[Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches
Rob Crittenden
rcritten at redhat.com
Thu Jun 4 14:33:08 UTC 2015
Thomas Sailer wrote:
> I have now managed to upgrade the replica as well.
>
> I stumbled over a few additional problems:
>
> 1) whenever a user becomes member of a group with +nsuniqueid= in its
> name, the user can no longer login. The reason is that ldb_dn_validate
> doesn't like the + character, thus returns false, which causes
> get_ipa_groupname to return EINVAL, which causes the loop in
> hbac_eval_user_element to abort and return an error.
>
> This seems to be quite draconian. Does it have to be like this? If so it
> would be nice if a clearer error message would be left somewhere more
> obvious than sssd -d 0xffff...
An entry with nsuniqueid is a replication conflict entry. You want to
resolve this.
See
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
> 2) I cannot change ssh keys, neither in the web gui nor on the cli.
>
> # ipa -vv user-mod myuserid --sshpubkey= --all
> ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json
> ipa: INFO: Request: {
> "id": 0,
> "method": "ping",
> "params": [
> [],
> {}
> ]
> }
> ipa: INFO: Response: {
> "error": null,
> "id": 0,
> "principal": "admin at XXXXX.COM",
> "result": {
> "messages": [
> {
> "code": 13001,
> "message": "API Version number was not sent, forward
> compatibility not guaranteed. Assuming server's API version, 2.114",
> "name": "VersionMissing",
> "type": "warning"
> }
> ],
> "summary": "IPA server version 4.1.4. API version 2.114"
> },
> "version": "4.1.4"
> }
> ipa: INFO: Forwarding 'user_mod' to json server
> 'https://xxxxxserver.xxxxx.com/ipa/json'
> ipa: INFO: Request: {
> "id": 0,
> "method": "user_mod",
> "params": [
> [
> "t.sailer"
> ],
> {
> "all": true,
> "ipasshpubkey": null,
> "no_members": false,
> "random": false,
> "raw": false,
> "rights": false,
> "version": "2.114"
> }
> ]
> }
> ipa: INFO: Response: {
> "error": {
> "code": 4203,
> "message": "Type or value exists: ",
> "name": "DatabaseError"
> },
> "id": 0,
> "principal": "admin at XXXXX.COM",
> "result": null,
> "version": "4.1.4"
> }
> ipa: ERROR: Type or value exists:
>
> I cannot find any more information in /var/log/httpd/error_log. But I
> can change the SSH keys directly talking to slapd...
Hmm, curious. What is the current state of the entry? The 389-ds access
log might have more details (though I'm stretching here).
> 3) Is
> [global]
> debug=True
> in /etc/ipa/ipa.conf supposed to change /var/log/httpd/error_log output?
> I cannot see any change...
No, there is no /etc/ipa/ipa.conf.
You can create /etc/ipa/server.conf to only change configuration for the
server, or /etc/ipa/client.conf to only change configuration for the client.
default.conf is loaded first, then server/client.conf is loaded and
changes override the default.
rob
More information about the Freeipa-users
mailing list