[Freeipa-users] sssd client cache timer and merging IPA domains
Lucas Yamanishi
lyamanishi at sesda2.com
Mon Aug 20 16:09:03 UTC 2012
On 08/20/2012 08:44 AM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>>
>> On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>>> Lucas Yamanishi wrote:
>>>>
>>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>>>> Lucas Yamanishi wrote:
>>>>>>
>>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>>>> Lucas Yamanishi wrote:
>>>>>>>> I just migrated my IPA instance from one to another a couple days
>>>>>>>> ago to
>>>>>>>> recover after a lost CA and failed yum upgrade. The "ipa
>>>>>>>> migrate-ds"
>>>>>>>> tool works very well, though I am having a few very minor
>>>>>>>> issues. On
>>>>>>>> the upside, as far as I can tell, you can skip the steps about
>>>>>>>> Kerberos
>>>>>>>> key generation as outlined in the documentation. I've been able to
>>>>>>>> kinit just fine with my migrated users.
>>>>>>>>
>>>>>>>>
>>>>>>>> Below are the few errors I've noticed.
>>>>>>>>
>>>>>>>> * When I ssh into an enrolled host using a migrated user's
>>>>>>>> credentials I
>>>>>>>> get this error:
>>>>>>>>
>>>>>>>> id: cannot find name for group ID 104600003\
>>>>>>>
>>>>>>> Does a group exist with that GID? You can try something like:
>>>>>>>
>>>>>>> $ ipa group-find --gid=104600003
>>>>>>>
>>>>>>
>>>>>> The group doesn't exist. The GID is the counterpart to my UID.
>>>>>
>>>>> Try adding --private.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> Nope. It doesn't exist.
>>>>
>>>> Other groups migrated. Why would the private groups fail?
>>>
>>> I don't know, what have you done to date, including versions?
>>>
>>> rob
>> I've been following the stable Scientific Linux releases since 6.1.
>> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The
>> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
>> upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now
>> 2.2.0-16.el6.x86_64.
>>
>> So...
>> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
>> 2.2.0-16.el6.x86_64
>>
>>
>
> Can you verify that managed entries are configured:
>
> # ipa-managed-entries -l
>
> It should return:
>
> UPG Definition
> NGP Definition
>
> This enables user-private groups and netgroup-private groups.
>
> rob
Yes. That returned as expected.
--
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
More information about the Freeipa-users
mailing list