[Freeipa-users] Migration mode

Jitse Klomp jitseklomp at gmail.com
Mon Mar 10 13:59:44 UTC 2014


On 10-03-14 14:35, Lukas Slebodnik wrote:
> On (10/03/14 13:55), Jitse Klomp wrote:
>> Hello all,
>>
>>
>> I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>> migrate-ds I used some custom scripts to import all of our users (~250)
>> and groups (~85) with IPA commands (ipa user-add etc.). To move
>> passwords I configured the ipa-server to run in migration mode and did
>> an ldapmodify like this:
>>
>>     dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>     changetype: modify
>>     replace: userPassword
>>     userPassword: {SHA}hash
>>
>> Logging in to a machine running CentOS and ipa-client for the first time
>> works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>> works. However, logging in to Fedora 20 for the first time throws a
>> 'permission denied'. Logging in to Fedora works after logging in to
>> CentOS or the IPA migration web ui.
>>
>>
>> sssd_domain.nl.log, loglevel 6
>> Fedora log: http://pastebin.centos.org/8281/
>> CentOS log: http://pastebin.centos.org/8286/
>>
>>
>> Additional details:
>> IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>> Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>> Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
> (Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>      (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
> (Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>      (0x0400): All data has been sent!
> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>      (0x0400): EOF received, client finished
> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>      (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>                                     ^^^
>                                    It means  PAM_SYSTEM_ERR /* System error */
>
> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>      (0x0100): Sending result [4][domain.nl]
> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
>      (0x0100): Sent result [4][domain.nl]
> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>      (0x0100): child [19510] finished successfully.
>
>>
>> Both CentOS and Fedora are fully up-to-date using only the base
>> repos. Config of the clients is done with ipa-client-install.
>>
>
> Could you attach log files with debug_level 9?
>
> LS
>

Sure. Just sssd_domain or do you need more?

sssd_domain.nl.log, loglevel 9
Fedora: http://pastebin.centos.org/8291/
CentOS: http://pastebin.centos.org/8296/

  - Jitse
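
An added example, not part of the original thread: a small Python parser for the sssd backend log lines quoted above. It re-joins the wrapped entries and decodes the second number in `Backend returned: (0, 4, <NULL>)` as a PAM status, so a non-zero status printed next to a `[Success]` label is not overlooked. The function names, the subset of PAM codes and the last sample entry are assumptions made for illustration.

```python
import re

# Subset of Linux-PAM return codes (assumed sufficient for triage).
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

# An sssd debug entry starts with "(Mon Mar  3 22:15:43 2014) ".
ENTRY_START = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\) ")
RETURNED = re.compile(
    r"\[be_pam_handler_callback\] \(0x[0-9a-f]+\): Backend returned: "
    r"\((?P<dp>\d+), (?P<pam>\d+), (?P<msg>[^)]*)\) \[(?P<label>[^\]]*)\]")

# First three entries are copied from the thread; the last one is constructed.
SAMPLE = """\
(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
     (0x0400): EOF received, client finished
(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
     (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
     (0x0100): Sending result [4][domain.nl]
(Mon Mar  3 22:16:10 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
     (0x0100): Backend returned: (0, 0, <NULL>) [Success]
"""

def join_wrapped(lines):
    """Re-join entries whose tail was wrapped onto an indented line."""
    entries = []
    for raw in lines:
        line = raw.rstrip()
        if ENTRY_START.match(line):
            entries.append(line)
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries

def pam_results(text):
    """Return one dict per 'Backend returned' entry, with the PAM status decoded."""
    results = []
    for entry in join_wrapped(text.splitlines()):
        m = RETURNED.search(entry)
        if m:
            code = int(m.group("pam"))
            results.append({"time": ENTRY_START.match(entry).group("ts"),
                            "pam_status": code,
                            "pam_name": PAM_CODES.get(code, "UNKNOWN(%d)" % code),
                            "failed": code != 0})
    return results

if __name__ == "__main__":
    for r in pam_results(SAMPLE):
        print(r["time"], r["pam_name"], "FAILED" if r["failed"] else "ok")
```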
