[Freeipa-users] sssd client cache timer and merging IPA domains

Rob Crittenden rcritten at redhat.com
Wed Aug 29 19:35:13 UTC 2012


Lucas Yamanishi wrote:
> On 08/20/2012 12:09 PM, Lucas Yamanishi wrote:
>> On 08/20/2012 08:44 AM, Rob Crittenden wrote:
>>> Lucas Yamanishi wrote:
>>>>
>>>> On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>>>>> Lucas Yamanishi wrote:
>>>>>>
>>>>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>>>>>> Lucas Yamanishi wrote:
>>>>>>>>
>>>>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>>>>>> Lucas Yamanishi wrote:
>>>>>>>>>> I just migrated my IPA instance from one to another a couple days
>>>>>>>>>> ago to
>>>>>>>>>> recover after a lost CA and failed yum upgrade.  The "ipa
>>>>>>>>>> migrate-ds"
>>>>>>>>>> tool works very well, though I am having a few very minor
>>>>>>>>>> issues.  On
>>>>>>>>>> the upside, as far as I can tell, you can skip the steps about
>>>>>>>>>> Kerberos
>>>>>>>>>> key generation as outlined in the documentation.  I've been able to
>>>>>>>>>> kinit just fine with my migrated users.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Below are the few errors I've noticed.
>>>>>>>>>>
>>>>>>>>>> * When I ssh into an enrolled host using a migrated user's
>>>>>>>>>> credentials I
>>>>>>>>>> get this error:
>>>>>>>>>>
>>>>>>>>>>        id: cannot find name for group ID 104600003\
>>>>>>>>>
>>>>>>>>> Does a group exist with that GID? You can try something like:
>>>>>>>>>
>>>>>>>>> $ ipa group-find --gid=104600003
>>>>>>>>>
>>>>>>>>
>>>>>>>> The group doesn't exist.  The GID is the counterpart to my UID.
>>>>>>>
>>>>>>> Try adding --private.
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>
>>>>>> Nope. It doesn't exist.
>>>>>>
>>>>>> Other groups migrated.  Why would the private groups fail?
>>>>>
>>>>> I don't know, what have you done to date, including versions?
>>>>>
>>>>> rob
>>>> I've been following the stable Scientific Linux releases since 6.1.
>>>> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
>>>> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
>>>> upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
>>>> 2.2.0-16.el6.x86_64.
>>>>
>>>> So...
>>>> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
>>>> 2.2.0-16.el6.x86_64
>>>>
>>>>
>>>
>>> Can you verify that managed entries are configured:
>>>
>>> # ipa-managed-entries -l
>>>
>>> It should return:
>>>
>>> UPG Definition
>>> NGP Definition
>>>
>>> This enables user-private groups and netgroup-private groups.
>>>
>>> rob
>> Yes.  That returned as expected.
>>
>
> The why and how of this aside, is there any easy way to repopulate all
> my private groups?
>

You'll need to use ldapmodify to achieve this, and add the missing 
values to each user and group separately. This should be relatively 
easily scriptable.

Here is what it looks like to convert a single user/group. I created it 
by adding the user with --gid=### and --noprivate, then creating a group 
of the same name and with the gid of the user.

$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
replace: objectclass
objectclass: top
objectclass: posixgroup
objectclass: ipaobject
objectclass: mepManagedEntry
-
add: mepmanagedby
mepmanagedby: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com

modifying entry "cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com"

$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: mepOriginEntry
-
add: mepmanagedentry
mepmanagedentry: cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com

modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"
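One way to turn the per-user/group ldapmodify calls described above into a script, as an added example that is not part of the thread. It assumes the base DN dc=example,dc=com and the cn=users / cn=groups containers under cn=accounts seen in the post; the SAMPLE_* entries are constructed stand-ins for what an ldapsearch of the user and group containers would return, and the output is an LDIF file for ldapmodify. It goes a step beyond the single pair in the post by skipping users that are already linked, users created with --noprivate (gidNumber differs from uidNumber), and name collisions with an ordinary group of a different gid, and by listing private groups that still have to be created first.

```python
"""Plan the ldapmodify changes that re-link migrated IPA users with their
user-private groups.  Added example, not code from the mailing-list post.
Assumed: base DN dc=example,dc=com and the cn=users / cn=groups containers
under cn=accounts; SAMPLE_* entries are constructed, not real data."""
from dataclasses import dataclass, field

BASE_DN = "dc=example,dc=com"  # assumed base DN
USERS_DN = f"cn=users,cn=accounts,{BASE_DN}"
GROUPS_DN = f"cn=groups,cn=accounts,{BASE_DN}"

# Constructed sample directory:
#   alice  - already linked on both sides, must be left untouched
#   tuser1 - private group exists but neither entry carries the mep* linkage
#   bob    - private group missing entirely (create it first, then re-run)
#   carol  - an ordinary group with a different gid shares her name
#   svc    - added with --noprivate and a shared gid: not a UPG candidate
SAMPLE_USERS = [
    {"uid": "alice", "uidNumber": 104600001, "gidNumber": 104600001,
     "objectClass": ["posixaccount", "mepOriginEntry"]},
    {"uid": "tuser1", "uidNumber": 104600003, "gidNumber": 104600003,
     "objectClass": ["posixaccount"]},
    {"uid": "bob", "uidNumber": 104600007, "gidNumber": 104600007,
     "objectClass": ["posixaccount"]},
    {"uid": "carol", "uidNumber": 104600009, "gidNumber": 104600009,
     "objectClass": ["posixaccount"]},
    {"uid": "svc", "uidNumber": 104600011, "gidNumber": 5000,
     "objectClass": ["posixaccount"]},
]
SAMPLE_GROUPS = [
    {"cn": "alice", "gidNumber": 104600001,
     "objectClass": ["top", "posixgroup", "ipaobject", "mepManagedEntry"]},
    {"cn": "tuser1", "gidNumber": 104600003,
     "objectClass": ["top", "posixgroup", "ipaobject"]},
    {"cn": "carol", "gidNumber": 5001,
     "objectClass": ["top", "posixgroup", "ipaobject", "groupofnames"]},
]


def _classes(entry):
    """Object class names compared case-insensitively, as LDAP does."""
    return {c.lower() for c in entry.get("objectClass", [])}


def is_upg_candidate(user):
    """A user-private group carries the same number as the user's uidNumber."""
    return user["uidNumber"] == user["gidNumber"]


def group_link_ldif(uid):
    """First ldapmodify from the post, but adding only the missing objectclass
    rather than replacing the whole list, so extra classes on the group survive."""
    return "\n".join([
        f"dn: cn={uid},{GROUPS_DN}",
        "changetype: modify",
        "add: objectclass",
        "objectclass: mepManagedEntry",
        "-",
        "add: mepmanagedby",
        f"mepmanagedby: uid={uid},{USERS_DN}",
        "",
    ])


def user_link_ldif(uid):
    """Second ldapmodify from the post: point the user at its private group."""
    return "\n".join([
        f"dn: uid={uid},{USERS_DN}",
        "changetype: modify",
        "add: objectclass",
        "objectclass: mepOriginEntry",
        "-",
        "add: mepmanagedentry",
        f"mepmanagedentry: cn={uid},{GROUPS_DN}",
        "",
    ])


@dataclass
class Plan:
    missing_groups: list = field(default_factory=list)  # (uid, gid) to create
    conflicts: list = field(default_factory=list)       # uids needing review
    ldif: str = ""                                      # for ldapmodify -f


def build_plan(users, groups):
    """Decide, per user/group pair, what still needs doing."""
    by_cn = {g["cn"]: g for g in groups}
    plan, parts = Plan(), []
    for user in users:
        if not is_upg_candidate(user):
            continue
        uid = user["uid"]
        group = by_cn.get(uid)
        if group is None:
            plan.missing_groups.append((uid, user["gidNumber"]))
            continue
        if group["gidNumber"] != user["gidNumber"]:
            plan.conflicts.append(uid)  # same name, different gid: not a UPG
            continue
        if "mepmanagedentry" not in _classes(group):
            parts.append(group_link_ldif(uid))
        if "meporiginentry" not in _classes(user):
            parts.append(user_link_ldif(uid))
    plan.ldif = "\n".join(parts)  # blank line separates LDIF records
    return plan


if __name__ == "__main__":
    plan = build_plan(SAMPLE_USERS, SAMPLE_GROUPS)
    for uid, gid in plan.missing_groups:
        print(f"# create first: ipa group-add --gid={gid} {uid}")
    for uid in plan.conflicts:
        print(f"# review by hand: group {uid} exists with a different gid")
    print(plan.ldif, end="")
```

Run it with the real entries in place of the samples, save the printed LDIF to a file and feed it to `ldapmodify -Y GSSAPI -f plan.ldif`; the `#` lines are LDIF comments and are ignored. The group change uses `add: objectclass` instead of the `replace:` in the post so that a group carrying additional object classes is not stripped of them.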