[Freeipa-users] Upgrade of schema has broken permissions and now no one can authenticate if they have certain permissions
Martin Basti
mbasti at redhat.com
Thu Oct 8 13:29:22 UTC 2015
On 10/08/2015 03:23 PM, Alex Williams wrote:
> Hi folks,
>
> this one is becoming a bit of a major issue now. We upgraded one of
> our IPA3.0.0 servers to use the new dogtag schema over the last few
> days, then created an IPA4 replica from it successfully, upgraded the
> schema on a few more of the IPA3.0.0 servers and joined them into the
> mix and everything appeared to go ok. Unfortunately, the IPA3 replica
> schemas did not appear to get updated automatically, as the redhat
> upgrade documentation suggests it will, so we had to do them manually.
> One last server needed doing this morning and it was manually updated
> earlier today, a force-sync from one of the other servers was done to
> ensure it was up to date and Immediately after the sync finished,
> everyone was then refused authentication for SSH, logging into the web
> UI for IPA and ultimately, our VPN, which is an OpenVPN server on the
> IPA realm, using PAM to authenticate users. We've narrowed this down
> to permission issues by tailing the /var/log/sssd/sssd_OUR_DOMAIN.log,
> after increasing sssd's debug level. We discovered lines like below on
> a server we were attempting to ssh into:
>
> (Thu Oct 8 13:51:16 2015) [sssd[be[domain-replaced.com]]]
> [hbac_eval_user_element] (0x0080): Parse error on [cn=add
> krbprincipalname to a
> host+nsuniqueid=1e4b0d05-6da311e5-a41fad84-67fe4d65,cn=permissions,cn=pbac,dc=domain-replaced,dc=com]
> (Thu Oct 8 14:01:45 2015) [sssd[be[domain-replaced.com]]]
> [hbac_eval_user_element] (0x0080): Parse error on [cn=add sudo
> command+nsuniqueid=1e4b0d0a-6da311e5-a41fad84-67fe4d65,cn=permissions,cn=pbac,dc=domain-replaced,dc=com]
IMHO the entries above have replication conflict
Please follow:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
Martin
>
> If we remove all of a users roles, that user is able to authenticate
> and the SSH session continues unhindered. Of course a user with no
> roles, therefore no permissions, is not really able to do anything, so
> we have to add permissions back in. Unfortunately, there seems to be
> rather a lot of them that are broken.
>
> Any help would be hugely appreciated, as this was a production
> upgrade, after much planning, which somehow seems to have ended up
> broken.
>
> Kind Regards
>
> Alex Williams
>
More information about the Freeipa-users
mailing list