<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/15/2014 04:43 PM, Clint Savage
wrote:<br>
</div>
<blockquote
cite="mid:CAO3ufT=KPw0m-iEgxd6j4LGiPbsxmyLPXTiCzUdzqA6Cc8vtJQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Wed, Oct 15, 2014 at 2:33 PM, Rich
Megginson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"><span class="">On
10/15/2014 02:05 PM, Rob Crittenden wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
Clint Savage wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
$ rpm -q ipa-server<br>
ipa-server-3.3.3-28.el7.centos.1.x86_64<br>
<br>
I was thinking that this might be an issue with the
rhel7 version. I'm<br>
going to be trying the same migration tonight on
rhel6. I know the IPA<br>
version is older, and samba stuff might not work as
it does in 3.3. I<br>
haven't looked in RHEL 6.6 yet to see what version
of IPA is available.<br>
</blockquote>
I tested using a fairly recent IPA master build
(4.1+). I'm not<br>
convinced it is related to any specific version, but
different features<br>
are available so I thought I'd try to duplicate on a
more similar<br>
footing (apples to apples comparision).<br>
<br>
The trick is to try to narrow down what attribute the
LDAP server thinks<br>
already exists. We don't get a very nice error out of
LDAP, like *what*<br>
attribute already exists, for example :-(<br>
<br>
It may be possible to set the 389-ds debug level to
such that you get<br>
some decent output, but trying to find the right
balance of output can<br>
be challenging. See their FAQ troubleshooting section.<br>
</blockquote>
<br>
</span><a moz-do-not-send="true"
href="http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting"
target="_blank">http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting</a><br>
<br>
Try the ARGS (Heavy trace output debugging) level
<div class="">
<div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<br>
rob<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
Clint<br>
<br>
On Wed, Oct 15, 2014 at 1:16 PM, Rob Crittenden
<<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a><br>
<mailto:<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>>>
wrote:<br>
<br>
Ludwig Krispenz wrote:<br>
><br>
> On 10/14/2014 06:58 PM, Clint Savage
wrote:<br>
>> Hi all,<br>
>><br>
>> I've been working on a migration
plan using three custom user<br>
>> objectClasses and one group
objectclass. In my attempt, I've setup an<br>
>> openldap server with the proper
schemas, imported the ldif and have<br>
>> records that look something like
this in ldif format.<br>
>><br>
>><br>
-----------------------------------------------------------------------<br>
>><br>
>> dn: dc=example,dc=com<br>
>> objectClass: top<br>
>> objectClass: domain<br>
>> dc: example<br>
>><br>
>> dn: ou=Groups,dc=example,dc=com<br>
>> objectClass: top<br>
>> objectClass: organizationalunit<br>
>> ou: Groups<br>
>><br>
>> dn: ou=People,dc=example,dc=com<br>
>> objectClass: top<br>
>> objectClass: organizationalunit<br>
>> ou: People<br>
>><br>
>> dn: uid=amyengh,ou=People,dc=example,dc=com<br>
>> objectClass: inetOrgPerson<br>
>> objectClass: posixAccount<br>
>> objectClass: top<br>
>> objectClass: organizationalPerson<br>
>> objectClass: person<br>
>> objectClass: radiusProfile<br>
>> objectClass: sambaSamAccount<br>
>> objectClass: customPersonAttributes<br>
>> cn: Amy Engh<br>
>> gidNumber: 1141801056<br>
>> homeDirectory: /home/amyengh<br>
>> sn: Engh<br>
>> uid: amyengh<br>
>> uidNumber: 1141801056<br>
>> displayName: Amy Engh<br>
>> givenName: Amy<br>
>> loginShell: /sbin/nologin<br>
>> mail: <a moz-do-not-send="true"
href="mailto:amyengh@attask.com" target="_blank">amyengh@attask.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:amyengh@attask.com" target="_blank">amyengh@attask.com</a>><br>
<mailto:<a moz-do-not-send="true"
href="mailto:amyengh@attask.com" target="_blank">amyengh@attask.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:amyengh@attask.com" target="_blank">amyengh@attask.com</a>>><br>
>> userPassword:: REDACTED<br>
>> dialupAccess: yes<br>
>> radiusTunnelMediumType: IEEE-802<br>
>> radiusTunnelPrivateGroupId: 1421<br>
>> radiusTunnelType: VLAN<br>
>> emailPassword:: REDACTED<br>
>> sambaAcctFlags: [U ]<br>
>> sambaLMPassword: REDACTED<br>
>> sambaNTPassword: REDACTED<br>
>> sambaPasswordHistory:<br>
