[Freeipa-users] Upgrade of schema has broken permissions and now no one can authenticate if they have certain permissions

Alex Williams alex.williams at brighter-technology.com
Thu Oct 8 13:23:51 UTC 2015


Hi folks,

this one is becoming a bit of a major issue now. We upgraded one of our 
IPA3.0.0 servers to use the new dogtag schema over the last few days, 
then created an IPA4 replica from it successfully, upgraded the schema 
on a few more of the IPA3.0.0 servers and joined them into the mix and 
everything appeared to go ok. Unfortunately, the IPA3 replica schemas 
did not appear to get updated automatically, as the redhat upgrade 
documentation suggests it will, so we had to do them manually. One last 
server needed doing this morning and it was manually updated earlier 
today, a force-sync from one of the other servers was done to ensure it 
was up to date and Immediately after the sync finished, everyone was 
then refused authentication for SSH, logging into the web UI for IPA and 
ultimately, our VPN, which is an OpenVPN server on the IPA realm, using 
PAM to authenticate users. We've narrowed this down to permission issues 
by tailing the /var/log/sssd/sssd_OUR_DOMAIN.log, after increasing 
sssd's debug level. We discovered lines like below on a server we were 
attempting to ssh into:

(Thu Oct 8 13:51:16 2015) [sssd[be[domain-replaced.com]]] 
[hbac_eval_user_element] (0x0080): Parse error on [cn=add 
krbprincipalname to a 
host+nsuniqueid=1e4b0d05-6da311e5-a41fad84-67fe4d65,cn=permissions,cn=pbac,dc=domain-replaced,dc=com]
(Thu Oct 8 14:01:45 2015) [sssd[be[domain-replaced.com]]] 
[hbac_eval_user_element] (0x0080): Parse error on [cn=add sudo 
command+nsuniqueid=1e4b0d0a-6da311e5-a41fad84-67fe4d65,cn=permissions,cn=pbac,dc=domain-replaced,dc=com]

If we remove all of a users roles, that user is able to authenticate and 
the SSH session continues unhindered. Of course a user with no roles, 
therefore no permissions, is not really able to do anything, so we have 
to add permissions back in. Unfortunately, there seems to be rather a 
lot of them that are broken.

Any help would be hugely appreciated, as this was a production upgrade, 
after much planning, which somehow seems to have ended up broken.

Kind Regards

Alex Williams




More information about the Freeipa-users mailing list