<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 16/11/2012 12:11 PM, Dmitri Pal
wrote:<br>
</div>
<blockquote cite="mid:50A673CC.1010206@redhat.com" type="cite">
On 11/16/2012 10:59 AM, Qing Chang wrote:
<blockquote cite="mid:50A662D6.6050308@sri.utoronto.ca"
type="cite">
I just migrated all my users from OpenLDAP and MIT Kerberos to IPA.<br>
<br>
Out of more than 400 users, there are around 10 that have problems
accessing Samba or Dovecot IMAP or ssh.<br>
<br>
They never have problems logging in to ipa/ipa/ui/login.html.<br>
<br>
For Dovecot IMAP the following error is generated:<br>
=====<br>
Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot
ruser=uesrid rhost=IP user=userid<br>
Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot
ruser=userid rhost=IP user=useris<br>
Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received
for user userid: 4 (System error)<br>
</blockquote>
<br>
Hello Qing<br>
<br>
There are several things to do:<br>
1) Compare entries of the users that login with no problems and
users that have problems. There might be some attributes different
(absent/present). That might give a hint of what might be wrong.
We have seen some issues in this area related to Samba.<br>
2) Can you please enable the higher debug_level in SSSD and
provide the SSSD logs + sssd.conf that would help to see what is
going on with the user that is failing.<br>
3) Also, if you can, describe your environment: how all the parts
work together and what the workflows are in which you see the
problem/issue. I am personally not familiar with Dovecot in
detail, so I assume that Dovecot is configured to use PAM for the
authentication and the snippet above is from that authentication.
Is this the correct assumption?<br>
<br>
Thanks<br>
Dmitri<br>
<br>
</blockquote>
Dmitri,<br>
<br>
I appreciate your prompt response. I have been on this for the
past day and a half,<br>
and I think I now understand the issues and have found a fix/workaround for
them.<br>
<br>
1, Samba + IPA: when the attribute sambaPwdLastSet is set to 0, a
samba mapping request will cause samba to CLEAR the sambaLMPassword and
sambaNTPassword attributes. Yes, it does not set the password to something;
the attributes are wiped out.<br>
This may only apply to my situation because I HAVE to use samba
3.0.23d, an ancient version!! Originally, when I migrated users from
OpenLDAP, sambaPwdLastSet had a non-zero value for every account.
As users migrated their passwords properly, the value was not touched.
But if someone's password has to be reset (too short, forgotten)
by us admin users using the UI, sambaPwdLastSet is set to 0. This
explains why the problem is not widespread.<br>
Fix/workaround: change sambaPwdLastSet to a sensible value after
a password reset by admin.<br>
Question: is this designed behavior for IPA? Or does
migrate-mode or not make a difference?<br>
<br>
2, Dovecot + IPA: it is not an IPA issue but an sss cache timeout
issue; I read it's 90 min?<br>
When a user changes his/her password, the cache usually is not
updated, hence the problem checking IMAP email with the new password.<br>
Fix/workaround:<br>
\rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb<br>
service sssd restart<br>
This is really heavy handed, but I cannot find the sss_cache
utility anywhere for RHEL 6.3!<br>
Question: is there a way to shorten the timeout period? Where
can I find sss_cache?<br>
<br>
I have great confidence in IPA now, and a big part of it is because of
this list!!<br>
<br>
Many thanks,<br>
<br>
Qing<br>
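An added check for item 1 above (example code written for this page; it is not code from the thread, from FreeIPA or from Samba): it reads an LDIF export of the user container, flags every sambaSamAccount entry whose sambaPwdLastSet is 0, reports whether the NT hash is already gone, and writes the ldapmodify LDIF that applies the "set it to a sensible value" workaround. The embedded LDIF, its DNs, uids and hash strings are constructed for the example; reading the export from stdin is an assumption about how you would feed it.<br>

```python
"""Flag sambaSamAccount entries with sambaPwdLastSet = 0 in an LDIF export and
emit a corrective ldapmodify LDIF (added example; not code from the thread)."""
import time

# Constructed sample LDIF; DNs, uids and hash values are made up for this example.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
objectClass: posixAccount
objectClass: sambaSamAccount
sambaPwdLastSet: 1352990000
sambaNTPassword: 00000000000000000000000000000000

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
objectClass: posixAccount
objectClass: sambaSamAccount
sambaPwdLastSet: 0

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
objectClass: posixAccount
objectClass: sambaSamAccount
sambaPwdLastSet: 0
sambaNTPassword: 11111111111111111111111111111111

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
uid: dave
objectClass: posixAccount
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines (leading space), split
    records on blank lines, return a list of {attribute: [values]} dicts.
    Base64 (':: ') values are kept verbatim; none of the attributes checked
    here are base64-encoded in a normal export."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_affected(entries):
    """Return (dn, uid, nt_hash_missing) for every sambaSamAccount entry whose
    sambaPwdLastSet is exactly 0, the state the thread says an admin password
    reset leaves behind. Entries without the attribute are not reported."""
    affected = []
    for entry in entries:
        if "sambaSamAccount" not in entry.get("objectClass", []):
            continue
        if entry.get("sambaPwdLastSet", [None])[0] != "0":
            continue
        affected.append((
            entry["dn"][0],
            entry.get("uid", ["?"])[0],
            "sambaNTPassword" not in entry,
        ))
    return affected


def corrective_ldif(affected, now=None):
    """Build one ldapmodify record per affected entry that replaces
    sambaPwdLastSet with the current epoch time (the 'sensible value'
    workaround). `now` is injectable so the output is reproducible."""
    now = int(time.time()) if now is None else now
    records = []
    for dn, _uid, _missing in affected:
        records.append(
            f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: sambaPwdLastSet\n"
            f"sambaPwdLastSet: {now}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    import sys
    # Assumption: an ldapsearch LDIF export is piped in; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    hits = find_affected(parse_ldif(text))
    for dn, uid, missing in hits:
        state = "MISSING" if missing else "present"
        print(f"# {uid}: sambaPwdLastSet=0, NT hash {state}", file=sys.stderr)
    sys.stdout.write(corrective_ldif(hits))
```

Review the flagged uids on stderr before applying the LDIF on stdout with ldapmodify. Entries reported with the NT hash already missing will still need a password change to repopulate it; restoring sambaPwdLastSet only stops the next mapping request from wiping anything else.<br>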
<blockquote cite="mid:50A673CC.1010206@redhat.com" type="cite">
<blockquote cite="mid:50A662D6.6050308@sri.utoronto.ca"
type="cite"> =====<br>
<br>
For Samba, it appears that a mapping request never gets to Samba
server because<br>
nothing is logged for a problematic user ID although I have
turned on excessive logging.<br>
<br>
What is really frustrating is that there is no pattern to be
found, even my fellow<br>
Sysadmin's ID is also in trouble. <br>
<br>
Also, in his case, he has no problem with Dovecot. For another
user ID Samba works<br>
but not Dovecot. It looks to me that there might be some problem with
sssd on the<br>
different servers?<br>
<br>
BTW, for at least one user, creating a brand new account for
samba did not work either,<br>
while the trick worked for another user :-(<br>
<br>
Please shed some light on this. I don't mind opening a case with
RedHat support <br>
if necessary.<br>
<br>
<font color="#cc0000">Red Hat Enterprise Linux Server release
6.3 (Santiago)</font><br>
<font color="#cc0000">ipa-server.x86_64
2.2.0-16.el6 @rhel-x86_64-server-6<br>
sssd.x86_64 1.8.0-32.el6
@rhel-x86_64-server-6<br>
sssd-client.x86_64 1.8.0-32.el6
@rhel-x86_64-server-6<br>
</font> <br>
TIA,<br>
Qing<br>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
<br>
</blockquote>
<br>
</body>
</html>