[Freeipa-users] Migration mode

Sumit Bose sbose at redhat.com
Mon Mar 10 21:06:31 UTC 2014


On Mon, Mar 10, 2014 at 09:10:01PM +0100, Jitse Klomp wrote:
> On 10-03-14 20:34, Sumit Bose wrote:
> >On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote:
> >>On 10-03-14 18:57, Sumit Bose wrote:
> >>>On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
> >>>>On 10-03-14 17:03, Lukas Slebodnik wrote:
> >>>>>On (10/03/14 16:58), Lukas Slebodnik wrote:
> >>>>>>On (10/03/14 16:35), Jitse Klomp wrote:
> >>>>>>>On 10-03-14 16:10, Lukas Slebodnik wrote:
> >>>>>>>>On (10/03/14 15:19), Jitse Klomp wrote:
> >>>>>>>>>On 10-03-14 14:59, Jitse Klomp wrote:
> >>>>>>>>>>On 10-03-14 14:35, Lukas Slebodnik wrote:
> >>>>>>>>>>>On (10/03/14 13:55), Jitse Klomp wrote:
> >>>>>>>>>>>>Hello all,
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
> >>>>>>>>>>>>migrate-ds I used some custom scripts to import all of our users (~250)
> >>>>>>>>>>>>and groups (~85) with IPA commands (ipa user-add etc.). To move
> >>>>>>>>>>>>passwords I configured the ipa-server to run in migration mode and did
> >>>>>>>>>>>>an ldapmodify like this:
> >>>>>>>>>>>>
> >>>>>>>>>>>>    dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
> >>>>>>>>>>>>    changetype: modify
> >>>>>>>>>>>>    replace: userPassword
> >>>>>>>>>>>>    userPassword: {SHA}hash
> >>>>>>>>>>>>
> >>>>>>>>>>>>Logging in to a machine running CentOS and ipa-client for the first time
> >>>>>>>>>>>>works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
> >>>>>>>>>>>>works. However, logging in to Fedora 20 for the first time throws a
> >>>>>>>>>>>>'permission denied'. Logging in to Fedora works after logging in to
> >>>>>>>>>>>>CentOS or the IPA migration web ui.
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>sssd_domain.nl.log, loglevel 6
> >>>>>>>>>>>>Fedora log: http://pastebin.centos.org/8281/
> >>>>>>>>>>>>CentOS log: http://pastebin.centos.org/8286/
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>Additional details:
> >>>>>>>>>>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
> >>>>>>>>>>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
> >>>>>>>>>>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
> >>>>>>>>>>>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [ipa_resolve_callback]
> >>>>>>>>>>>     (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>>>>>>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]] [write_pipe_handler]
> >>>>>>>>>>>     (0x0400): All data has been sent!
> >>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [read_pipe_handler]
> >>>>>>>>>>>     (0x0400): EOF received, client finished
> >>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>>>>>>>>>>[be_pam_handler_callback]
> >>>>>>>>>>>     (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> >>>>>>>>>>>                                    ^^^
> >>>>>>>>>>>                                   It means PAM_SYSTEM_ERR /* System error */
> >>>>>>>>>>>
> >>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>>>>>>>>>>[be_pam_handler_callback]
> >>>>>>>>>>>     (0x0100): Sending result [4][domain.nl]
> >>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
> >>>>>>>>>>>[be_pam_handler_callback]
> >>>>>>>>>>>     (0x0100): Sent result [4][domain.nl]
> >>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]] [child_sig_handler]
> >>>>>>>>>>>     (0x0100): child [19510] finished successfully.
> >>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>Both CentOS and Fedora are fully up-to-date using only the base
> >>>>>>>>>>>>repos. Config of the clients is done with ipa-client-install.
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>Could you attach log files with debug_level 9?
> >>>>>>>>>>>
> >>>>>>>>>>>LS
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>Sure. Just sssd_domain or do you need more?
> >>>>>>>>>>
> >>>>>>>>Are you using two different ipa servers?
> >>>>>>>>ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
> >>>>>>>>
> >>>>>>>>>>sssd_domain.nl.log, loglevel 9
> >>>>>>>>>>Fedora: http://pastebin.centos.org/8291/
> >>>>>>>>Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>>>
> >>>>>>>>>>CentOS: http://pastebin.centos.org/8296/
> >>>>>>>>Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
> >>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>  - Jitse
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>The problem is also present in RHEL7b with
> >>>>>>>>>ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
> >>>>>>>>>
> >>>>>>>>>sssd_domain.nl.log, loglevel 9
> >>>>>>>>>RHEL7b: http://pastebin.centos.org/8301/
> >>>>>>>>Constructed uri 'ldap://vm-ipa.domain.nl'
> >>>>>>>>
> >>>>>>>>Could you also provide krb5_child.log and ldap_child.log from fedora machine?
> >>>>>>>>     (debug_level 9)
> >>>>>>>>
> >>>>>>>>LS
> >>>>>>>>
> >>>>>>>
> >>>>>>>No, I'm using only one ipa server (vm-ipa). I accidentally
> >>>>>>>copy-pasted without changing the domain name ;)
> >>>>>>>
> >>>>>>>>Any chance you could use the migrate-ds script to migrate users? I'm
> >>>>>>>>not 100% sure if your own upgrade method does the same thing..
> >>>>>>>I don't think so, our old LDAP schema is a mess...
> >>>>>>>
> >>>>>>>krb5_child.log: http://pastebin.centos.org/8306/
> >>>>>>
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>>>    1394465217.407384: Getting initial credentials for jitse at DOMAIN.NL
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>>>    1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>>>    1394465217.408202: Sending initial UDP request to dgram 10.14.3.15:88
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>>>    1394465217.425034: Received answer from dgram 10.14.3.15:88
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>>>    1394465217.425171: Response was from master KDC
> >>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
> >>>>>>    1394465217.425241: Received error from KDC: -1765328361/Password has expired
> >>>>>>[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
> >>>>>>[tgt_req_child] (0x1000): Password was expired
> >>>>>>
> >>>>>>It looks like the password is expired for user jitse.
> >>>>>>
> >>>>>My hands were faster than my mind.
> >>>>>
> >>>>>I wanted to write:
> >>>>>It looks like the password is expired for user jitse.
> >>>>>It is really weird because it works on Centos.
> >>>>>Do you have a synchronized time on all machines with ipa server?
> >>>>>
> >>>>>LS
> >>>>
> >>>>Yes, time is in sync across all machines. I think the most
> >>>>interesting lines in the log are these:
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
> >>>>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823:
> >>>>Processing preauth types: 136, 19, 2, 133
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
> >>>>[map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support
> >>>>for encryption type]
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
> >>>>[pack_response_packet] (0x2000): response packet size: [4]
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
> >>>>[k5c_send_data] (0x4000): Response sent.
> >>>>
> >>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [main]
> >>>>(0x0400): krb5_child completed successfully
> >>>>
> >>>>This is where krb5_child on fedora just stops working while
> >>>>krb5_child on CentOS does this: http://pastebin.centos.org/8316/
> >>>>
> >>>
> >>>Can you send the krb5_child.log file with the success from CentOS as
> >>>well? Looks like we might handle some error codes differently after
> >>>introducing the sssd_errors code.
> >>>
> >>>bye,
> >>>Sumit
> >>>
> >>>>
> >>>>  - Jitse
> >>
> >>That last pastebin (http://pastebin.centos.org/8316/) was
> >>krb5_child.log from a successful first-time login on centos.
> >
> >Thanks. Can you try to set 'allow_weak_crypto = true' in the libdefaults
> >section of krb5.conf on F20 or RHEL7?
> >
> >bye,
> >Sumit
> >
> >>
> >>>I'd be curious what the krbPasswordExpiration is for this user.
> >>See http://pastebin.centos.org/8321/ for a password migration and
> >>output of ldapsearch.
> >>
> >>Output of ldapsearch *after* logging in to CentOS for the first time:
> >>     krbPasswordExpiration: 20140310183603Z
> >>     krbLastPwdChange: 20140310183603Z
> >>     krbExtraData:: AAITBh5Tcm9vdC9hZG1pbkBBLUVTS1dBRFJBQVQuTkwA
> >>     krbLastFailedAuth: 20140310185101Z
> >>     krbLoginFailedCount: 1
> >>
> >>  - Jitse
> 
> Yes, here you go: http://pastebin.centos.org/8331/
> 
> It doesn't seem to be a lot different from the old one...

Thank you. Maybe there is a change in return codes between MIT Kerberos
1.10 (Centos 6) and 1.11 (F20, RHEL7). Can you try to run

KRB5_TRACE=/dev/stdout kinit unmigrated_user at DOMAIN.NL

on the different platforms and paste the results? I would expect to see
[Preauthentication failed] on Centos6 and [Program lacks support for
encryption type] on F20 or RHEL7.

bye,
Sumit

> 
>  - Jitse
> 
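The diagnosis in this thread comes down to reading the MIT Kerberos error codes that krb5_child.log (the `[code][message]` pairs) and `KRB5_TRACE` (the `Received error from KDC: code/message` lines) report, and telling a not-yet-migrated principal apart from a real failure. The script below is an added example written for this thread; it is not SSSD or FreeIPA code. It parses both log forms, maps the codes quoted in the thread (`-1765328361` Password has expired, `-1765328234` Program lacks support for encryption type) plus the Preauthentication failed code Sumit expects on CentOS 6 to a verdict, and flags when the next step is to look at the user's entry in LDAP. The sample log lines are constructed from the excerpts quoted above; `migration_state` assumes an ldapsearch done with enough privilege (Directory Manager) to see `userPassword` and `krbPrincipalKey`, which is an assumption of this example, not something the thread shows.

```python
"""Triage krb5_child.log / KRB5_TRACE output from a migrated-password login.

Added example for this thread; not SSSD or FreeIPA code. Sample lines are
constructed from the log excerpts quoted in the thread.
"""
import re

# MIT Kerberos com_err codes: the krb5 error table base plus the protocol
# error number. The first two match the codes in the thread's logs.
KRB5_ERROR_BASE = -1765328384
KRB5KDC_ERR_KEY_EXP = KRB5_ERROR_BASE + 23          # "Password has expired"
KRB5KDC_ERR_PREAUTH_FAILED = KRB5_ERROR_BASE + 24   # "Preauthentication failed"
KRB5_PROG_ETYPE_NOSUPP = KRB5_ERROR_BASE + 150      # "Program lacks support for encryption type"

VERDICTS = {
    KRB5_PROG_ETYPE_NOSUPP: "etype_nosupp",        # F20 / RHEL7 symptom in the thread
    KRB5KDC_ERR_PREAUTH_FAILED: "preauth_failed",  # what Sumit expects on CentOS 6
    KRB5KDC_ERR_KEY_EXP: "password_expired",
}

# krb5_child.log form:  "... 918: [-1765328361][Password has expired]"
_SSSD_RE = re.compile(r"\[(-\d{6,})\]\[([^\]]+)\]")
# KRB5_TRACE form:      "... Received error from KDC: -1765328361/Password has expired"
_TRACE_RE = re.compile(r"Received error from KDC: (-\d{6,})/(.+)$")


def parse_krb5_errors(lines):
    """Return [(code, message), ...] in the order the log reports them."""
    found = []
    for line in lines:
        line = line.rstrip()
        m = _SSSD_RE.search(line) or _TRACE_RE.search(line)
        if m:
            found.append((int(m.group(1)), m.group(2).strip()))
    return found


def classify_login(lines):
    """Map one krb5_child session to a verdict string.

    In the F20 log from the thread the KDC first answers KEY_EXP, then
    map_krb5_error logs ETYPE_NOSUPP right before the response is sent, so
    the last error logged is the one the client acted on.
    """
    codes = [code for code, _ in parse_krb5_errors(lines)]
    if not codes:
        return "no_krb5_error"
    return VERDICTS.get(codes[-1], "other:%d" % codes[-1])


def needs_migration_check(verdict):
    """True when the next step is inspecting the principal in LDAP
    (krbPrincipalKey / krbPasswordExpiration), as the thread does for jitse."""
    return verdict in ("etype_nosupp", "preauth_failed")


def migration_state(attrs):
    """Classify an ldapsearch result (attribute name -> list of values).

    Assumption (this example, not the thread): the search ran as Directory
    Manager so userPassword and krbPrincipalKey are visible.
    """
    if attrs.get("krbPrincipalKey"):
        return "migrated"       # key generated by a first login or the migration UI
    if attrs.get("userPassword"):
        return "hash_only"      # ldapmodify done, Kerberos key not generated yet
    return "no_credentials"


# Constructed from the Fedora 20 krb5_child.log excerpts in the thread.
FEDORA_LOG = [
    "[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.425241: "
    "Received error from KDC: -1765328361/Password has expired",
    "[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]",
    "[tgt_req_child] (0x1000): Password was expired",
    "[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823: "
    "Processing preauth types: 136, 19, 2, 133",
    "[map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support for encryption type]",
    "[k5c_send_data] (0x4000): Response sent.",
]
# Constructed: the outcome Sumit expects on CentOS 6 for an unmigrated user.
CENTOS6_LOG = [
    "[map_krb5_error] (0x0020): 979: [-1765328360][Preauthentication failed]",
]
# Constructed: a session that logged no Kerberos error at all.
CLEAN_LOG = [
    "[main] (0x0400): krb5_child completed successfully",
]

if __name__ == "__main__":
    for name, log in (("fedora20", FEDORA_LOG), ("centos6", CENTOS6_LOG), ("clean", CLEAN_LOG)):
        verdict = classify_login(log)
        print("%-9s %-16s check LDAP entry: %s" % (name, verdict, needs_migration_check(verdict)))
```

Feed it the krb5_child.log of a failing first login (or the `KRB5_TRACE` output of the `kinit` Sumit asks for) and compare verdicts across platforms: the same principal yielding `preauth_failed` on one client and `etype_nosupp` on another is exactly the return-code difference the thread is chasing, and in both cases the entry's `krbPrincipalKey` / `krbPasswordExpiration` decide whether the migration step has actually run.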