[Freeipa-users] Migration mode

Sumit Bose sbose at redhat.com
Mon Mar 10 19:34:16 UTC 2014


On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote:
> On 10-03-14 18:57, Sumit Bose wrote:
> >On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
> >>On 10-03-14 17:03, Lukas Slebodnik wrote:
> >>>On (10/03/14 16:58), Lukas Slebodnik wrote:
> >>>>On (10/03/14 16:35), Jitse Klomp wrote:
> >>>>>On 10-03-14 16:10, Lukas Slebodnik wrote:
> >>>>>>On (10/03/14 15:19), Jitse Klomp wrote:
> >>>>>>>On 10-03-14 14:59, Jitse Klomp wrote:
> >>>>>>>>On 10-03-14 14:35, Lukas Slebodnik wrote:
> >>>>>>>>>On (10/03/14 13:55), Jitse Klomp wrote:
> >>>>>>>>>>Hello all,
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
> >>>>>>>>>>migrate-ds I used some custom scripts to import all of our users (~250)
> >>>>>>>>>>and groups (~85) with IPA commands (ipa user-add etc.). To move
> >>>>>>>>>>passwords I configured the ipa-server to run in migration mode and did
> >>>>>>>>>>an ldapmodify like this:
> >>>>>>>>>>
> >>>>>>>>>>    dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
> >>>>>>>>>>    changetype: modify
> >>>>>>>>>>    replace: userPassword
> >>>>>>>>>>    userPassword: {SHA}hash
> >>>>>>>>>>
> >>>>>>>>>>Logging in to a machine running CentOS and ipa-client for the first time
> >>>>>>>>>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
> >>>>>>>>>>works. However, logging in to Fedora 20 for the first time throws a
> >>>>>>>>>>'permission denied'. Logging in to Fedora works after logging in to
> >>>>>>>>>>CentOS or the IPA migration web ui.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>sssd_domain.nl.log, loglevel 6
> >>>>>>>>>>Fedora log: http://pastebin.centos.org/8281/
> >>>>>>>>>>CentOS log: http://pastebin.centos.org/8286/
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>Additional details:
> >>>>>>>>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
> >>>>>>>>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
> >>>>>>>>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
> >>>>>>>>>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
> >>>>>>>>>     (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>>>>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
> >>>>>>>>>     (0x0400): All data has been sent!
> >>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
> >>>>>>>>>     (0x0400): EOF received, client finished
> >>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>>>>>>>>[be_pam_handler_callback]
> >>>>>>>>>     (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> >>>>>>>>>                                    ^^^
> >>>>>>>>>                                   It means PAM_SYSTEM_ERR /* System error */
> >>>>>>>>>
> >>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>>>>>>>>[be_pam_handler_callback]
> >>>>>>>>>     (0x0100): Sending result [4][domain.nl]
> >>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>>>>>>>>[be_pam_handler_callback]
> >>>>>>>>>     (0x0100): Sent result [4][domain.nl]
> >>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
> >>>>>>>>>     (0x0100): child [19510] finished successfully.
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>Both CentOS and Fedora are fully up-to-date using only the base
> >>>>>>>>>>repos. Config of the clients is done with ipa-client-install.
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>Could you attach log files with debug_level 9?
> >>>>>>>>>
> >>>>>>>>>LS
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>Sure. Just sssd_domain or do you need more?
> >>>>>>>>
> >>>>>>Are you using two different ipa servers?
> >>>>>>ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
> >>>>>>
> >>>>>>>>sssd_domain.nl.log, loglevel 9
> >>>>>>>>Fedora: http://pastebin.centos.org/8291/
> >>>>>>Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>
> >>>>>>>>CentOS: http://pastebin.centos.org/8296/
> >>>>>>Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
> >>>>>>
> >>>>>>>>
> >>>>>>>>  - Jitse
> >>>>>>>>
> >>>>>>>
> >>>>>>>The problem is also present in RHEL7b with
> >>>>>>>ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
> >>>>>>>
> >>>>>>>sssd_domain.nl.log, loglevel 9
> >>>>>>>RHEL7b: http://pastebin.centos.org/8301/
> >>>>>>Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>
> >>>>>>Could you also provide krb5_child.log and ldap_child.log from fedora machine?
> >>>>>>     (debug_level 9)
> >>>>>>
> >>>>>>LS
> >>>>>>
> >>>>>
> >>>>>No, I'm using only one ipa server (vm-ipa). I accidentally
> >>>>>copy-pasted without changing the domain name ;)
> >>>>>
> >>>>>>Any chance you could use the migrate-ds script to migrate users? I'm
> >>>>>>not 100% sure if your own upgrade method does the same thing..
> >>>>>I don't think so, our old LDAP schema is a mess...
> >>>>>
> >>>>>krb5_child.log: http://pastebin.centos.org/8306/
> >>>>
> >>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>    1394465217.407384: Getting initial credentials for jitse at DOMAIN.NL
> >>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>    1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
> >>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>    1394465217.408202: Sending initial UDP request to dgram 10.14.3.15:88
> >>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>    1394465217.425034: Received answer from dgram 10.14.3.15:88
> >>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>    1394465217.425171: Response was from master KDC
> >>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>    1394465217.425241: Received error from KDC: -1765328361/Password has expired
> >>>>[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
> >>>>[tgt_req_child] (0x1000): Password was expired
> >>>>
> >>>>It looks like the password is expired for user jitse.
> >>>>
> >>>My hands were faster than my mind.
> >>>
> >>>I wanted to write:
> >>>It looks like the password is expired for user jitse.
> >>>It is really weird because it works on Centos.
> >>>Do you have a synchronized time on all machines with ipa server?
> >>>
> >>>LS
> >>
> >>Yes, time is in sync across all machines. I think the most
> >>interesting lines in the log are these:
> >>
> >>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
> >>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823:
> >>Processing preauth types: 136, 19, 2, 133
> >>
> >>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
> >>[map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support
> >>for encryption type]
> >>
> >>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
> >>[pack_response_packet] (0x2000): response packet size: [4]
> >>
> >>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
> >>[k5c_send_data] (0x4000): Response sent.
> >>
> >>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [main]
> >>(0x0400): krb5_child completed successfully
> >>
> >>This is where krb5_child on fedora just stops working while
> >>krb5_child on CentOS does this: http://pastebin.centos.org/8316/
> >>
> >
> >Can you send the krb5_child.log file with the success from CentOS as
> >well? Looks like we might handle some error codes differently after
> >introducing the sssd_errors code.
> >
> >bye,
> >Sumit
> >
> >>
> >>  - Jitse
> 
> That last pastebin (http://pastebin.centos.org/8316/) was
> krb5_child.log from a successful first-time login on CentOS.

Thanks. Can you try to set 'allow_weak_crypto = true' in the libdefaults
section of krb5.conf on F20 or RHEL7?

bye,
Sumit

> 
> > I'd be curious what the krbPasswordExpiration is for this user.
> See http://pastebin.centos.org/8321/ for a password migration and
> output of ldapsearch.
> 
> Output of ldapsearch *after* logging in to CentOS for the first time:
>     krbPasswordExpiration: 20140310183603Z
>     krbLastPwdChange: 20140310183603Z
>     krbExtraData:: AAITBh5Tcm9vdC9hZG1pbkBBLUVTS1dBRFJBQVQuTkwA
>     krbLastFailedAuth: 20140310185101Z
>     krbLoginFailedCount: 1
> 
>  - Jitse
> 
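Two things in this thread are worth having in runnable form: the migration-mode
userPassword modify that Jitse posted (the RFC 2307 "{SHA}" form), and a way to
read the krb5_child / sssd_be debug output so the error that actually stopped
the login (KDC "Password has expired", then "Program lacks support for
encryption type", then PAM status 4) is visible at a glance. The script below is
an added example written for this page; it is not code from the thread, from
FreeIPA or from SSSD. The Kerberos code names are derived from the com_err base
ERROR_TABLE_BASE_krb5 (-1765328384) plus the table offsets, which is why they
match the two numbers in the log; the sample log lines are constructed from the
excerpts quoted above, and the uid/base DN are taken from Jitse's ldapmodify.

```python
"""Migration-mode helpers for the FreeIPA thread above.

Added example, not part of the original thread or of FreeIPA/SSSD.
"""
import base64
import hashlib
import re

# Kerberos com_err codes: ERROR_TABLE_BASE_krb5 plus the table offset.
# Offset 23 is KRB5KDC_ERR_KEY_EXP ("Password has expired"), offset 150 is
# KRB5_PROG_ETYPE_NOSUPP ("Program lacks support for encryption type");
# these give exactly the -1765328361 and -1765328234 seen in krb5_child.log.
KRB5_ERROR_BASE = -1765328384
KRB5_ERRORS = {
    KRB5_ERROR_BASE + 23: "KRB5KDC_ERR_KEY_EXP",
    KRB5_ERROR_BASE + 150: "KRB5_PROG_ETYPE_NOSUPP",
}

# PAM status values as returned in "Backend returned: (x, STATUS, ...)".
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 7: "PAM_AUTH_ERR"}


def sha_userpassword(password: str) -> str:
    """Return an RFC 2307 '{SHA}' userPassword value: base64(SHA-1(password)).

    This is the scheme in the ldapmodify from the thread.  In a real migration
    you copy the hash the old directory already holds rather than hashing a
    cleartext; the function exists so the LDIF builder can be exercised.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def migration_ldif(uid: str, base_dn: str, userpassword: str) -> str:
    """Build the ldapmodify record that replaces userPassword on an IPA user.

    Only accepted while the server is in migration mode; IPA then generates
    krbPrincipalKey from the cleartext on the user's first successful bind.
    """
    dn = f"uid={uid},cn=users,cn=accounts,{base_dn}"
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: userPassword", f"userPassword: {userpassword}", ""])


# Patterns for the three kinds of lines that matter in the debug logs.
_KDC_ERR = re.compile(r"Received error from KDC: (-?\d+)/(.*)")
_MAP_ERR = re.compile(r"\[map_krb5_error\].*\[(-?\d+)\]\[(.*?)\]")
_PAM_RESULT = re.compile(r"Backend returned: \((\d+), (\d+),")


def triage_krb5_child(log: str) -> dict:
    """Extract KDC errors, krb5_child-mapped errors and the final PAM status."""
    result = {"kdc_errors": [], "mapped_errors": [], "pam_status": None}
    for line in log.splitlines():
        m = _KDC_ERR.search(line)
        if m:
            code = int(m.group(1))
            result["kdc_errors"].append(
                (KRB5_ERRORS.get(code, str(code)), m.group(2).strip()))
        m = _MAP_ERR.search(line)
        if m:
            code = int(m.group(1))
            result["mapped_errors"].append(
                (KRB5_ERRORS.get(code, str(code)), m.group(2)))
        m = _PAM_RESULT.search(line)
        if m:
            result["pam_status"] = PAM_STATUS.get(int(m.group(2)), m.group(2))
    return result


# Constructed sample: the relevant lines from the Fedora 20 logs in the thread.
SAMPLE_LOG = """\
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: Received error from KDC: -1765328361/Password has expired
[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
[tgt_req_child] (0x1000): Password was expired
[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823: Processing preauth types: 136, 19, 2, 133
[map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support for encryption type]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
"""

if __name__ == "__main__":
    print(migration_ldif("jitse", "dc=domain,dc=nl", sha_userpassword("secret")))
    for key, value in triage_krb5_child(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Read together, the triage output says what the thread eventually narrows down
to: the KDC reports the migrated account's key as expired (the user still has
to set a Kerberos password), krb5_child then fails in the follow-up exchange
with an encryption type the F20 libkrb5 will not use, and SSSD surfaces that as
PAM_SYSTEM_ERR rather than a password-change prompt. That is the path Sumit's
allow_weak_crypto suggestion is aimed at. Treat that setting as a diagnostic
knob only: it re-enables weak enctypes for every principal on that client, so if
it makes the first login work, the fix to keep is on the server side (which
enctypes the migrated users' keys and the password-change path end up with),
not a permanent allow_weak_crypto in every client's krb5.conf.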