[Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04
Petr Vobornik
pvoborni at redhat.com
Wed Jan 11 14:08:28 UTC 2017
On 01/11/2017 01:49 PM, Andy Brittingham wrote:
> Thanks! I will take a look at that.
>
> Andy
Hello Andy and Youenn,
to identify the root cause and potentially prevent it in a future:
Do you know which exact permissions had the replication conflict?
And more importantly how did you upgrade the servers? Was it one at a
time with some delay between upgrades (so that replication can happen).
Or two or more servers more or less at the same time?
>
> On 1/9/17 8:37 AM, Youenn PIOLET wrote:
>> Hey there,
>>
>> I got the same issue after upgrading my servers to 4.4.0
>> The problem comes from duplicate entries in :
>> cn=permissions,cn=pbac,dc=example,dc=com
>>
>> I think FreeIPA upgrade fails to create ACL on pbac specific entries,
>> resulting in a conflict entry creation.
>>
>> The problem is that SSSD on Ubuntu 14.04 is crashing when reading pbac
>> where cn contains symbol "+".
>> You should check if you got these conflict entries in
>> cn=permissions,cn=pbac,dc=example,dc=com and remove them.
>>
>> Ubuntu authentication was working for me directly after the suppression.
>>
>> Regards,
>>
>> --
>> Youenn Piolet
>> piolet.y at gmail.com <mailto:piolet.y at gmail.com>
>> /
>> /
>>
>> 2017-01-09 8:56 GMT+01:00 Jakub Hrozek <jhrozek at redhat.com
>> <mailto:jhrozek at redhat.com>>:
>>
>> On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote:
>> > Sorry for the delay, was doing some troubleshooting.
>> >
>> > Here is what I know now:
>> >
>> > The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu
>> > 14.04).
>> >
>> > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.
>> >
>> > Users in the admin group can't log into these hosts.
>> >
>> > I created a newadmins group and assigned a new user to it. When I add the
>> > "User Administrator" role the new user can't log into the hosts with older
>> > sssd.
>> >
>> > As soon as I delete the "User Administrator" role, new user has access
>> > again.
>>
>> So is it a role membership or a group membership that makes the
>> difference?
>>
>> >
>> > I've pasted the last bit of logs from a sssd_domain log below. I'd be happy
>> > to forward the entire log, or additional logs if they will be helpful.
>>
>> The log only captures a user lookup, not a login, sorry..
>>
>> (This might be expected if you log in e.g. with an SSH key, in which
>> case journald should be the first thing to look at at least to poinpoint
>> which piece denied access..)
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>> Go to http://freeipa.org for more info on the project
>>
>>
>>
>>
>
--
Petr Vobornik
More information about the Freeipa-users
mailing list