (System error) </blockquote> Hello Qing There are several things to do: 1) Compare entries of the users that login with no problems and users that have problems. There might be some attributes different (absent/present). That might give a hint of what might be wrong. We have seen some issues in this area related to Samba. 2) Can you please enable the higher debug_level in SSSD and provide the SSSD logs + sssd.conf that would help to see what is going on with the user that is failing. 3) Also if you can describe your environment of how all the parts work together and what are the workflows in which you see the problem/issue. I am personally not familiar with Dovecot in details so I assume that Dovecot is configured to use PAM for the authentication and the snippet above is from that authentication. Is this the correct assumption? Thanks Dmitri </blockquote> Dmitri, appreciate your prompt response. I having being on this thing for past day and a half, I think I now understand the issues and found fix/workaround for them. 1, Samba + IPA: when this attribute sambaPwdLastSet is set to 0, a samba mapping request will cause samba to CLEAR sambaLMPassword and sambaNTPassword attributes, yes, not set password to something, but the attributes are wiped out. This may only apply to my situation because I HAVE to use samba 3.0.23d, a ancient version!! Originally when I migrated users from OpenLDAP, sambaPwdLastSet has a none zero value for every account. As users migrated their password properly, the value was not touch. But, if someone's password has to be reset (too short, forgotten) by us admin user using the UI, sambaPwdLastSet is set to 0. This explains why the problem is not wide spread. Fix/workaround: change sambaPwdLastSet to a sensible value after a password reset by admin. Question: is this a designed behavior for IPA? Or does migrate-mode or not make difference? 2, Dovecot + IPA: it is not an IPA issue but sss cache timeout issue, I read it's 90 min? When a user changes his/her password, the cache usually is not updated, hence problem checking IMAP email with new password. Fix/workaround: \rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb service sssd restart This is really heavy handed, but I can not find the sss_cache utility any where for RHEL 6.3! Question: is there a way to shorten the timeout period? Where can I find sss_cache? I have great confidence in IPA now, big part of it is because of this list!! Many thanks, Qing <blockquote cite="mid:50A673CC.1010206@redhat.com" type="cite"> <blockquote cite="mid:50A662D6.6050308@sri.utoronto.ca" type="cite"> ===== For Samba, it appears that a mapping request never gets to Samba server because nothing is logged for a problematic user ID although I have turned on excessive logging. What is really frustrating is that there is no pattern to be found, even my fellow Sysadmin's ID is also in trouble. Also, in his case, he has no problem with Dovecot. For another user ID Samba works but not Dovecot. It looks to me there might be some problem with sssd on the different servers? BTW, for at least one user, creating a brand new account for samba did not work either, while the trick worked for another user:-(. Please shed some light on this. I don't mind opening a case with RedHat support if necessary. Red Hat Enterprise Linux Server release 6.3 (Santiago) ipa-server.x86_64 2.2.0-16.el6 @rhel-x86_64-server-6 sssd.x86_64 1.8.0-32.el6 @rhel-x86_64-server-6 sssd-client.x86_64 1.8.0-32.el6 @rhel-x86_64-server-6 TIA, Qing <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> </body> </html>