[Freeipa-users] Migration mode

Lukas Slebodnik lslebodn at redhat.com
Mon Mar 10 21:32:42 UTC 2014


On (10/03/14 21:47), Lukas Slebodnik wrote:
>On (10/03/14 15:14), Rob Crittenden wrote:
>>Jitse Klomp wrote:
>>>On 10-03-14 18:57, Sumit Bose wrote:
>>>>On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
>>>>>On 10-03-14 17:03, Lukas Slebodnik wrote:
>>>>>>On (10/03/14 16:58), Lukas Slebodnik wrote:
>>>>>>>On (10/03/14 16:35), Jitse Klomp wrote:
>>>>>>>>On 10-03-14 16:10, Lukas Slebodnik wrote:
>>>>>>>>>On (10/03/14 15:19), Jitse Klomp wrote:
>>>>>>>>>>On 10-03-14 14:59, Jitse Klomp wrote:
>>>>>>>>>>>On 10-03-14 14:35, Lukas Slebodnik wrote:
>>>>>>>>>>>>On (10/03/14 13:55), Jitse Klomp wrote:
>>>>>>>>>>>>>Hello all,
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
>>>>>>>>>>>>>migrate-ds I used some custom scripts to import all of our users
>>>>>>>>>>>>>(~250) and groups (~85) with IPA commands (ipa user-add etc.). To
>>>>>>>>>>>>>move passwords I configured the ipa-server to run in migration mode
>>>>>>>>>>>>>and did an ldapmodify like this:
>>>>>>>>>>>>>
>>>>>>>>>>>>>    dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
>>>>>>>>>>>>>    changetype: modify
>>>>>>>>>>>>>    replace: userPassword
>>>>>>>>>>>>>    userPassword: {SHA}hash
>>>>>>>>>>>>>
>>>>>>>>>>>>>Logging in to a machine running CentOS and ipa-client for the first
>>>>>>>>>>>>>time works like a charm, a krbPrincipalKey is generated and Kerberos
>>>>>>>>>>>>>'just' works. However, logging in to Fedora 20 for the first time
>>>>>>>>>>>>>throws a 'permission denied'. Logging in to Fedora works after
>>>>>>>>>>>>>logging in to CentOS or the IPA migration web ui.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>sssd_domain.nl.log, loglevel 6
>>>>>>>>>>>>>Fedora log: http://pastebin.centos.org/8281/
>>>>>>>>>>>>>CentOS log: http://pastebin.centos.org/8286/
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>Additional details:
>>>>>>>>>>>>>IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
>>>>>>>>>>>>>Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
>>>>>>>>>>>>>Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64
>>>>>>>>>>>>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]]
>>>>>>>>>>>>[ipa_resolve_callback]
>>>>>>>>>>>>     (0x0400): Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>>>>(Mon Mar  3 22:15:42 2014) [sssd[be[domain.nl]]]
>>>>>>>>>>>>[write_pipe_handler]
>>>>>>>>>>>>     (0x0400): All data has been sent!
>>>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>>>>[read_pipe_handler]
>>>>>>>>>>>>     (0x0400): EOF received, client finished
>>>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>>>>[be_pam_handler_callback]
>>>>>>>>>>>>     (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>>>>>>>>>>>>                                    ^^^
>>>>>>>>>>>>                                   It means PAM_SYSTEM_ERR /* System error */
>>>>>>>>>>>>
>>>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>>>>[be_pam_handler_callback]
>>>>>>>>>>>>     (0x0100): Sending result [4][domain.nl]
>>>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>>>>[be_pam_handler_callback]
>>>>>>>>>>>>     (0x0100): Sent result [4][domain.nl]
>>>>>>>>>>>>(Mon Mar  3 22:15:43 2014) [sssd[be[domain.nl]]]
>>>>>>>>>>>>[child_sig_handler]
>>>>>>>>>>>>     (0x0100): child [19510] finished successfully.
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>Both CentOS and Fedora are fully up-to-date using only the base
>>>>>>>>>>>>>repos. Config of the clients is done with ipa-client-install.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>Could you attach log files with debug_level 9?
>>>>>>>>>>>>
>>>>>>>>>>>>LS
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>Sure. Just sssd_domain or do you need more?
>>>>>>>>>>>
>>>>>>>>>Are you using two different ipa servers?
>>>>>>>>>ldap://vm-ipa.domain.nl, ldap://vm-ipa.a-eskwadraat.nl
>>>>>>>>>
>>>>>>>>>>>sssd_domain.nl.log, loglevel 9
>>>>>>>>>>>Fedora: http://pastebin.centos.org/8291/
>>>>>>>>>Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>
>>>>>>>>>>>CentOS: http://pastebin.centos.org/8296/
>>>>>>>>>Constructed uri 'ldap://vm-ipa.a-eskwadraat.nl'
>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>  - Jitse
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>The problem is also present in RHEL7b with
>>>>>>>>>>ipa-client-3.3.3-5.el7.x86_64 and sssd-1.11.2-1.el7.x86_64
>>>>>>>>>>
>>>>>>>>>>sssd_domain.nl.log, loglevel 9
>>>>>>>>>>RHEL7b: http://pastebin.centos.org/8301/
>>>>>>>>>Constructed uri 'ldap://vm-ipa.domain.nl'
>>>>>>>>>
>>>>>>>>>Could you also provide krb5_child.log and ldap_child.log from
>>>>>>>>>fedora machine?
>>>>>>>>>     (debug_level 9)
>>>>>>>>>
>>>>>>>>>LS
>>>>>>>>>
>>>>>>>>
>>>>>>>>No, I'm using only one ipa server (vm-ipa). I accidentally
>>>>>>>>copy-pasted without changing the domain name ;)
>>>>>>>>
>>>>>>>>>Any chance you could use the migrate-ds script to migrate users? I'm
>>>>>>>>>not 100% sure if your own upgrade method does the same thing..
>>>>>>>>I don't think so, our old LDAP schema is a mess...
>>>>>>>>
>>>>>>>>krb5_child.log: http://pastebin.centos.org/8306/
>>>>>>>
>>>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>>>    1394465217.407384: Getting initial credentials for jitse at DOMAIN.NL
>>>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>>>    1394465217.407699: Sending request (173 bytes) to DOMAIN.NL
>>>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>>>    1394465217.408202: Sending initial UDP request to dgram
>>>>>>>10.14.3.15:88
>>>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>>>    1394465217.425034: Received answer from dgram 10.14.3.15:88
>>>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>>>    1394465217.425171: Response was from master KDC
>>>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671]
>>>>>>>    1394465217.425241: Received error from KDC:
>>>>>>>-1765328361/Password has expired
>>>>>>>[get_and_save_tgt] (0x0020): 918: [-1765328361][Password has expired]
>>>>>>>[tgt_req_child] (0x1000): Password was expired
>>>>>>>
>>>>>>>It looks like the password is expired for user jitse.
>>>>>>>
>>>>>>My hands were faster than my mind.
>>>>>>
>>>>>>I wanted to write:
>>>>>>It looks like the password is expired for user jitse.
>>>>>>It is really weird because it works on CentOS.
>>>>>>Do you have synchronized time on all machines with the IPA server?
>>>>>>
>>>>>>LS
>>>>>
>>>>>Yes, time is in sync across all machines. I think the most
>>>>>interesting lines in the log are these:
>>>>>
>>>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
>>>>>[sss_child_krb5_trace_cb] (0x4000): [24671] 1394465217.441823:
>>>>>Processing preauth types: 136, 19, 2, 133
>>>>>
>>>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
>>>>>[map_krb5_error] (0x0020): 979: [-1765328234][Program lacks support
>>>>>for encryption type]
>>>>>
>>>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
>>>>>[pack_response_packet] (0x2000): response packet size: [4]
>>>>>
>>>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]]
>>>>>[k5c_send_data] (0x4000): Response sent.
>>>>>
>>>>>(Mon Mar 10 16:26:57 2014) [[sssd[krb5_child[24671]]]] [main]
>>>>>(0x0400): krb5_child completed successfully
>>>>>
>>>>>This is where krb5_child on fedora just stops working while
>>>>>krb5_child on CentOS does this: http://pastebin.centos.org/8316/
>>>>>
>>>>
>>>>Can you send the krb5_child.log file with the success from CentOS as
>>>>well? Looks like we might handle some error codes differently after
>>>>introducing the sssd_errors code.
>>>>
>>>>bye,
>>>>Sumit
>>>>
>>>>>
>>>>>  - Jitse
>>>
>>>That last pastebin (http://pastebin.centos.org/8316/) was krb5_child.log
>>>from a successful first-time login on CentOS.
>>>
>>> > I'd be curious what the krbPasswordExpiration is for this user.
>>>See http://pastebin.centos.org/8321/ for a password migration and output
>>>of ldapsearch.
>>>
>>>Output of ldapsearch *after* logging in to CentOS for the first time:
>>>     krbPasswordExpiration: 20140310183603Z
>>>     krbLastPwdChange:      20140310183603Z
>Why is the password expiration the same as the last password change?
>
I will answer myself: because of migration mode.

LS
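The thread ends on the observation that, for a user whose password was migrated through an LDAP bind in migration mode, krbPasswordExpiration ends up equal to krbLastPwdChange, so the very next Kerberos authentication reports "Password has expired". An administrator doing this kind of migration wants a quick way to see which accounts are in that state before users hit it on a client. The script below is an added example, not code from the thread or from FreeIPA: it parses `ldapsearch -LLL` style output and classifies each user as not yet migrated (no krbPrincipalKey), expired-at-migration (expiration not later than the last change), or ok. The sample LDIF is constructed; the jitse entry reuses the timestamps quoted above, while the alice and bob entries and the base64 key values are made up.

```python
"""
Classify IPA user entries by the migration-mode expiry marker discussed in the
thread: krbPasswordExpiration == krbLastPwdChange means the password expired at
the moment the Kerberos key was generated, so the next login must change it.

Added example; the LDIF below is constructed, not taken from a real server.
"""
from datetime import datetime, timezone

# Constructed ldapsearch -LLL output. jitse mirrors the timestamps posted in the
# thread; alice (future expiry) and bob (not migrated yet) are invented.
SAMPLE_LDIF = """\
dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
uid: jitse
krbPrincipalKey:: AAAA
krbPasswordExpiration: 20140310183603Z
krbLastPwdChange: 20140310183603Z

dn: uid=alice,cn=users,cn=accounts,dc=domain,dc=nl
uid: alice
krbPrincipalKey:: AAAA
krbPasswordExpiration: 20140608183603Z
krbLastPwdChange: 20140310183603Z

dn: uid=bob,cn=users,cn=accounts,dc=domain,dc=nl
uid: bob
userPassword:: e1NIQX1oYXNo
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of dicts mapping attribute -> list of values.

    Folded continuation lines (leading space) are joined; base64 attributes
    (`::`) are kept as the raw base64 string since only their presence matters.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = value[1:]
        current.setdefault(name, []).append(value.strip())
    return entries


def parse_generalized_time(value):
    """LDAP GeneralizedTime in the YYYYMMDDHHMMSSZ form IPA writes."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(entry):
    """Return (uid, state) for one user entry."""
    uid = entry.get("uid", ["?"])[0]
    if "krbPrincipalKey" not in entry:
        # No Kerberos key yet: the migration-mode LDAP bind has not happened.
        return uid, "not-migrated"
    if "krbPasswordExpiration" not in entry or "krbLastPwdChange" not in entry:
        return uid, "no-expiry-info"
    expires = parse_generalized_time(entry["krbPasswordExpiration"][0])
    changed = parse_generalized_time(entry["krbLastPwdChange"][0])
    if expires <= changed:
        # Expired the instant it was set: the marker seen in the thread.
        return uid, "expired-at-migration"
    return uid, "ok"


def report(ldif_text):
    """Map uid -> state for every entry in the LDIF text."""
    return dict(classify(e) for e in parse_ldif(ldif_text))


if __name__ == "__main__":
    for uid, state in report(SAMPLE_LDIF).items():
        print(f"{uid:10s} {state}")
```

Feed it real output by piping `ldapsearch -LLL -b cn=users,cn=accounts,<base> uid krbPrincipalKey krbPasswordExpiration krbLastPwdChange` into `parse_ldif`; accounts reported as expired-at-migration are the ones that will be told to change their password on their first Kerberos login, which is the behaviour the Fedora client in the thread surfaced as a failure.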