[Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches

Thomas Sailer t.sailer at alumni.ethz.ch
Wed Jun 3 16:33:22 UTC 2015


I have now managed to upgrade the replica as well.

I stumbled over a few additional problems:

1) Whenever a user becomes a member of a group with +nsuniqueid= in its 
name, the user can no longer log in. The reason is that ldb_dn_validate 
doesn't like the + character, thus returns false, which causes 
get_ipa_groupname to return EINVAL, which causes the loop in 
hbac_eval_user_element to abort and return an error.

This seems to be quite draconian. Does it have to be like this? If so, it 
would be nice if a clearer error message were left somewhere more 
obvious than sssd -d 0xffff...

2) I cannot change SSH keys, neither in the web GUI nor on the CLI.

# ipa -vv user-mod myuserid --sshpubkey= --all
ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json
ipa: INFO: Request: {
     "id": 0,
     "method": "ping",
     "params": [
         [],
         {}
     ]
}
ipa: INFO: Response: {
     "error": null,
     "id": 0,
     "principal": "admin at XXXXX.COM",
     "result": {
         "messages": [
             {
                 "code": 13001,
                 "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.114",
                 "name": "VersionMissing",
                 "type": "warning"
             }
         ],
         "summary": "IPA server version 4.1.4. API version 2.114"
     },
     "version": "4.1.4"
}
ipa: INFO: Forwarding 'user_mod' to json server 'https://xxxxxserver.xxxxx.com/ipa/json'
ipa: INFO: Request: {
     "id": 0,
     "method": "user_mod",
     "params": [
         [
             "t.sailer"
         ],
         {
             "all": true,
             "ipasshpubkey": null,
             "no_members": false,
             "random": false,
             "raw": false,
             "rights": false,
             "version": "2.114"
         }
     ]
}
ipa: INFO: Response: {
     "error": {
         "code": 4203,
         "message": "Type or value exists: ",
         "name": "DatabaseError"
     },
     "id": 0,
     "principal": "admin at XXXXX.COM",
     "result": null,
     "version": "4.1.4"
}
ipa: ERROR: Type or value exists:

I cannot find any more information in /var/log/httpd/error_log. But I 
can change the SSH keys by talking directly to slapd...

3) Is
[global]
debug=True
in /etc/ipa/ipa.conf supposed to change /var/log/httpd/error_log output? 
I cannot see any change...

Thomas
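
Item 1 above as an added example (not part of the original post, and not SSSD or FreeIPA code): a scan of exported memberOf values for group DNs whose first RDN carries a +nsuniqueid= component, the condition the post says makes ldb_dn_validate fail and HBAC evaluation abort. The LDIF text is constructed and the function names are hypothetical; it assumes plain-text, unfolded LDIF lines.

```python
# Constructed sample LDIF (not from the original post). Bob's group has an
# escaped "\+" inside its name, which is a literal plus, not an RDN separator.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=dev+nsuniqueid=0a1b2c3d-11111111-22222222-33333333,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=c\\+\\+ team,cn=groups,cn=accounts,dc=example,dc=com
"""

def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def conflict_rdn(dn):
    """Return the first RDN if it has an nsuniqueid component, else None."""
    first_rdn = split_unescaped(dn, ",")[0]
    for ava in split_unescaped(first_rdn, "+")[1:]:
        if ava.strip().lower().startswith("nsuniqueid="):
            return first_rdn
    return None

def affected_users(ldif_text):
    """Map user DN -> group DNs whose name contains +nsuniqueid=."""
    hits, current = {}, None
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            current = line[3:].strip()
        elif line.lower().startswith("memberof:") and current:
            group_dn = line[len("memberof:"):].strip()
            if conflict_rdn(group_dn):
                hits.setdefault(current, []).append(group_dn)
    return hits

if __name__ == "__main__":
    for user, groups in affected_users(SAMPLE_LDIF).items():
        print(user, "->", groups)
```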



