[Freeipa-users] Migration mode

Lukas Slebodnik lslebodn at redhat.com
Mon Mar 10 15:10:24 UTC 2014


On (10/03/14 15:19), Jitse Klomp wrote:
>On 10-03-14 14:59, Jitse Klomp wrote:
>>On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>On (10/03/14 13:55), Jitse Klomp wrote:
>>>>Hello all,
>>>>
>>>>
>>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>migrate-ds I used some custom scripts to import all of our users (~250)
>>>>and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>passwords I configured the ipa-server to run in migration mode and did
>>>>an ldapmodify like this:
>>>>
>>>>    dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>    changetype: modify
>>>>    replace: userPassword
>>>>    userPassword: {SHA}hash
>>>>
>>>>Logging in to a machine running CentOS and ipa-client for the first time
>>>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>>works. However, logging in to Fedora 20 for the first time throws a
>>>>'permission denied'. Logging in to Fedora works after logging in to
>>>>CentOS or the IPA migration web ui.
>>>>
>>>>
>>>>sssd_domain.nl.log, loglevel 6
>>>>Fedora log: http://pastebin.centos.org/8281/
>>>>CentOS log: http://pastebin.centos.org/8286/
>>>>
>>>>
>>>>Additional details:
>>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>>     (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>>     (0x0400): All data has been sent!
>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>>     (0x0400): EOF received, client finished
>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>[be_pam_handler_callback]
>>>     (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>>>                                    ^^^
>>>                                   It means PAM_SYSTEM_ERR /* System error */
>>>
>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>[be_pam_handler_callback]
>>>     (0x0100): Sending result [4][domain.nl]
>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>[be_pam_handler_callback]
>>>     (0x0100): Sent result [4][domain.nl]
>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>>     (0x0100): child [19510] finished successfully.
>>>
>>>>
>>>>Both CentOS and Fedora are fully up-to-date using only the base
>>>>repos. Config of the clients is done with ipa-client-install.
>>>>
>>>
>>>Could you attach log files with debug_level 9?
>>>
>>>LS
>>>
>>
>>Sure. Just sssd_domain or do you need more?
>>
Are you using two different ipa servers?
ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl

>>sssd_domain.nl.log, loglevel 9
>>Fedora: http://pastebin.centos.org/8291/
Constructed uri 'ldap://vm-ipa.domain.nl'

>>CentOS: http://pastebin.centos.org/8296/
Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'

>>
>>  - Jitse
>>
>
>The problem is also present in RHEL7b with
>ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>
>sssd_domain.nl.log, loglevel 9
>RHEL7b: http://pastebin.centos.org/8301/
Constructed uri 'ldap://vm-ipa.domain.nl'

Could you also provide krb5_child.log and ldap_child.log from the Fedora machine?
    (debug_level 9)

LS
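
The two checks made by hand in the message above (reading the PAM status out of the `Backend returned` tuple, and comparing the `Constructed uri` server across clients) can be scripted. This is an added example, not part of the original message or of SSSD; the function names are hypothetical, the Fedora sample is the excerpt quoted in the thread, and the CentOS success line is constructed.

```python
import re

# Linux-PAM return codes (subset of _pam_types.h); 4 is the one seen in the thread.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

URI_RE = re.compile(r"Constructed uri '([^']+)'")
# The second number in the tuple is the PAM status, as the reply points out.
RESULT_RE = re.compile(r"Backend returned: \((\d+), (\d+), ")

def summarize(log_text):
    """Return (sorted server URIs, PAM result names) for one sssd domain log."""
    flat = " ".join(log_text.split())  # undo mail-client line wrapping
    uris = sorted(set(URI_RE.findall(flat)))
    results = [PAM_CODES.get(int(pam), "PAM code " + pam)
               for _, pam in RESULT_RE.findall(flat)]
    return uris, results

def compare_clients(logs):
    """logs maps client name -> log text; flag clients that talk to different servers."""
    report = {name: summarize(text) for name, text in logs.items()}
    all_uris = {u for uris, _ in report.values() for u in uris}
    return report, len(all_uris) > 1

# Excerpt quoted in the thread (Fedora client), wrapped as it appeared in the mail.
FEDORA_LOG = """
(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
     (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
[be_pam_handler_callback]
     (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
[be_pam_handler_callback]
     (0x0100): Sending result [4][domain.nl]
"""

# CentOS client: URI taken from the thread; the success line is constructed.
CENTOS_LOG = """
(Mon Mar  3 22:10:01 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
     (0x0400): Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
(Mon Mar  3 22:10:02 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]
     (0x0100): Backend returned: (0, 0, <NULL>) [Success]
"""

if __name__ == "__main__":
    report, mismatch = compare_clients({"fedora": FEDORA_LOG, "centos": CENTOS_LOG})
    for client, (uris, results) in report.items():
        print(client, uris, results)
    print("clients use different servers:", mismatch)
```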