[Freeipa-users] sssd client cache timer and merging IPA domains

Rob Crittenden rcritten at redhat.com
Thu Aug 16 21:39:39 UTC 2012


Lucas Yamanishi wrote:
>
> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>> Lucas Yamanishi wrote:
>>> I just migrated my IPA instance from one to another a couple days ago to
>>> recover after a lost CA and failed yum upgrade.  The "ipa migrate-ds"
>>> tool works very well, though I am having a few very minor issues.  On
>>> the upside, as far as I can tell, you can skip the steps about Kerberos
>>> key generation as outlined in the documentation.  I've been able to
>>> kinit just fine with my migrated users.
>>>
>>>
>>> Below are the few errors I've noticed.
>>>
>>> * When I ssh into an enrolled host using a migrated user's credentials I
>>> get this error:
>>>
>>>     id: cannot find name for group ID 104600003
>>
>> Does a group exist with that GID? You can try something like:
>>
>> $ ipa group-find --gid=104600003
>>
>
> The group doesn't exist.  The GID is the counterpart to my UID.

Try adding --private.

rob

>
>
>>>
>>> * I see this error in my dirsrv-EXAMPLE/errors log after changing a
>>> password:
>>>
>>>     [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
>>> ipapwd_common.c, line 926]: failed to generate new password history!
>>
>> It is a red herring. The default is to have no password history, so we
>> don't generate any, then we complain that none was made! I actually have
>> a fix in my tree I plan to propose soon.
>>
>> rob
>>
>>>
>>>
>>> -----
>>> *question everything*learn something*answer nothing*
>>> ------------
>>> Lucas Yamanishi
>>> ------------------
>>> Systems Administrator, ADNET Systems, Inc.
>>> NASA Space and Earth Science Data Analysis (606.9)
>>> 7515 Mission Drive, Suite A100
>>> Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
>>>
>>> On 08/16/2012 05:00 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> What is the default length of time the sssd daemon on a client caches
>>>> for once IPA is offline pls?
>>>>
>>>> Is there any practical way to take the user info from one ipa
>>>> instance/domain and import it into another?  I know the client
>>>> machines will have to have ipa un-installed, and resetting users'
>>>> passwords is not a biggie; I'd just rather not have to input all the
>>>> groups and hbac rules by hand.
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>>
>>>
>>>
>>
>>
>




