[Freeipa-users] Migration mode

Jitse Klomp jitseklomp at gmail.com
Mon Mar 10 15:35:31 UTC 2014


On 10-03-14 16:10, Lukas Slebodnik wrote:
> On (10/03/14 15:19), Jitse Klomp wrote:
>> On 10-03-14 14:59, Jitse Klomp wrote:
>>> On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>> On (10/03/14 13:55), Jitse Klomp wrote:
>>>>> Hello all,
>>>>>
>>>>>
>>>>> I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>> migrate-ds I used some custom scripts to import all of our users (~250)
>>>>> and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>> passwords I configured the ipa-server to run in migration mode and did
>>>>> an ldapmodify like this:
>>>>>
>>>>>     dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>     changetype: modify
>>>>>     replace: userPassword
>>>>>     userPassword: {SHA}hash
>>>>>
>>>>> Logging in to a machine running CentOS and ipa-client for the first time
>>>>> works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>>> works. However, logging in to Fedora 20 for the first time throws a
>>>>> 'permission denied'. Logging in to Fedora works after logging in to
>>>>> CentOS or the IPA migration web ui.
>>>>>
>>>>>
>>>>> sssd_domain.nl.log, loglevel 6
>>>>> Fedora log: http://pastebin.centos.org/8281/
>>>>> CentOS log: http://pastebin.centos.org/8286/
>>>>>
>>>>>
>>>>> Additional details:
>>>>> IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>> Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>> Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>> (Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>>>      (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>> (Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>>>      (0x0400): All data has been sent!
>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>>>      (0x0400): EOF received, client finished
>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>> [be_pam_handler_callback]
>>>>      (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>>>>                                     ^^^
>>>>                                    It means  PAM_SYSTEM_ERR /* System
>>>> error */
>>>>
>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>> [be_pam_handler_callback]
>>>>      (0x0100): Sending result [4][domain.nl]
>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>> [be_pam_handler_callback]
>>>>      (0x0100): Sent result [4][domain.nl]
>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>>>      (0x0100): child [19510] finished successfully.
>>>>
>>>>>
>>>>> Both CentOS and Fedora are fully up-to-date using only the base
>>>>> repos. Config of the clients is done with ipa-client-install.
>>>>>
>>>>
>>>> Could you attach log files with debug_level 9?
>>>>
>>>> LS
>>>>
>>>
>>> Sure. Just sssd_domain or do you need more?
>>>
> Are you using two different ipa servers?
> ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>
>>> sssd_domain.nl.log, loglevel 9
>>> Fedora: http://pastebin.centos.org/8291/
> Constructed uri 'ldap://vm-ipa.domain.nl'
>
>>> CentOS: http://pastebin.centos.org/8296/
> Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>
>>>
>>>   - Jitse
>>>
>>
>> The problem is also present in RHEL7b with
>> ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>
>> sssd_domain.nl.log, loglevel 9
>> RHEL7b: http://pastebin.centos.org/8301/
> Constructed uri 'ldap://vm-ipa.domain.nl'
>
> Could you also provide krb5_child.log and ldap_child.log from fedora machine?
>      (debug_level 9)
>
> LS
>

No, I'm using only one ipa server (vm-ipa). I accidentally copy-pasted 
without changing the domain name ;)

> Any chance you could use the migrate-ds script to migrate users? I'm
> not 100% sure if your own upgrade method does the same thing..
I don't think so, our old LDAP schema is a mess...

krb5_child.log: http://pastebin.centos.org/8306/
ldap_child.log: http://pastebin.centos.org/8311/

  - Jitse
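Generating the ldapmodify input described above for a whole batch of users, as an added example that is not part of this thread or of FreeIPA: it applies the LDIF base64 rule and DN escaping, and reports users whose old hash scheme is not in the accepted list so they can get a password reset instead of a silent import. The sample entries, hashes and base DN are constructed.

```python
import base64

# Constructed sample of an export from the old OpenLDAP directory.
# The hashes are made-up placeholders, not real password digests.
OLD_ENTRIES = [
    ("jitse", "{SHA}EXAMPLEDIGEST0000000000000A="),
    ("anna", "{SSHA}EXAMPLESALTEDDIGEST00000000000000B="),
    ("legacy", "{MD5}EXAMPLEDIGEST00000C=="),  # not in ALLOWED_SCHEMES: reported, not imported
    ("o'brien", "{SHA}EXAMPLEDIGEST0000000000000A="),
]

# {SHA} is what the thread used; {SSHA} is the salted variant 389-ds also
# understands (assumption: trim this to what your old directory really holds).
ALLOWED_SCHEMES = ("{SHA}", "{SSHA}")

def escape_rdn_value(value):
    """Escape a uid for use inside a DN (RFC 4514 special characters)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def ldif_line(attr, value):
    """One LDIF attribute line (RFC 2849): base64 with '::' unless the value is
    a SAFE-STRING (ASCII, no NUL/CR/LF, not starting with space, ':' or '<')."""
    data = value.encode("utf-8")
    safe = all(b < 0x80 and b not in (0x00, 0x0A, 0x0D) for b in data)
    if data and data[0] in (0x20, 0x3A, 0x3C):
        safe = False
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(data).decode('ascii')}"

def hash_scheme(hashed):
    """Return the '{SCHEME}' prefix of a stored password, or '' if none."""
    end = hashed.find("}")
    return hashed[: end + 1] if hashed.startswith("{") and end > 0 else ""

def password_modify_ldif(entries, base_dn="dc=domain,dc=nl"):
    """Build the ldapmodify input for every migratable entry and return it
    together with the uids that were skipped because of their hash scheme."""
    records, skipped = [], []
    for uid, hashed in entries:
        if hash_scheme(hashed) not in ALLOWED_SCHEMES:
            skipped.append(uid)
            continue
        dn = f"uid={escape_rdn_value(uid)},cn=users,cn=accounts,{base_dn}"
        records.append("\n".join([ldif_line("dn", dn), "changetype: modify",
                                  "replace: userPassword",
                                  ldif_line("userPassword", hashed), "-", ""]))
    return "\n".join(records), skipped
```

The output is fed to ldapmodify against a server running in migration mode; the Kerberos keys are only generated at each user's first successful login, as described above.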