[Freeipa-users] sssd client cache timer and merging IPA domains

Lucas Yamanishi lyamanishi at sesda2.com
Thu Aug 16 21:44:33 UTC 2012


On 08/16/2012 05:39 PM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>>
>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>> Lucas Yamanishi wrote:
>>>> I just migrated my IPA instance from one to another a couple days ago to
>>>> recover after a lost CA and failed yum upgrade.  The "ipa migrate-ds"
>>>> tool works very well, though I am having a few very minor issues.  On
>>>> the upside, as far as I can tell, you can skip the steps about Kerberos
>>>> key generation as outlined in the documentation.  I've been able to
>>>> kinit just fine with my migrated users.
>>>>
>>>>
>>>> Below are the few errors I've noticed.
>>>>
>>>> * When I ssh into an enrolled host using a migrated user's credentials I
>>>> get this error:
>>>>
>>>>     id: cannot find name for group ID 104600003\
>>>
>>> Does a group exist with that GID? You can try something like:
>>>
>>> $ ipa group-find --gid=104600003
>>>
>>
>> The group doesn't exist.  The GID is the counterpart to my UID.
> 
> Try adding --private.
> 
> rob
> 

Nope. It doesn't exist.

Other groups migrated.  Why would the private groups fail?

>>
>>
>>>>
>>>> * I see this error in my dirsrv-EXAMPLE/errors log after changing a
>>>> password:
>>>>
>>>>     [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file ipapwd_common.c, line 926]: failed to generate new password history!
>>>
>>> It is a red herring. The default is to have no password history, so we
>>> don't generate any, then we complain that none was made! I actually have
>>> a fix in my tree I plan to propose soon.
>>>
>>> rob
>>>
>>>>
>>>>
>>>> -----
>>>> *question everything*learn something*answer nothing*
>>>> ------------
>>>> Lucas Yamanishi
>>>> ------------------
>>>> Systems Administrator, ADNET Systems, Inc.
>>>> NASA Space and Earth Science Data Analysis (606.9)
>>>> 7515 Mission Drive, Suite A100
>>>> Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
>>>>
>>>> On 08/16/2012 05:00 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> What is the default length of time the sssd daemon on a client caches
>>>>> for once IPA is off line pls?
>>>>>
>>>>> Is there any practical way to take the user info from one ipa
>>>>> instance/domain and import it into another?  I know the client
>>>>> machines will have to have ipa un-installed and resetting users
>>>>> passwords are not biggees I'd just not rather have to input all the
>>>>> groups and hbac rules by hand.
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
> 
> 

-- 
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