>> 000000000000000000000000000000000000000000000000000000<br>
>> 0000000000<br>
>> sambaPwdLastSet: 1402698001<br>
>> sambaSID: S-1-5-21-2332447373-4108748234-3602490535-3146<br>
>><br>
>> dn: cn=amyengh,ou=Groups,dc=example,dc=com<br>
>> objectClass: top<br>
>> objectClass: posixGroup<br>
>> cn: amyengh<br>
>> gidNumber: 1141801056<br>
>> memberUid: amyengh<br>
>><br>
>> --------------------------------------------------------------------<br>
>><br>
>> I then run the migration (with or
without compat makes no difference)<br>
>> and get the following:<br>
>><br>
>> ipa migrate-ds --with-compat
--user-container="ou=People"<br>
>> --group-container="ou=Groups"
--user-objectclass=posixAccount<br>
>> --group-objectclass=posixgroup
<a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a moz-do-not-send="true"
href="http://192.168.122.210" target="_blank">192.168.122.210</a><br>
<<a moz-do-not-send="true"
href="http://192.168.122.210" target="_blank">http://192.168.122.210</a>><br>
>> <<a moz-do-not-send="true"
href="http://192.168.122.210" target="_blank">http://192.168.122.210</a>>
--bind-dn="cn=Manager,dc=example,dc=com"<br>
>> Password:<br>
>> -----------<br>
>> migrate-ds:<br>
>> -----------<br>
>> Migrated:<br>
>> Failed user:<br>
>> amyengh: Type or value exists:<br>
>> Failed group:<br>
>> amyengh: This entry already
exists.<br>
> "type or value exists" and "This entry
already exists" are just<br>
> explanations of the ldap return code, do
you see anything in the 389 ds<br>
> error logs ?<br>
<br>
I doubt that he would see any errors.<br>
<br>
The entry already existing is because this
isn't his first migration, it<br>
is unrelated.<br>
<br>
I'm not able to reproduce this. What version
of IPA is it?<br>
<br>
rob<br>
<br>
--<br>
Manage your subscription for the
Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
<br>
<br>
</blockquote>
</blockquote>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing
list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
This is what I get in the logs when running the migration:<br>
<br>
==> access <==<br>
[15/Oct/2014:18:35:46 -0400] conn=8 op=166 SRCH
base="idnsName=_tcp,idnsname=<a moz-do-not-send="true"
href="http://example.com">example.com</a>,cn=dns,dc=example,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br>
[15/Oct/2014:18:35:46 -0400] conn=8 op=166 RESULT err=32
tag=101 nentries=0 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 fd=79 slot=79 connection
from 192.168.122.200 to 192.168.122.200<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=960 SRCH
base="dc=example,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/<a
moz-do-not-send="true" href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a>))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags
krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=960 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=961 SRCH
base="dc=example,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/<a
moz-do-not-send="true"
href="mailto:ipa7.example.com@EXAMPLE.COM">ipa7.example.com@EXAMPLE.COM</a>)(krbPrincipalName=ldap/<a
moz-do-not-send="true"
href="mailto:ipa7.example.com@EXAMPLE.COM">ipa7.example.com@EXAMPLE.COM</a>)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags
krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=961 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=962 SRCH base="cn=<a
moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a>,cn=kerberos,dc=example,dc=com"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=962 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=963 SRCH
base="dc=example,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/<a
moz-do-not-send="true"
href="mailto:ipa7.example.com@EXAMPLE.COM">ipa7.example.com@EXAMPLE.COM</a>))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags
krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=963 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=964 SRCH base="cn=<a
moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a>,cn=kerberos,dc=example,dc=com"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=964 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=965 SRCH
base="dc=example,dc=com" scope=2
filter="(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/<a
moz-do-not-send="true"
