On 04/08/2015 01:40 PM, Alexander Frolushkin wrote:
> 
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, April 08, 2015 5:12 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Martin Kosek'; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
> 
> On Wed, Apr 08, 2015 at 11:07:25AM +0000, Alexander Frolushkin wrote:
>> -----Original Message-----
>> From: Martin Kosek [mailto:mko...@redhat.com]
>> Sent: Wednesday, April 08, 2015 4:47 PM
>> To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig
>> Krispenz; Thierry Bordaz; Jakub Hrozek
>> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>>
>>>> In any case, upgrade from 3.3 to 4.1 should just work, you just need to 
>>>> have recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
>>>>
>>>> Please note, we currently have three servers with IPA 4.1.0, and 13 
>>>> servers with IPA 3.3.3 working simultaneously.
>>>> Also about hbac:
>>>>
>>>> [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com]
>>
>>> CCing Jakub, but this looks like
>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1135433
> 
>> This is actually https://fedorahosted.org/sssd/ticket/2603
> 
>> According to the RDN: "agreements+nsuniqueid=" there is a replication 
>> conflict on the servers. Latest SSSD builds are able to handle those, but 
>> you should fix the server anyway.
> 
> Thank you!
> The conflict has already been resolved:
> 
> # ldapsearch -D "uid=admin,cn=users,cn=accounts,dc=unix,dc=ad,dc=com" -W -b "nsds5ReplConflict=*" \* nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <nsds5ReplConflict=*> with scope subtree
> # filter: (objectclass=*)
> # requesting: * nsds5ReplConflict
> #
> 
> # search result
> search: 2
> result: 32 No such object
> 
> # numResponses: 1
> 
> After that, clients are able to log in via ssh on servers connected to 7.1 
> servers, but still no login on client servers connected to 7.0 IPA servers...

Good! Does it only happen for users that have any RBAC role assigned or are
non-privileged users able to log in?

I suspect you may be hitting
https://bugzilla.redhat.com/show_bug.cgi?id=1140888

fixed in RHEL-7.1 DS and IPA.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
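
The RDN check described in the thread (a leftmost RDN that is multi-valued and carries `nsuniqueid` marks a replication conflict entry), applied to SSSD parse-error lines. This is an added example, not part of the original messages and not SSSD or FreeIPA code; the function names and the sample log lines, including the `nsuniqueid` value, are constructed for illustration.

```python
import re

# DN reported by the hbac parse-error message in the form quoted in the thread.
PARSE_ERROR = re.compile(r"\[hbac_eval_user_element\].*?Parse error on \[(?P<dn>.+)\]\s*$")

def split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators in place."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]
            i += 2
        elif text[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    parts.append(cur)
    return parts

def conflict_uniqueid(dn):
    """Return the nsuniqueid value if the leftmost RDN is multi-valued and carries one."""
    avas = split_unescaped(split_unescaped(dn, ",")[0], "+")
    if len(avas) < 2:
        return None
    for ava in avas:
        attr, _, value = ava.partition("=")
        if attr.strip().lower() == "nsuniqueid":
            return value.strip()
    return None

def find_conflicts(lines):
    """Return (dn, nsuniqueid) for every parse-error line that names a conflict entry."""
    hits = []
    for line in lines:
        m = PARSE_ERROR.search(line)
        uid = conflict_uniqueid(m.group("dn")) if m else None
        if uid is not None:
            hits.append((m.group("dn"), uid))
    return hits

# Constructed sample lines; the nsuniqueid value is a placeholder, not from the thread.
SAMPLE_LOG = [
    "[hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements+nsuniqueid=00000000-00000000-00000000-00000000,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com]",
    r"[hbac_eval_user_element] (0x0080): Parse error on [cn=a\+b,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com]",
    "[hbac_evaluate] (0x0100): constructed unrelated line",
]

if __name__ == "__main__":
    for dn, uid in find_conflicts(SAMPLE_LOG):
        print(f"conflict entry: {dn} (nsuniqueid={uid})")
```

An escaped `\+` inside an attribute value is not treated as a multi-valued RDN, so ordinary entries whose names contain a plus sign are not flagged.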