[Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches
Thomas Sailer
t.sailer at alumni.ethz.ch
Thu Jun 4 15:48:10 UTC 2015
On 06/04/2015 04:33 PM, Rob Crittenden wrote:
> Thomas Sailer wrote:
>> I have now managed to upgrade the replica as well.
>>
>> I stumbled over a few additional problems:
>>
>> 1) whenever a user becomes member of a group with +nsuniqueid= in its
>> name, the user can no longer login. The reason is that ldb_dn_validate
>> doesn't like the + character, thus returns false, which causes
>> get_ipa_groupname to return EINVAL, which causes the loop in
>> hbac_eval_user_element to abort and return an error.
>>
>> This seems to be quite draconian. Does it have to be like this? If so it
>> would be nice if a clearer error message would be left somewhere more
>> obvious than sssd -d 0xffff...
>
> An entry with nsuniqueid is a replication conflict entry. You want to
> resolve this.
>
> See
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
Yes I know, and I have already fixed that.
The question is is it justified if the presence of such a group breaks
login. If yes, shouldn't there be a more obvious error message than ssh
telling you that login failed for UNKNOWN reasons...
If login would still work, it would buy you time for fixing the problem.
The way it is now, you have people filling your office complaining login
doesn't work anymore while you frantically try to figure out why.
My biggest wish for IPA is for it to become more robust. It consists of
many software components with complex interdependencies, so some
fragility is to be expected. But still, it would be nice if it was as
robust as possible and if it fails that it fails in more obvious ways...
>
>> 2) I cannot change ssh keys, neither in the web gui nor on the cli.
>>
>> # ipa -vv user-mod myuserid --sshpubkey= --all
>> ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json
>> ipa: INFO: Request: {
>> "id": 0,
>> "method": "ping",
>> "params": [
>> [],
>> {}
>> ]
>> }
>> ipa: INFO: Response: {
>> "error": null,
>> "id": 0,
>> "principal": "admin at XXXXX.COM",
>> "result": {
>> "messages": [
>> {
>> "code": 13001,
>> "message": "API Version number was not sent, forward
>> compatibility not guaranteed. Assuming server's API version, 2.114",
>> "name": "VersionMissing",
>> "type": "warning"
>> }
>> ],
>> "summary": "IPA server version 4.1.4. API version 2.114"
>> },
>> "version": "4.1.4"
>> }
>> ipa: INFO: Forwarding 'user_mod' to json server
>> 'https://xxxxxserver.xxxxx.com/ipa/json'
>> ipa: INFO: Request: {
>> "id": 0,
>> "method": "user_mod",
>> "params": [
>> [
>> "t.sailer"
>> ],
>> {
>> "all": true,
>> "ipasshpubkey": null,
>> "no_members": false,
>> "random": false,
>> "raw": false,
>> "rights": false,
>> "version": "2.114"
>> }
>> ]
>> }
>> ipa: INFO: Response: {
>> "error": {
>> "code": 4203,
>> "message": "Type or value exists: ",
>> "name": "DatabaseError"
>> },
>> "id": 0,
>> "principal": "admin at XXXXX.COM",
>> "result": null,
>> "version": "4.1.4"
>> }
>> ipa: ERROR: Type or value exists:
>>
>> I cannot find any more information in /var/log/httpd/error_log. But I
>> can change the SSH keys directly talking to slapd...
>
> Hmm, curious. What is the current state of the entry? The 389-ds
> access log might have more details (though I'm stretching here).
[04/Jun/2015:17:43:21 +0200] conn=3391 fd=70 slot=70 connection from
a.b.c.d to a.b.c.d
[04/Jun/2015:17:43:21 +0200] conn=3391 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[04/Jun/2015:17:43:21 +0200] conn=3391 op=1 BIND dn="" method=sasl
version=3 mech=GSSAPI
[04/Jun/2015:17:43:21 +0200] conn=3391 op=0 RESULT err=14 tag=97
nentries=0 etime=0, SASL bind in progress
[04/Jun/2015:17:43:21 +0200] conn=3391 op=1 RESULT err=14 tag=97
nentries=0 etime=0, SASL bind in progress
[04/Jun/2015:17:43:21 +0200] conn=3391 op=2 BIND dn="" method=sasl
version=3 mech=GSSAPI
[04/Jun/2015:17:43:21 +0200] conn=3391 op=2 RESULT err=0 tag=97
nentries=0 etime=0 dn="uid=t.sailer,cn=users,cn=accounts,dc=xxxxx,dc=com"
[04/Jun/2015:17:43:21 +0200] conn=3391 op=3 SRCH
base="cn=ipaconfig,cn=etc,dc=xxxxx,dc=com" scope=0
filter="(objectClass=*)" attrs=ALL
[04/Jun/2015:17:43:21 +0200] conn=3391 op=3 RESULT err=0 tag=101
nentries=1 etime=0
[04/Jun/2015:17:43:21 +0200] conn=3391 op=4 SRCH
base="uid=t.sailer,cn=users,cn=accounts,dc=xxxxx,dc=com" scope=0
filter="(objectClass=*)" attrs="objectClass"
[04/Jun/2015:17:43:21 +0200] conn=3391 op=4 RESULT err=0 tag=101
nentries=1 etime=0
[04/Jun/2015:17:43:21 +0200] conn=3391 op=5 SRCH
base="uid=t.sailer,cn=users,cn=accounts,dc=xxxxx,dc=com" scope=0
filter="(objectClass=*)" attrs="objectClass ipaSshPubKey"
[04/Jun/2015:17:43:21 +0200] conn=3391 op=5 RESULT err=0 tag=101
nentries=1 etime=0
[04/Jun/2015:17:43:21 +0200] conn=3391 op=6 MOD
dn="uid=t.sailer,cn=users,cn=accounts,dc=xxxxx,dc=com"
[04/Jun/2015:17:43:22 +0200] conn=3391 op=6 RESULT err=20 tag=103
nentries=0 etime=1 csn=557072af000100040000
[04/Jun/2015:17:43:22 +0200] conn=3391 op=7 UNBIND
[04/Jun/2015:17:43:22 +0200] conn=3391 op=7 fd=70 closed - U1
Thanks!
Thomas
More information about the Freeipa-users
mailing list