[Freeipa-users] Migration mode

Jakub Hrozek jhrozek at redhat.com
Mon Mar 10 15:10:18 UTC 2014


On Mon, Mar 10, 2014 at 03:19:28PM +0100, Jitse Klomp wrote:
> On 10-03-14 14:59, Jitse Klomp wrote:
> >On 10-03-14 14:35, Lukas Slebodnik wrote:
> >>On (10/03/14 13:55), Jitse Klomp wrote:
> >>>Hello all,
> >>>
> >>>
> >>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
> >>>migrate-ds I used some custom scripts to import all of our users (~250)
> >>>and groups (~85) with IPA commands (ipa user-add etc.). To move
> >>>passwords I configured the ipa-server to run in migration mode and did
> >>>an ldapmodify like this:
> >>>
> >>>    dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
> >>>    changetype: modify
> >>>    replace: userPassword
> >>>    userPassword: {SHA}hash
> >>>
> >>>Logging in to a machine running CentOS and ipa-client for the first time
> >>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
> >>>works. However, logging in to Fedora 20 for the first time throws a
> >>>'permission denied'. Logging in to Fedora works after logging in to
> >>>CentOS or the IPA migration web ui.
> >>>
> >>>
> >>>sssd_domain.nl.log, loglevel 6
> >>>Fedora log: http://pastebin.centos.org/8281/
> >>>CentOS log: http://pastebin.centos.org/8286/
> >>>
> >>>
> >>>Additional details:
> >>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
> >>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
> >>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
> >>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
> >>     (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
> >>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
> >>     (0x0400): All data has been sent!
> >>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
> >>     (0x0400): EOF received, client finished
> >>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>[be_pam_handler_callback]
> >>     (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> >>                                    ^^^
> >>                                   It means  PAM_SYSTEM_ERR /* System
> >>error */
> >>
> >>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>[be_pam_handler_callback]
> >>     (0x0100): Sending result [4][domain.nl]
> >>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>[be_pam_handler_callback]
> >>     (0x0100): Sent result [4][domain.nl]
> >>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
> >>     (0x0100): child [19510] finished successfully.
> >>
> >>>
> >>>Both CentOS and Fedora are fully up-to-date using only the base
> >>>repos. Config of the clients is done with ipa-client-install.
> >>>
> >>
> >>Could you attach log files with debug_level 9?
> >>
> >>LS
> >>
> >
> >Sure. Just sssd_domain or do you need more?
> >
> >sssd_domain.nl.log, loglevel 9
> >Fedora: http://pastebin.centos.org/8291/
> >CentOS: http://pastebin.centos.org/8296/
> >
> >  - Jitse
> >
> 
> The problem is also present in RHEL7b with
> ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
> 
> sssd_domain.nl.log, loglevel 9
> RHEL7b: http://pastebin.centos.org/8301/
> 
>  - Jitse

Any chance you could use the migrate-ds script to migrate users? I'm not
100% sure if your own upgrade method does the same thing.

To further analyze the System Error, we need the krb5_child.log
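
Added example, not part of the original thread: a Python helper that pulls the be_pam_handler_callback results out of an sssd domain log and names the PAM code, which is what Lukas did by hand for the "4" in the quoted log. It strips mail quote markers and re-joins entries wrapped by mail or pastebin; the code table is a subset of Linux-PAM's return codes, and the last two sample entries are constructed.

```python
import re

# Subset of Linux-PAM return codes (numeric values as in Linux-PAM's headers).
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

QUOTE = re.compile(r"^(?:>\s*)+")  # leading mail quote markers such as "> >>"
ENTRY_START = re.compile(r"^\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) ")
RESULT = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+"
    r"\[be_pam_handler_callback\]\s+\(0x[0-9a-f]+\):\s+"
    r"Backend returned: \((?P<dp>\d+), (?P<pam>\d+), ")

def join_wrapped(lines):
    """Strip quote markers and re-join log entries wrapped across lines."""
    entries = []
    for raw in lines:
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)       # a new "(Mon Mar  3 ...)" entry
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def pam_results(lines):
    """Return (timestamp, domain, pam_code, pam_name) per backend result."""
    out = []
    for entry in join_wrapped(lines):
        m = RESULT.match(entry)
        if m:
            code = int(m.group("pam"))  # second field, the one marked ^^^ above
            name = PAM_CODES.get(code, "UNKNOWN")
            out.append((m.group("ts"), m.group("domain"), code, name))
    return out

def pam_failures(lines):
    """Only the results whose PAM code is not PAM_SUCCESS."""
    return [r for r in pam_results(lines) if r[2] != 0]

# First entry is the wrapped one quoted in the thread; the rest are constructed.
SAMPLE = """\
> >>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>[be_pam_handler_callback]
> >>     (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Mar  3 22:20:01 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Mon Mar  3 22:20:01 2014) [sssd[be[domain.nl]]] [child_sig_handler] (0x0100): child [19510] finished successfully.
""".splitlines()
```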



