On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote:
> On Mon, 04 Jun 2012, Martin Kosek wrote:
> >I did another round of testing and this is what I found so far:
> >
> >1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed
> >that)
> >
> >2) Unit tests need to be updated, currently there is about a dozen test
> >case errors, e.g. extra ipakrbprincipalalias attribute in services or
> >new ipakrbprincipal objectclass for hosts
> Ok, will fix.
>
> >3) Replication did not work too well for me this time.
> >ipa-replica-install reported just one issue during installation process:
> >
> >2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation
> >2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h
> >vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D
> >cn=Directory Manager -y /tmp/tmppqaAdV
> >2012-06-04T09:42:51Z DEBUG stdout=
> >2012-06-04T09:42:51Z DEBUG
> >stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
> >ldapmodify: wrong attributeType at line 5, entry
> >"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
> >dc=lab,dc=bos,dc=redhat,dc=com"
> >
> >2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif:
> >Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v
> >-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV'
> >returned non-zero exit status 247
> Found and fixed. The issue was in not following RFC2849 when specifying
> multiple changetype operations, you need to split their definitions by a
> single line with '-' on it.
>
> I squashed the fix back to the original patch.
>
> >But this may be just a symptom of some bigger issue.
> >After the
> >installation finished, DS did not start, it kept reporting Kerberos
> >issues:
> >
> >[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial
> >credentials for principal
> >[ldap/vm-057.idm.lab.bos.redhat....@idm.lab.bos.redhat.com] in keytab
> >[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> >[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All
> >Interfaces port 389 for LDAP requests
> >[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for
> >LDAPS requests
> >[04/Jun/2012:05:46:00 -0400] - Listening
> >on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
> >[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error:
> >could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> >-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> >GSS failure. Minor code may provide more information (Credentials cache
> >file '/tmp/krb5cc_498' not found)) errno 0 (Success)
> >[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform
> >interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin -
> >agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication
> >bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
> >generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> >provide more information (Credentials cache file '/tmp/krb5cc_498' not
> >found))
> >
> >When I run "ipactl restart", dirsrv started and I was able to kinit.
> Maybe it is a timing issue?
>
> >4) Patch "Add separate attribute to store trusted domain SID" still has
> >a wrong service part of the principal to be removed (s/ldap/cifs):
> >
> >+ dn3 = DN(u'cn=ipa-cifs-delegation-targets',
> >api.env.container_s4u2proxy, self.suffix)
> >+ member_principal3 = "ldap/%(fqdn)s@%(realm)s" %
> >dict(fqdn=replica, realm=realm)
> >+
> >
> >This leaves the CIFS entry in the S4U2Proxy configuration even after replica
> >uninstallation.
> Fixed and squashed back to the original patch.
>
> >Btw. these are the packages I use:
> >389-ds-base-1.2.10.4-2.fc17.x86_64
> >krb5-server-1.10-5.fc17.x86_64
> >samba4-4.0.0-123alpha21.fc17.x86_64
> Same here. For me anything newer than 1.2.10.4-2 will blow 389-ds.
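Review bot: in the quoted hunk, `member_principal3` is built with an "ldap/" service part while `dn3` names cn=ipa-cifs-delegation-targets, so the removal targets the wrong principal and, as noted above, the replica's CIFS membership survives uninstallation; the value should be "cifs/%(fqdn)s@%(realm)s", and it would be safer to keep the (target cn, service) pairs in one list shared by the install and uninstall paths so the two cannot drift apart again.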
I tested your latest tree against w2k8r2 and was able to create and validate
the trust. So ACK to the functional part.

bye,
Sumit

> --
> / Alexander Bokovoy
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
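The RFC 2849 point raised above (a `changetype: modify` record with more than one add/delete/replace block needs a line holding only `-` between the blocks, or ldapmodify rejects it with "wrong attributeType") can be checked before an LDIF file is handed to ldapmodify. The following is an added example written for this page, not FreeIPA's code or the patch under review. The sample record is constructed to resemble the replica-s4u2proxy.ldif failure; the attribute names memberPrincipal and ipaAllowedTarget, the example.com suffix and the principal values are assumptions, not taken from the thread.

```python
"""Checker for the RFC 2849 modify-record rule: every modification spec
(add:/delete:/replace: <attr>) after the first must be preceded by a line
that contains only '-'.

Added example, not FreeIPA code.  Sample records are constructed; the
attribute names memberPrincipal / ipaAllowedTarget and the example.com
suffix are assumptions.
"""
import re

MOD_OPS = ("add", "delete", "replace")
# attr: value   (attr:: base64 also matches; the value is then ': ...', which
# is fine because only the op lines' values are interpreted here)
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*):\s*(.*)$")


def unfold(ldif: str) -> list:
    """Join RFC 2849 continuation lines (a leading space continues the previous line)."""
    lines = []
    for ln in ldif.splitlines():
        if ln.startswith(" ") and lines:
            lines[-1] += ln[1:]
        else:
            lines.append(ln)
    return lines


def check_modify_record(ldif: str) -> list:
    """Return a list of 'line N: ...' problems; an empty list means the record is well formed."""
    problems = []
    in_spec = False       # inside an add:/delete:/replace: block
    current_attr = None   # attribute named by that block
    for n, ln in enumerate(unfold(ldif), 1):
        if ln == "" or ln.startswith("#") or ln.lower().startswith("dn:"):
            continue
        if ln.lower().startswith("changetype:"):
            if ln.split(":", 1)[1].strip().lower() != "modify":
                problems.append(f"line {n}: not a changetype: modify record")
            continue
        if ln == "-":
            if not in_spec:
                problems.append(f"line {n}: '-' separator with no modification spec before it")
            in_spec, current_attr = False, None
            continue
        m = ATTR_LINE.match(ln)
        if not m:
            problems.append(f"line {n}: cannot parse {ln!r}")
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in MOD_OPS:
            if in_spec:
                # The defect from the thread: a second spec with no '-' line
                # in between, which ldapmodify refuses to load.
                problems.append(f"line {n}: '{ln}' starts a new modification "
                                "without a preceding '-' separator")
            in_spec, current_attr = True, value.lower()
            continue
        if not in_spec:
            problems.append(f"line {n}: attribute value outside any modification spec")
        elif key != current_attr:
            problems.append(f"line {n}: wrong attributeType '{key}', expected '{current_attr}'")
    return problems


def insert_separators(ldif: str) -> str:
    """Repair a record by inserting a '-' line before each spec that lacks one."""
    out, in_spec = [], False
    for ln in ldif.splitlines():
        key = ln.split(":", 1)[0].lower()
        if ln == "-":
            in_spec = False
        elif key in MOD_OPS and not ln.startswith(" "):
            if in_spec:
                out.append("-")
            in_spec = True
        out.append(ln)
    return "\n".join(out) + "\n"


# Constructed sample modelled on the replica-s4u2proxy.ldif failure above
# (suffix, attribute names and principal values are assumptions).
BASE_DN = "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com"
GOOD = f"""dn: {BASE_DN}
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.com@EXAMPLE.COM
-
add: ipaAllowedTarget
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
-
"""
BAD = GOOD.replace("-\n", "")   # the same record with both '-' lines dropped

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD), ("REPAIRED", insert_separators(BAD))):
        print(name, check_modify_record(rec) or "ok")
```

The broken sample is laid out so that the second `add:` falls on line 5, the position ldapmodify reported in the log above; the checker flags that line, and `insert_separators` produces a record that passes the check. RFC 2849's grammar also ends the last spec with a `-` line, which the repair does not add because ldapmodify accepts its absence.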