[Freeipa-users] sssd client cache timer and merging IPA domains

Lucas Yamanishi lyamanishi at sesda2.com
Mon Aug 20 16:09:03 UTC 2012 

On 08/20/2012 08:44 AM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>>
>> On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>>> Lucas Yamanishi wrote:
>>>>
>>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>>>> Lucas Yamanishi wrote:
>>>>>>
>>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>>>> Lucas Yamanishi wrote:
>>>>>>>> I just migrated my IPA instance from one to another a couple days
>>>>>>>> ago to
>>>>>>>> recover after a lost CA and failed yum upgrade.  The "ipa
>>>>>>>> migrate-ds"
>>>>>>>> tool works very well, though I am having a few very minor
>>>>>>>> issues.  On
>>>>>>>> the upside, as far as I can tell, you can skip the steps about
>>>>>>>> Kerberos
>>>>>>>> key generation as outlined in the documentation.  I've been able to
>>>>>>>> kinit just fine with my migrated users.
>>>>>>>>
>>>>>>>>
>>>>>>>> Below are the few errors I've noticed.
>>>>>>>>
>>>>>>>> * When I ssh into an enrolled host using a migrated user's
>>>>>>>> credentials I
>>>>>>>> get this error:
>>>>>>>>
>>>>>>>>       id: cannot find name for group ID 104600003\
>>>>>>>
>>>>>>> Does a group exist with that GID? You can try something like:
>>>>>>>
>>>>>>> $ ipa group-find --gid=104600003
>>>>>>>
>>>>>>
>>>>>> The group doesn't exist.  The GID is the counterpart to my UID.
>>>>>
>>>>> Try adding --private.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> Nope. It doesn't exist.
>>>>
>>>> Other groups migrated.  Why would the private groups fail?
>>>
>>> I don't know, what have you done to date, including versions?
>>>
>>> rob
>> I've been following the stable Scientific Linux releases since 6.1.
>> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
>> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
>> upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
>> 2.2.0-16.el6.x86_64.
>>
>> So...
>> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
>> 2.2.0-16.el6.x86_64
>>
>>
> 
> Can you verify that managed entries are configured:
> 
> # ipa-managed-entries -l
> 
> It should return:
> 
> UPG Definition
> NGP Definition
> 
> This enables user-private groups and netgroup-private groups.
> 
> rob
Yes.  That returned as expected.

-- 
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

More information about the Freeipa-users mailing list