[Freeipa-users] sssd client cache timer and merging IPA domains

Lucas Yamanishi lyamanishi at sesda2.com
Wed Aug 29 19:02:30 UTC 2012


On 08/20/2012 12:09 PM, Lucas Yamanishi wrote:
> On 08/20/2012 08:44 AM, Rob Crittenden wrote:
>> Lucas Yamanishi wrote:
>>>
>>> On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>>>> Lucas Yamanishi wrote:
>>>>>
>>>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>>>>> Lucas Yamanishi wrote:
>>>>>>>
>>>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>>>>> Lucas Yamanishi wrote:
>>>>>>>>> I just migrated my IPA instance from one to another a couple days ago to
>>>>>>>>> recover after a lost CA and failed yum upgrade.  The "ipa migrate-ds"
>>>>>>>>> tool works very well, though I am having a few very minor issues.  On
>>>>>>>>> the upside, as far as I can tell, you can skip the steps about Kerberos
>>>>>>>>> key generation as outlined in the documentation.  I've been able to
>>>>>>>>> kinit just fine with my migrated users.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Below are the few errors I've noticed.
>>>>>>>>>
>>>>>>>>> * When I ssh into an enrolled host using a migrated user's credentials I
>>>>>>>>> get this error:
>>>>>>>>>
>>>>>>>>>       id: cannot find name for group ID 104600003\
>>>>>>>>
>>>>>>>> Does a group exist with that GID? You can try something like:
>>>>>>>>
>>>>>>>> $ ipa group-find --gid=104600003
>>>>>>>>
>>>>>>>
>>>>>>> The group doesn't exist.  The GID is the counterpart to my UID.
>>>>>>
>>>>>> Try adding --private.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> Nope. It doesn't exist.
>>>>>
>>>>> Other groups migrated.  Why would the private groups fail?
>>>>
>>>> I don't know, what have you done to date, including versions?
>>>>
>>>> rob
>>> I've been following the stable Scientific Linux releases since 6.1.
>>> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
>>> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
>>> upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
>>> 2.2.0-16.el6.x86_64.
>>>
>>> So...
>>> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
>>> 2.2.0-16.el6.x86_64
>>>
>>>
>>
>> Can you verify that managed entries are configured:
>>
>> # ipa-managed-entries -l
>>
>> It should return:
>>
>> UPG Definition
>> NGP Definition
>>
>> This enables user-private groups and netgroup-private groups.
>>
>> rob
> Yes.  That returned as expected.
> 

The why and how of this aside, is there any easy way to repopulate all
my private groups?

-- 
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A



