[Freeipa-users] Migration mode

Rob Crittenden rcritten at redhat.com
Mon Mar 10 17:25:10 UTC 2014


Lukas Slebodnik wrote:
> On (10/03/14 16:58), Lukas Slebodnik wrote:
>> On (10/03/14 16:35), Jitse Klomp wrote:
>>> On 10-03-14 16:10, Lukas Slebodnik wrote:
>>>> On (10/03/14 15:19), Jitse Klomp wrote:
>>>>> On 10-03-14 14:59, Jitse Klomp wrote:
>>>>>> On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>>>>> On (10/03/14 13:55), Jitse Klomp wrote:
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>>
>>>>>>>> I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>>>>> migrate-ds I used some custom scripts to import all of our users (~250)
>>>>>>>> and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>>>>> passwords I configured the ipa-server to run in migration mode and did
>>>>>>>> an ldapmodify like this:
>>>>>>>>
>>>>>>>>     dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>>>>     changetype: modify
>>>>>>>>     replace: userPassword
>>>>>>>>     userPassword: {SHA}hash
>>>>>>>>
>>>>>>>> Logging in to a machine running CentOS and ipa-client for the first time
>>>>>>>> works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
>>>>>>>> works. However, logging in to Fedora 20 for the first time throws a
>>>>>>>> 'permission denied'. Logging in to Fedora works after logging in to
>>>>>>>> CentOS or the IPA migration web ui.
>>>>>>>>
>>>>>>>>
>>>>>>>> sssd_domain.nl.log, loglevel 6
>>>>>>>> Fedora log: http://pastebin.centos.org/8281/
>>>>>>>> CentOS log: http://pastebin.centos.org/8286/
>>>>>>>>
>>>>>>>>
>>>>>>>> Additional details:
>>>>>>>> IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>>>>> Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>>>>> Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>>>>> (Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
>>>>>>>      (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>> (Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
>>>>>>>      (0x0400): All data has been sent!
>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
>>>>>>>      (0x0400): EOF received, client finished
>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>> [be_pam_handler_callback]
>>>>>>>      (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>>>>>>>                                     ^^^
>>>>>>>                                    It means  PAM_SYSTEM_ERR /* System
>>>>>>> error */
>>>>>>>
>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>> [be_pam_handler_callback]
>>>>>>>      (0x0100): Sending result [4][domain.nl]
>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>> [be_pam_handler_callback]
>>>>>>>      (0x0100): Sent result [4][domain.nl]
>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
>>>>>>>      (0x0100): child [19510] finished successfully.
>>>>>>>
>>>>>>>>
>>>>>>>> Both CentOS and Fedora are fully up-to-date using only the base
>>>>>>>> repos. Config of the clients is done with ipa-client-install.
>>>>>>>>
>>>>>>>
>>>>>>> Could you attach log files with debug_level 9?
>>>>>>>
>>>>>>> LS
>>>>>>>
>>>>>>
>>>>>> Sure. Just sssd_domain or do you need more?
>>>>>>
>>>> Are you using two different ipa servers?
>>>> ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>>>>
>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>> Fedora: http://pastebin.centos.org/8291/
>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>
>>>>>> CentOS: http://pastebin.centos.org/8296/
>>>> Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>>>>
>>>>>>
>>>>>>   - Jitse
>>>>>>
>>>>>
>>>>> The problem is also present in RHEL7b with
>>>>> ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>>>>
>>>>> sssd_domain.nl.log, loglevel 9
>>>>> RHEL7b: http://pastebin.centos.org/8301/
>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>
>>>> Could you also provide krb5_child.log and ldap_child.log from fedora machine?
>>>>      (debug_level 9)
>>>>
>>>> LS
>>>>
>>>
>>> No, I'm using only one ipa server (vm-ipa). I accidentally
>>> copy-pasted without changing the domain name ;)
>>>
>>>> Any chance you could use the migrate-ds script to migrate users? I'm
>>>> not 100% sure if your own upgrade method does the same thing..
>>> I don't think so, our old LDAP schema is a mess...
>>>
>>> krb5_child.log: http://pastebin.centos.org/8306/
>>
>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>     1394465217.407384: Getting initial credentials for jitse at DOMAIN.NL
>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>     1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>     1394465217.408202: Sending initial UDP request to dgram 10.14.3.15:88
>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>     1394465217.425034: Received answer from dgram 10.14.3.15:88
>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>     1394465217.425171: Response was from master KDC
>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>     1394465217.425241: Received error from KDC: -1765328361/Password has expired
>> [get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
>> [tgt_req_child] (0x1000): Password was expired
>>
>> It looks like the password is expired for user jitse.
>>
> My hands were faster than my mind.
>
> I wanted to write:
> It looks like the password is expired for user jitse.
> It is really weird because it works on CentOS.
> Do you have synchronized time on all machines with the IPA server?

I'd be curious what the krbPasswordExpiration is for this user.

rob
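The two signals the thread pulls out of the logs (sssd's PAM status 4 and the KDC error -1765328361) and Rob's krbPasswordExpiration question, as a small triage helper; this is an added example, not code from the thread or from FreeIPA/SSSD, and the sample log lines are constructed to mirror the ones quoted above. The PAM and krb5 code tables are partial, and the function names are my own.

```python
import calendar
import re
import time

# Linux-PAM return codes seen in sssd 'Backend returned' lines (4 is PAM_SYSTEM_ERR).
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}
# MIT krb5 error-table base; KDC protocol errors are base + RFC 4120 error number.
KRB5_ERR_BASE = -1765328384
KRB5_KDC_ERRS = {18: "KRB5KDC_ERR_CLIENT_REVOKED", 23: "KRB5KDC_ERR_KEY_EXP",
                 24: "KRB5KDC_ERR_PREAUTH_FAILED", 25: "KRB5KDC_ERR_PREAUTH_REQUIRED"}

BACKEND_RE = re.compile(r"Backend returned: \((\d+), (\d+), ")
KDC_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.+)$")

def pam_result(line):
    """Name of the PAM status in an sssd 'Backend returned: (dp_err, pam_status, msg)' line."""
    m = BACKEND_RE.search(line)
    if not m:
        return None
    code = int(m.group(2))
    return PAM_CODES.get(code, "PAM_CODE_%d" % code)

def kdc_error(line):
    """(symbolic name, message) from a krb5_child 'Received error from KDC' trace line."""
    m = KDC_ERR_RE.search(line)
    if not m:
        return None
    num = int(m.group(1)) - KRB5_ERR_BASE
    return KRB5_KDC_ERRS.get(num, "KRB5_ERR_%d" % num), m.group(2).strip()

def password_expired(krb_password_expiration, now_epoch):
    """True if an LDAP GeneralizedTime krbPasswordExpiration (e.g. '20140301000000Z')
    is at or before now_epoch (UTC seconds, the same unit as the krb5 trace timestamps)."""
    exp = calendar.timegm(time.strptime(krb_password_expiration, "%Y%m%d%H%M%SZ"))
    return exp <= now_epoch

def triage(lines):
    """Collect the last PAM status and KDC error found in a list of log lines."""
    found = {"pam": None, "kdc": None}
    for line in lines:
        found["pam"] = pam_result(line) or found["pam"]
        found["kdc"] = kdc_error(line) or found["kdc"]
    return found

# Constructed sample lines modelled on the thread's sssd and krb5_child output.
SAMPLE = [
    "(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [be_pam_handler_callback]"
    "     (0x0100): Backend returned: (0, 4, <NULL>) [Success]",
    "[sss_child_krb5_trace_cb] (0x4000): [24671]"
    "     1394465217.425241: Received error from KDC: -1765328361/Password has expired",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the expiry comparison is only as good as the clock it runs against, check it with the KDC's time, which is the point of the time-synchronization question above.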