href="mailto:ipa7.example.com@EXAMPLE.COM">ipa7.example.com@EXAMPLE.COM</a>))"
attrs="objectClass memberPrincipal"<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=965 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=966 SRCH
base="dc=example,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=<a
moz-do-not-send="true" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags
krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=966 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=967 SRCH base="cn=<a
moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a>,cn=kerberos,dc=example,dc=com"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"<br>
[15/Oct/2014:18:35:48 -0400] conn=4 op=967 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=0 BIND dn=""
method=sasl version=3 mech=GSSAPI<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=0 RESULT err=14
tag=97 nentries=0 etime=0, SASL bind in progress<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=1 BIND dn=""
method=sasl version=3 mech=GSSAPI<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=1 RESULT err=14
tag=97 nentries=0 etime=0, SASL bind in progress<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=2 BIND dn=""
method=sasl version=3 mech=GSSAPI<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=2 RESULT err=0 tag=97
nentries=0 etime=0
dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=3 SRCH
base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0
filter="(objectClass=*)" attrs=ALL<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=3 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=4 SRCH
base="cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"
scope=0 filter="(objectClass=*)" attrs="gidNumber cn"<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=4 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=5 SRCH base="cn=UPG
Definition,cn=Definitions,cn=Managed
Entries,cn=etc,dc=example,dc=com" scope=0
filter="(objectClass=*)" attrs="* aci"<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=5 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=6 SRCH
base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0
filter="(objectClass=*)" attrs=ALL<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=6 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=7 SRCH
base="cn=users,cn=accounts,dc=example,dc=com" scope=2
filter="(&(objectClass=krbprincipalaux)(krbPrincipalName=<a
moz-do-not-send="true" href="mailto:amyengh@EXAMPLE.COM">amyengh@EXAMPLE.COM</a>))"
attrs=""<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=7 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=8 ADD
dn="uid=amyengh,cn=users,cn=accounts,dc=example,dc=com", add
values for type objectClass failed<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=8 RESULT err=20
tag=105 nentries=0 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=9 SRCH
base="cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"
scope=0 filter="(objectClass=*)" attrs="gidNumber cn"<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=9 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=10 SRCH base="cn=UPG
Definition,cn=Definitions,cn=Managed
Entries,cn=etc,dc=example,dc=com" scope=0
filter="(objectClass=*)" attrs="* aci"<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=10 RESULT err=0
tag=101 nentries=1 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=11 ADD
dn="cn=amyengh,cn=groups,cn=accounts,dc=example,dc=com"<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=11 RESULT err=68
tag=105 nentries=0 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=12 SRCH
base="cn=users,cn=accounts,dc=example,dc=com" scope=2
filter="(&(objectClass=posixAccount)(!(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com)))"
attrs=""<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=12 RESULT err=0
tag=101 nentries=0 etime=0<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=13 UNBIND<br>
[15/Oct/2014:18:35:48 -0400] conn=606 op=13 fd=79 closed - U1<br>
<br>
</div>
<div class="gmail_extra">It kind of looks like there's some sort
of failure with my gidNumber or cn, but both the user and
group objects have these values. Any idea what is going on
there?<br>
</div>
</div>
</blockquote>
<br>
Did you enable the ARGS level error logging in the errors log? If
so, what's in the errors log?<br>
<br>
</body>
</html>