[Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
Rob Crittenden
rcritten at redhat.com
Tue Nov 9 18:26:08 UTC 2010
Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> (resending to the list, I accidentally replied to Rob only before..)
>>
>> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/154
>>>>
>>>> The second patch removes the /ipatest section that has been commented
>>>> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore
>>>> :-)
>>>
>>> Migration doesn't seem to be working. The migration page itself comes up
>>> fine and prompts for data but when I enter the password of a migrated
>>> user I don't seem to be getting valid kerberos keys. kinit doesn't work
>>> in any case. It could also be that I'm tired. Does a migrated account
>>> work for you?
>>>
>>
>> It does for me -- or at least I think it's working. This is how I tested:
>> 1) migrate users from LDAP using the migrate-ds plugin.
>> 2) try kinit - preauth will fail
>> 3) go to the migration page, enter username/password This redirects me
>> to the ui page if the credentials are correct.
>> 4) kinit for the user works now
>>
>> This is on the current master + the two patches under review, on a F13
>> host migrating from 389 DS on another F13 machine.
>
> I still can't get this to work on my F12 machine. The LDAP password is
> ok, I confirmed that with ldapsearch.
>
> My process is as yours. I get redirected to the UI page which fails
> because I haven't done a kinit yet. I go do the kinit and that fails.
>
> The KDC is logging:
>
> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH:
> tuser2 at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional
> pre-authentication required
> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth
> (timestamp) verify failure: Decrypt integrity check failed
> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED:
> tuser2 at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt integrity
> check failed
>
> I think the timestamp part is bogus, I think this just means the
> password is bad.
>
> I noticed that krbPrincipalKey is getting migrated as well. If I delete
> this before trying the migration the password works.
>
> I find it unlikely that this is related to your mod_wsgi conversion so
> I'm going to open a separate ticket on that and ack your changes.
>
> ACK
>
> rob
pushed to master
More information about the Freeipa-devel
mailing list