[Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI

Jakub Hrozek jhrozek at redhat.com
Tue Nov 9 20:14:38 UTC 2010


On 11/09/2010 07:26 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> (resending to the list, I accidentally replied to Rob only before..)
>>>
>>> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>>>> Jakub Hrozek wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/154
>>>>>
>>>>> The second patch removes the /ipatest section that has been commented
>>>>> out in ipa.conf anyway. Plus, we don't ship /usr/share/ipatest anymore
>>>>> :-)
>>>>
>>>> Migration doesn't seem to be working. The migration page itself comes up
>>>> fine and prompts for data but when I enter the password of a migrated
>>>> user I don't seem to be getting valid Kerberos keys. kinit doesn't work
>>>> in any case. It could also be that I'm tired. Does a migrated account
>>>> work for you?
>>>>
>>>
>>> It does for me -- or at least I think it's working. This is how I tested:
>>> 1) migrate users from LDAP using the migrate-ds plugin.
>>> 2) try kinit - preauth will fail
>>> 3) go to the migration page, enter username/password. This redirects me
>>> to the ui page if the credentials are correct.
>>> 4) kinit for the user works now
>>>
>>> This is on the current master + the two patches under review, on a F13
>>> host migrating from 389 DS on another F13 machine.
>>
>> I still can't get this to work on my F12 machine. The LDAP password is
>> ok, I confirmed that with ldapsearch.
>>
>> My process is as yours. I get redirected to the UI page which fails
>> because I haven't done a kinit yet. I go do the kinit and that fails.
>>
>> The KDC is logging:
>>
>> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH:
>> tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional
>> pre-authentication required
>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth
>> (timestamp) verify failure: Decrypt integrity check failed
>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED:
>> tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity
>> check failed
>>
>> I think the timestamp part is bogus, I think this just means the
>> password is bad.
>>
>> I noticed that krbPrincipalKey is getting migrated as well. If I delete
>> this before trying the migration the password works.
>>
>> I find it unlikely that this is related to your mod_wsgi conversion so
>> I'm going to open a separate ticket on that and ack your changes.
>>
>> ACK
>>
>> rob
> 
> pushed to master

Thanks! Do you think it makes sense to also review and potentially push
the second patch in the original thread?
(jhrozek-freeipa-0003-Remove-some-more-mod_python-references.patch)

	Jakub
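
Added example (not part of the original thread and not FreeIPA code): a small Python parser for krb5kdc AS_REQ lines like those quoted above, listing principals whose most recent request ended in PREAUTH_FAILED. A wrong password and a stored key that does not match the password look the same in this log, so after a migration this is the list of accounts to check. The sample log is constructed from the quoted lines; the `tuser3` entries and the `ISSUE` line are assumptions added to show a successful request.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the KDC lines quoted in the thread
# (wrapped records joined; tuser3 and its ISSUE line are assumptions).
SAMPLE_LOG = """\
Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Nov 08 15:52:10 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tuser3@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 08 15:52:12 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: ISSUE: authtime 1289231532, etypes {rep=18 tkt=18 ses=18}, tuser3@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# "AS_REQ (<etypes>) <client ip>: <STATUS>: <details>"
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(.*?\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" appears in every status variant.
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^,\s]+)")


def summarize(log_text):
    """Return {client principal: [AS_REQ status, ...]} in log order."""
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        req = AS_REQ.search(line)
        if not req:
            continue  # skips free-text lines such as "preauth (timestamp) verify failure"
        princ = PRINCIPALS.search(req.group("rest"))
        if princ:
            outcomes[princ.group("client")].append(req.group("status"))
    return dict(outcomes)


def key_mismatch_candidates(log_text):
    """Principals whose latest AS_REQ ended in PREAUTH_FAILED (no later ISSUE)."""
    return sorted(
        client for client, statuses in summarize(log_text).items()
        if statuses[-1] == "PREAUTH_FAILED"
    )


if __name__ == "__main__":
    for principal in key_mismatch_candidates(SAMPLE_LOG):
        print(principal)
```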
