[Freeipa-users] Accident upgrade 3.3 to 4.1

Martin Kosek mkosek at redhat.com
Wed Apr 8 12:01:56 UTC 2015


On 04/08/2015 01:40 PM, Alexander Frolushkin wrote:
> 
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> Sent: Wednesday, April 08, 2015 5:12 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Martin Kosek'; freeipa-users at redhat.com; Ludwig Krispenz; Thierry Bordaz
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
> 
> On Wed, Apr 08, 2015 at 11:07:25AM +0000, Alexander Frolushkin wrote:
>> -----Original Message-----
>> From: Martin Kosek [mailto:mkosek at redhat.com]
>> Sent: Wednesday, April 08, 2015 4:47 PM
>> To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Ludwig
>> Krispenz; Thierry Bordaz; Jakub Hrozek
>> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>>
>>>> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
>>>>
>>>> Please note, we currently have three servers with IPA 4.1.0, and 13 servers with IPA 3.3.3 working simultaneously.
>>>> Also about hbac:
>>>>
>>>> [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com]
>>
>>> CCing Jakub, but this looks like
>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1135433
> 
>> This is actually https://fedorahosted.org/sssd/ticket/2603
> 
>> According to the RDN: "agreements+nsuniqueid=" there is a replication conflict on the servers. Latest SSSD builds are able to handle those, but you should fix the server anyway.
> 
> Thank You!
> The conflict has already been resolved:
> 
> # ldapsearch -D "uid=admin,cn=users,cn=accounts,dc=unix,dc=ad,dc=com" -W  -b "nsds5ReplConflict=*" \* nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <nsds5ReplConflict=*> with scope subtree
> # filter: (objectclass=*)
> # requesting: * nsds5ReplConflict
> #
> 
> # search result
> search: 2
> result: 32 No such object
> 
> # numResponses: 1
> 
> After that, clients are able to log in via ssh on servers connected to 7.1 servers, but still no login on client servers connected to 7.0 IPA servers...

Good! Does it only happen for users that have any RBAC role assigned or are
non-privileged users able to log in?

I suspect you may be hitting
https://bugzilla.redhat.com/show_bug.cgi?id=1140888

fixed in RHEL-7.1 DS and IPA.
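
Added example, not part of the original thread and not SSSD or FreeIPA code: a small Python check for the marker discussed above, a leftmost RDN that is multi-valued and carries `nsuniqueid`, applied to DNs pulled from SSSD HBAC parse errors and LDIF `dn:` lines. The function names, the `dc=example,dc=test` suffix and the `nsuniqueid` values are assumptions constructed for illustration.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, ignoring backslash-escaped characters (RFC 4514)."""
    parts, buf, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1   # keep an escaped pair intact
        if step == 1 and text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i:i + step]
        i += step
    return parts + [buf]

def conflict_rdn(dn):
    """Return the nsuniqueid value when the leftmost RDN is multi-valued
    and carries nsuniqueid (a conflict entry); otherwise None."""
    avas = split_unescaped(split_unescaped(dn.strip(), ",")[0], "+")
    if len(avas) < 2:                        # single-valued RDN: not a conflict
        return None
    for ava in avas:
        attr, _, value = ava.partition("=")
        if attr.strip().lower() == "nsuniqueid":
            return value.strip()
    return None

# Where a DN can appear: the SSSD HBAC parse error and an LDIF entry header.
DN_SOURCES = (re.compile(r"Parse error on \[(?P<dn>.+)\]\s*$"),
              re.compile(r"^dn: (?P<dn>.+)$"))

def find_conflicts(lines):
    hits = []
    for line in lines:
        for pattern in DN_SOURCES:
            match = pattern.search(line)
            if match and conflict_rdn(match.group("dn")):
                hits.append(match.group("dn"))
                break
    return hits

# Constructed sample input (suffix and nsuniqueid values are made up).
SAMPLE = [
    "[hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements+nsuniqueid=00000000-00000000-00000000-00000000,cn=permissions,cn=pbac,dc=example,dc=test]",
    "dn: uid=jdoe+nsuniqueid=11111111-11111111-11111111-11111111,cn=users,cn=accounts,dc=example,dc=test",
    "dn: cn=a\\+b,cn=groups,cn=accounts,dc=example,dc=test",   # escaped '+', not a conflict
    "dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test",
]
if __name__ == "__main__":
    print("\n".join(find_conflicts(SAMPLE)))
```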



