[Freeipa-users] Migration mode

Rob Crittenden rcritten at redhat.com
Mon Mar 10 19:14:37 UTC 2014


Jitse Klomp wrote:
> On 10-03-14 18:57, Sumit Bose wrote:
>> On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
>>> On 10-03-14 17:03, Lukas Slebodnik wrote:
>>>> On (10/03/14 16:58), Lukas Slebodnik wrote:
>>>>> On (10/03/14 16:35), Jitse Klomp wrote:
>>>>>> On 10-03-14 16:10, Lukas Slebodnik wrote:
>>>>>>> On (10/03/14 15:19), Jitse Klomp wrote:
>>>>>>>> On 10-03-14 14:59, Jitse Klomp wrote:
>>>>>>>>> On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>>>>>>>> On (10/03/14 13:55), Jitse Klomp wrote:
>>>>>>>>>>> Hello all,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I'm migrating our OpenLDAP-based IdM-system to IPA. Instead
>>>>>>>>>>> of using
>>>>>>>>>>> migrate-ds I used some custom scripts to import all of our
>>>>>>>>>>> users (~250)
>>>>>>>>>>> and groups (~85) with IPA commands (ipa user-add etc.). To move
>>>>>>>>>>> passwords I configured the ipa-server to run in migration
>>>>>>>>>>> mode and did
>>>>>>>>>>> an ldapmodify like this:
>>>>>>>>>>>
>>>>>>>>>>>     dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>>>>>>>     changetype: modify
>>>>>>>>>>>     replace: userPassword
>>>>>>>>>>>     userPassword: {SHA}hash
>>>>>>>>>>>
>>>>>>>>>>> Logging in to a machine running CentOS and ipa-client for the
>>>>>>>>>>> first time
>>>>>>>>>>> works like a charm, a krbPrincipalKey is generated and
>>>>>>>>>>> Kerberos 'just'
>>>>>>>>>>> works. However, logging in to Fedora 20 for the first time
>>>>>>>>>>> throws a
>>>>>>>>>>> 'permission denied'. Logging in to Fedora works after logging
>>>>>>>>>>> in to
>>>>>>>>>>> CentOS or the IPA migration web ui.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> sssd_domain.nl.log, loglevel 6
>>>>>>>>>>> Fedora log: http://pastebin.centos.org/8281/
>>>>>>>>>>> CentOS log: http://pastebin.centos.org/8286/
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Additional details:
>>>>>>>>>>> IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>>>>>>>> Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>>>>>>>> Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>>>>>>>> (Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]]
>>>>>>>>>> [ipa_resolve_callback]
>>>>>>>>>>      (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>> (Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]]
>>>>>>>>>> [write_pipe_handler]
>>>>>>>>>>      (0x0400): All data has been sent!
>>>>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>> [read_pipe_handler]
>>>>>>>>>>      (0x0400): EOF received, client finished
>>>>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>> [be_pam_handler_callback]
>>>>>>>>>>      (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>>>>>>>>>>                                     ^^^
>>>>>>>>>>                                    It means  PAM_SYSTEM_ERR /*
>>>>>>>>>> System
>>>>>>>>>> error */
>>>>>>>>>>
>>>>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>> [be_pam_handler_callback]
>>>>>>>>>>      (0x0100): Sending result [4][domain.nl]
>>>>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>> [be_pam_handler_callback]
>>>>>>>>>>      (0x0100): Sent result [4][domain.nl]
>>>>>>>>>> (Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>> [child_sig_handler]
>>>>>>>>>>      (0x0100): child [19510] finished successfully.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Both CentOS and Fedora are fully up-to-date using only the base
>>>>>>>>>>> repos. Config of the clients is done with ipa-client-install.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Could you attach log files with debug_level 9?
>>>>>>>>>>
>>>>>>>>>> LS
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Sure. Just sssd_domain or do you need more?
>>>>>>>>>
>>>>>>> Are you using two different ipa servers?
>>>>>>> ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>>>>>>>
>>>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>>>> Fedora: http://pastebin.centos.org/8291/
>>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>
>>>>>>>>> CentOS: http://pastebin.centos.org/8296/
>>>>>>> Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>>>>>>>
>>>>>>>>>
>>>>>>>>>   - Jitse
>>>>>>>>>
>>>>>>>>
>>>>>>>> The problem is also present in RHEL7b with
>>>>>>>> ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>>>>>>>
>>>>>>>> sssd_domain.nl.log, loglevel 9
>>>>>>>> RHEL7b: http://pastebin.centos.org/8301/
>>>>>>> Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>
>>>>>>> Could you also provide krb5_child.log and ldap_child.log from
>>>>>>> fedora machine?
>>>>>>>      (debug_level 9)
>>>>>>>
>>>>>>> LS
>>>>>>>
>>>>>>
>>>>>> No, I'm using only one ipa server (vm-ipa). I accidentally
>>>>>> copy-pasted without changing the domain name ;)
>>>>>>
>>>>>>> Any chance you could use the migrate-ds script to migrate users? I'm
>>>>>>> not 100% sure if your own upgrade method does the same thing..
>>>>>> I don't think so, our old LDAP schema is a mess...
>>>>>>
>>>>>> krb5_child.log: http://pastebin.centos.org/8306/
>>>>>
>>>>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>     1394465217.407384: Getting initial credentials for jitse at DOMAIN.NL
>>>>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>     1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
>>>>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>     1394465217.408202: Sending initial UDP request to dgram
>>>>> 10.14.3.15:88
>>>>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>     1394465217.425034: Received answer from dgram 10.14.3.15:88
>>>>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>     1394465217.425171: Response was from master KDC
>>>>> [sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>     1394465217.425241: Received error from KDC:
>>>>> -1765328361/Password has expired
>>>>> [get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
>>>>> [tgt_req_child] (0x1000): Password was expired
>>>>>
>>>>> It looks like the password is expired for user jitse.
>>>>>
>>>> My hands were faster than my mind.
>>>>
>>>> I wanted to write:
>>>> It looks like the password is expired for user jitse.
>>>> It is really weird because it works on Centos.
>>>> Do you have a synchronized time on all machines with ipa server?
>>>>
>>>> LS
>>>
>>> Yes, time is in sync across all machines. I think the most
>>> interesting lines in the log are these:
>>>
>>> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
>>> [sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823:
>>> Processing preauth types: 136, 19, 2, 133
>>>
>>> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
>>> [map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support
>>> for encryption type]
>>>
>>> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
>>> [pack_response_packet] (0x2000): response packet size: [4]
>>>
>>> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
>>> [k5c_send_data] (0x4000): Response sent.
>>>
>>> (Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [main]
>>> (0x0400): krb5_child completed successfully
>>>
>>> This is where krb5_child on fedora just stops working while
>>> krb5_child on CentOS does this: http://pastebin.centos.org/8316/
>>>
>>
>> Can you send the krb5_child.log file with the success from CentOS as
>> well? Looks like we might handle some error codes differently after
>> introducing the sssd_errors code.
>>
>> bye,
>> Sumit
>>
>>>
>>>   - Jitse
>
> That last pastebin (http://pastebin.centos.org/8316/) was krb5_child.log
> from a successful first-time login on centos.
>
>  > I'd be curious what the krbPasswordExpiration is for this user.
> See http://pastebin.centos.org/8321/ for a password migration and output
> of ldapsearch.
>
> Output of ldapsearch *after* logging in to CentOS for the first time:
>      krbPasswordExpiration: 20140310183603Z
>      krbLastPwdChange: 20140310183603Z
>      krbExtraData:: AAITBh5Tcm9vdC9hZG1pbkBBLUVTS1dBRFJBQVQuTkwA
>      krbLastFailedAuth: 20140310185101Z
>      krbLoginFailedCount: 1

The password looks expired to me given that the expiration time is prior 
to the last failed login.

rob
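As an added illustration of the check Rob describes (example code, not part of the thread), this Python snippet parses the ldapsearch attribute lines quoted above, decodes the base64 `krbExtraData` value, and tests whether `krbPasswordExpiration` had already passed at the time recorded in `krbLastFailedAuth`. The sample input is the attribute block from Jitse's message, embedded here as a constructed string.

```python
import base64
from datetime import datetime, timezone

# Constructed sample: the ldapsearch output quoted in the thread above.
LDAP_OUTPUT = """\
krbPasswordExpiration: 20140310183603Z
krbLastPwdChange: 20140310183603Z
krbExtraData:: AAITBh5Tcm9vdC9hZG1pbkBBLUVTS1dBRFJBQVQuTkwA
krbLastFailedAuth: 20140310185101Z
krbLoginFailedCount: 1
"""


def parse_ldif_attrs(text):
    """Parse 'attr: value' lines; 'attr:: value' lines are base64 and yield bytes."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":: " in line:
            name, value = line.split(":: ", 1)
            attrs[name] = base64.b64decode(value)
        elif ": " in line:
            name, value = line.split(": ", 1)
            attrs[name] = value
    return attrs


def parse_generalized_time(value):
    """LDAP GeneralizedTime as IPA/389-ds writes it: YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired_at(attrs, when):
    """True if krbPasswordExpiration is at or before the instant 'when'."""
    exp = attrs.get("krbPasswordExpiration")
    if exp is None:
        return False  # no expiration attribute: the password does not expire
    return parse_generalized_time(exp) <= when


def diagnose(text):
    """Report whether the password was already expired when the last failed auth happened."""
    attrs = parse_ldif_attrs(text)
    failed = attrs.get("krbLastFailedAuth")
    if failed is None:
        return "no failed auth recorded"
    return "expired" if password_expired_at(attrs, parse_generalized_time(failed)) else "valid"
```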
