[Freeipa-devel] [PATCH] 947 fix syntax in 30-s4u2proxy.update

Rob Crittenden rcritten at redhat.com
Wed Feb 15 14:57:49 UTC 2012


Martin Kosek wrote:
> On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
>>>> Remove quotes around a value in 30-s4u2proxy.update. The update was
>>>> failing to apply.
>>>>
>>>> I also noticed that FQDN wasn't being set properly in all cases in
>>>> sub_dict. This should fix it.
>>>>
>>>> rob
>>>
>>> This patch did not apply for me. I guess it depends on some other patch
>>> that fixes wrong DN in s4u2proxy ipaAllowedTargets:
>>>
>>> -default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
>>> +default: ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
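Review bot: the `-` line already carries `cn=s4u2proxy` in the DN, while the update file quoted just below has only `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX`, so this hunk cannot apply to that file as it stands. Either state the prerequisite change in the patch description or fold the DN correction into this patch, so the quote removal and the DN fix land together and the update never writes an `ipaAllowedTarget` pointing at a non-existent entry.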
>>>
>>> Current update file says:
>>>
>>> default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
>>>
>>> which is a non-existent DN.
>>>
>>> Martin
>>>
>>
>> It relies on patch 941
>
> Yeah, that's the one.
>
> I am now testing all the upgrade patches, but s4u2proxy does not work
> for me yet on upgraded server instance (tested on F16). krb5kdc keeps
> reporting decrypt errors:
>
> /var/log/krb5kdc.log:
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
> <unknown client>  for<unknown server>, Decrypt integrity check failed
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
> <unknown client>  for<unknown server>, Decrypt integrity check failed
>
> New installs on the same machine work though. I am still trying to find
> out the root cause of this.
>
> Martin
>

Turned out a stale Apache ccache was in /tmp. I've created a new ticket 
and patch for that.

Martin also noticed that allowedTargets wasn't being set properly on new 
installs. Updated patch attached.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-947-2-upgrade.patch
Type: application/mbox
Size: 7992 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120215/8cd8454f/attachment.mbox>

