[Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches

Rob Crittenden rcritten at redhat.com
Thu Jun 4 14:33:08 UTC 2015


Thomas Sailer wrote:
> I have now managed to upgrade the replica as well.
>
> I stumbled over a few additional problems:
>
> 1) whenever a user becomes member of a group with +nsuniqueid= in its
> name, the user can no longer login. The reason is that ldb_dn_validate
> doesn't like the + character, thus returns false, which causes
> get_ipa_groupname to return EINVAL, which causes the loop in
> hbac_eval_user_element to abort and return an error.
>
> This seems to be quite draconian. Does it have to be like this? If so it
> would be nice if a clearer error message would be left somewhere more
> obvious than sssd -d 0xffff...

An entry with nsuniqueid is a replication conflict entry. You want to 
resolve this.

See 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

> 2) I cannot change ssh keys, neither in the web gui nor on the cli.
>
> # ipa -vv user-mod myuserid --sshpubkey= --all
> ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json
> ipa: INFO: Request: {
>      "id": 0,
>      "method": "ping",
>      "params": [
>          [],
>          {}
>      ]
> }
> ipa: INFO: Response: {
>      "error": null,
>      "id": 0,
>      "principal": "admin at XXXXX.COM",
>      "result": {
>          "messages": [
>              {
>                  "code": 13001,
>                  "message": "API Version number was not sent, forward
> compatibility not guaranteed. Assuming server's API version, 2.114",
>                  "name": "VersionMissing",
>                  "type": "warning"
>              }
>          ],
>          "summary": "IPA server version 4.1.4. API version 2.114"
>      },
>      "version": "4.1.4"
> }
> ipa: INFO: Forwarding 'user_mod' to json server
> 'https://xxxxxserver.xxxxx.com/ipa/json'
> ipa: INFO: Request: {
>      "id": 0,
>      "method": "user_mod",
>      "params": [
>          [
>              "t.sailer"
>          ],
>          {
>              "all": true,
>              "ipasshpubkey": null,
>              "no_members": false,
>              "random": false,
>              "raw": false,
>              "rights": false,
>              "version": "2.114"
>          }
>      ]
> }
> ipa: INFO: Response: {
>      "error": {
>          "code": 4203,
>          "message": "Type or value exists: ",
>          "name": "DatabaseError"
>      },
>      "id": 0,
>      "principal": "admin at XXXXX.COM",
>      "result": null,
>      "version": "4.1.4"
> }
> ipa: ERROR: Type or value exists:
>
> I cannot find any more information in /var/log/httpd/error_log. But I
> can change the SSH keys directly talking to slapd...

Hmm, curious. What is the current state of the entry? The 389-ds access 
log might have more details (though I'm stretching here).

> 3) Is
> [global]
> debug=True
> in /etc/ipa/ipa.conf supposed to change /var/log/httpd/error_log output?
> I cannot see any change...

No, there is no /etc/ipa/ipa.conf.

You can create /etc/ipa/server.conf to only change configuration for the 
server, or /etc/ipa/client.conf to only change configuration for the client.

default.conf is loaded first, then server/client.conf is loaded and 
changes override the default.

rob
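Rob's advice for point 1 is to resolve the conflict entry itself rather than work around sssd. The `+` in the group's name is the RFC 4514 separator of a multi-valued RDN: 389-ds renames the losing copy of a replication conflict to `<original RDN>+nsuniqueid=<uuid>` and tags it with `nsds5ReplConflict`, so a user whose memberOf points at that copy carries a group DN that a strict DN validator rejects. The script below is an added example, not part of this thread and not FreeIPA or 389-ds code: it parses a constructed LDIF dump of the kind an `ldapsearch` for `(nsds5ReplConflict=*)` plus the matching live entries would produce, finds the conflict copies by their multi-valued `nsuniqueid` RDN or their marker attribute, and drafts the `ldapmodify` input to resolve them. The group names, member DNs, UUIDs and the delete-versus-rename policy (delete a copy whose intended DN is still live, after listing member values only that copy holds; rename an orphaned copy back to its intended DN) are this example's own assumptions; review the generated LDIF before applying it.

```python
"""Spot 389-ds replication conflict entries in an LDIF dump and draft the
ldapmodify input that resolves them.  Added example, not FreeIPA/389-ds code."""
import re

# Constructed sample (group names, members, nsuniqueid values all invented):
# "developers" has a live entry plus a conflict copy, "ops" only a conflict copy.
SAMPLE_LDIF = """\
dn: cn=developers,cn=groups,cn=accounts,dc=example,dc=com
cn: developers
member: uid=t.sailer,cn=users,cn=accounts,dc=example,dc=com

dn: cn=developers+nsuniqueid=66446001-1dd211b2-66225011-2ee211db,cn=groups,cn=accounts,dc=example,dc=com
cn: developers
nsds5ReplConflict: namingConflict cn=developers,cn=groups,cn=accounts,dc=example,dc=com
member: uid=t.sailer,cn=users,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=ops+nsuniqueid=aaaaaaaa-1dd211b2-bbbbbbbb-2ee211db,cn=groups,cn=accounts,dc=example,dc=com
cn: ops
nsds5ReplConflict: namingConflict cn=ops,cn=groups,cn=accounts,dc=example,dc=com
"""

def split_unescaped(s, sep):
    """Split on sep, skipping backslash-escaped characters (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(dn):
    """DN -> list of RDNs, each a list of (type, value) pairs.  '+' joins the
    values of one multi-valued RDN; 389-ds names conflict entries
    cn=<name>+nsuniqueid=<uuid>,... (the '+' the thread says ldb rejects)."""
    return [[(t.strip().lower(), v.strip()) for t, _, v in
             (ava.partition("=") for ava in split_unescaped(rdn, "+"))]
            for rdn in split_unescaped(dn, ",")]

def format_dn(rdns):
    return ",".join("+".join(f"{t}={v}" for t, v in rdn) for rdn in rdns)

def parse_ldif(text):
    """Minimal reader: blank-line separated entries, no '::' base64, no folding."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {"dn": "", "attrs": {}}
        for line in block.splitlines():
            k, _, v = line.partition(":")
            k, v = k.strip().lower(), v.strip()
            if k == "dn":
                entry["dn"] = v
            elif k and not k.startswith("#"):
                entry["attrs"].setdefault(k, []).append(v)
        entries.append(entry)
    return entries

def is_conflict(entry):
    first = parse_dn(entry["dn"])[0]
    return ("nsds5replconflict" in entry["attrs"]
            or (len(first) > 1 and any(t == "nsuniqueid" for t, _ in first)))

def intended_dn(dn):
    """The DN the entry had before the conflict marker was appended."""
    rdns = parse_dn(dn)
    rdns[0] = [ava for ava in rdns[0] if ava[0] != "nsuniqueid"]
    return format_dn(rdns)

def plan_resolution(entries):
    """Assumed policy: delete a conflict copy whose intended DN is still live
    (reporting members only the copy holds); rename an orphaned copy back."""
    live = {e["dn"].lower(): e for e in entries if not is_conflict(e)}
    plan = []
    for e in filter(is_conflict, entries):
        target = intended_dn(e["dn"])
        winner = live.get(target.lower())
        extra = [] if winner is None else sorted(
            set(e["attrs"].get("member", [])) - set(winner["attrs"].get("member", [])))
        plan.append({"action": "rename" if winner is None else "delete",
                     "dn": e["dn"], "target": target, "extra_members": extra})
    return plan

def to_ldif(plan):
    """ldapmodify input.  deleteoldrdn: 0 keeps nsuniqueid, an operational
    attribute that must not be removed; the conflict marker is dropped after."""
    out = []
    for s in plan:
        if s["action"] == "delete":
            out.append(f"dn: {s['dn']}\nchangetype: delete\n")
            continue
        new_rdn = format_dn([parse_dn(s["target"])[0]])
        out.append(f"dn: {s['dn']}\nchangetype: modrdn\nnewrdn: {new_rdn}\n"
                   "deleteoldrdn: 0\n")
        out.append(f"dn: {s['target']}\nchangetype: modify\ndelete: nsds5ReplConflict\n")
    return "\n".join(out)

if __name__ == "__main__":
    plan = plan_resolution(parse_ldif(SAMPLE_LDIF))
    for s in plan:
        print(f"# {s['action']}: {s['dn']}  members only in this copy: {s['extra_members']}")
    print(to_ldif(plan))
```

Feed a real dump in place of `SAMPLE_LDIF`, read the `#` lines for members that exist only in the copy about to be deleted (add them to the surviving group first), and only then pipe the LDIF into `ldapmodify`. Once no entry with a `+nsuniqueid=` RDN remains, the memberOf values sssd evaluates in the HBAC loop are plain DNs again.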
