[Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI

Rob Crittenden rcritten at redhat.com
Wed Nov 10 22:38:47 UTC 2010


Jakub Hrozek wrote:
> On 11/09/2010 07:26 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> (resending to the list, I accidentally replied to Rob only before..)
>>>>
>>>> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>>>>> Jakub Hrozek wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/154
>>>>>>
>>>>>> The second patch removes the /ipatest section that has been commented
>>>>>> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore
>>>>>> :-)
>>>>>
>>>>> Migration doesn't seem to be working. The migration page itself comes up
>>>>> fine and prompts for data but when I enter the password of a migrated
>>>>> user I don't seem to be getting valid Kerberos keys. kinit doesn't work
>>>>> in any case. It could also be that I'm tired. Does a migrated account
>>>>> work for you?
>>>>>
>>>>
>>>> It does for me -- or at least I think it's working. This is how I
>>>> tested:
>>>> 1) migrate users from LDAP using the migrate-ds plugin.
>>>> 2) try kinit - preauth will fail
>>>> 3) go to the migration page, enter username/password. This redirects me
>>>> to the ui page if the credentials are correct.
>>>> 4) kinit for the user works now
>>>>
>>>> This is on the current master + the two patches under review, on a F13
>>>> host migrating from 389 DS on another F13 machine.
>>>
>>> I still can't get this to work on my F12 machine. The LDAP password is
>>> ok, I confirmed that with ldapsearch.
>>>
>>> My process is as yours. I get redirected to the UI page which fails
>>> because I haven't done a kinit yet. I go do the kinit and that fails.
>>>
>>> The KDC is logging:
>>>
>>> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7
>>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH:
>>> tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional
>>> pre-authentication required
>>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth
>>> (timestamp) verify failure: Decrypt integrity check failed
>>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7
>>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED:
>>> tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity
>>> check failed
>>>
>>> I think the timestamp part is bogus, I think this just means the
>>> password is bad.
>>>
>>> I noticed that krbPrincipalKey is getting migrated as well. If I delete
>>> this before trying the migration the password works.
>>>
>>> I find it unlikely that this is related to your mod_wsgi conversion so
>>> I'm going to open a separate ticket on that and ack your changes.
>>>
>>> ACK
>>>
>>> rob
>>
>> pushed to master
>
> Thanks! Do you think it makes sense to also review and potentially push
> the second patch in the original thread?
> (jhrozek-freeipa-0003-Remove-some-more-mod_python-references.patch)

Sorry, I knew it was there, missed it when I was pushing.

ack and pushed to master
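
For anyone triaging migrated accounts from the KDC log quoted earlier in this thread, here is an added example (not part of the original messages or of FreeIPA) that parses AS_REQ lines of that shape and separates the routine NEEDED_PREAUTH reply from a real PREAUTH_FAILED. The function names are illustrative, and the sample input is the quoted excerpt, unwrapped, with the archive's " at " restored to "@".

```python
import re
from collections import defaultdict

# KDC log lines from the excerpt quoted in the thread, unwrapped, with the
# list archive's " at " restored to "@" in principal names.
SAMPLE_LOG = """\
Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

# Matches only the AS_REQ line shape shown in the excerpt; other lines are skipped.
AS_REQ = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<service>[^,]+), (?P<reason>.*)$"
)


def parse_as_req(line):
    """Return a dict of fields for an AS_REQ line, or None for any other line."""
    m = AS_REQ.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec


def summarize(log_text):
    """Count AS_REQ outcomes per (client principal, source IP)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is not None:
            counts[(rec["client"], rec["client_ip"])][rec["status"]] += 1
    return counts


def failed_preauth(log_text):
    """List (principal, IP) pairs with at least one PREAUTH_FAILED.

    NEEDED_PREAUTH on its own is the normal first leg of a login and is not
    reported; PREAUTH_FAILED means the client's key did not match the KDC's.
    """
    return sorted(k for k, v in summarize(log_text).items() if v.get("PREAUTH_FAILED"))


if __name__ == "__main__":
    for principal, ip in failed_preauth(SAMPLE_LOG):
        print(f"pre-authentication failed for {principal} from {ip}")
```
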