
Thread: sssd no login after update to 1.12.2-3.11.1

  1. #1

    Post sssd no login after update to 1.12.2-3.11.1

    Hi all

    Got a few openSUSE 13.2 based clients. All of them are set up to use sssd and LDAP based login and user management. Yesterday I wanted to start migrating the clients to Leap. As it is recommended, I updated to the latest level of 13.2, did that on one machine and thereafter: disaster! No more user logins were possible!

    Code:
    systemctl status sssd -l 
    Could not start TLS encryption. error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate expired)
    I verified for good, the certificate is valid until 2042.

    here is my sssd.conf

    Code:
    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = default
    
    [nss]
    filter_groups = root
    filter_users = root
    
    [pam]
    [domain/default]
    id_provider = ldap
    chpass_provider = ldap
    auth_provider = ldap
    ldap_schema = rfc2307bis
    ldap_uri = ldap://brutus.k23.lan
    enumerate = True
    ldap_group_uuid = entryuuid
    ldap_user_uuid = entryuuid
    ldap_tls_cacert = /etc/ssl/certs/YaST-CA.pem
    #ldap_tls_cacertdir = /etc/ssl/certs
    cache_credentials = true

    I checked for the certificate file /etc/ssl/certs/YaST-CA.pem, it's there, readable and, as mentioned before, valid. Need to mention: the two running machines use the very same YaST-CA.pem, guess that's proof enough it is OK.

    I tried to find out about sssd version, 1.12.2-3.4.1 works on two machines not yet updated, the updated machine runs 1.12.2-3.11.1.

    I have been digging all over the internet to find a clue, even checked the changelogs in sssd, but maybe I am just looking in the wrong places.

    So, I would appreciate a bit of help here (the now defunct machine is my wife's, so guess I am under pressure :-))

    greez
    chris

    PS: just found this: https://bugzilla.opensuse.org/show_bug.cgi?id=953929
    seems to be my problem, alas: no solution
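    The error above says "certificate expired" while the CA file is dated until 2042, so the first thing to establish is what the verifying client's own clock makes of that validity window. The following is an added check (example code, not from the thread, the sssd project or openSUSE): it builds a constructed, throwaway self-signed CA standing in for YaST-CA.pem, then judges its NotBefore/NotAfter against a supplied clock and also flags a NotAfter past the range of a signed 32-bit time_t, since that is one reason a date-based verdict can disagree with the dates printed on the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Last instant a signed 32-bit time_t can hold; a NotAfter past it is worth noting.
var time32Max = time.Date(2038, 1, 19, 3, 14, 7, 0, time.UTC)

// checkCA judges a DER CA cert's validity window against the verifying client's clock.
func checkCA(der []byte, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	switch {
	case now.Before(cert.NotBefore):
		return "not yet valid", nil
	case now.After(cert.NotAfter):
		return "expired", nil
	case cert.NotAfter.After(time32Max):
		return "valid, NotAfter beyond 32-bit time_t range", nil
	}
	return "valid", nil
}

// makeCA builds a constructed, throwaway self-signed CA (stand-in for YaST-CA.pem).
func makeCA(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// NotAfter in 2042 as in the thread; NotBefore is a constructed value.
	der, _ := makeCA(time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2042, 1, 1, 0, 0, 0, 0, time.UTC))
	v, _ := checkCA(der, time.Now()) // judge with this machine's clock, as the sssd client does
	fmt.Println("verdict:", v)
}
```

    To run the same check against the real file, decode /etc/ssl/certs/YaST-CA.pem with encoding/pem and pass the resulting bytes to checkCA; the verdict only describes the validity window, not the signature or trust chain.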

  2. #2

    Re: sssd no login after update to 1.12.2-3.11.1

    First,
    As a general rule of thumb,
    I'd say that it'd be a better SOP to upgrade servers before clients, and if necessary implement configurations that provide backwards compatibility. You'll be working on fewer machines to resolve issues (at least expectedly). Hopefully your LDAP servers are deployed in virtual machines, which can greatly ease migration and upgrading issues (rollbacks, testing, etc.).

    The bug you referenced is interesting...
    I'd speculate his issue could possibly be related to a change in security levels, his old certs wouldn't be valid and may need to be regenerated.

    I don't know if your situation would be related, but again this is why you should upgrade your Servers first... The upgraded LDAP Domain may be pushing new certs to the clients(especially if there is a compatibility configuration).

    In other words, you may also want to research and look for an LDAP upgrade guide for the versions of LDAP you're upgrading from/to (Which wouldn't likely be related to the version of openSUSE specifically) and perhaps the experiences anyone may have posted.

    HTH,
    TSU

  3. #3

    Re: sssd no login after update to 1.12.2-3.11.1

    Hi Tsu

    Thanks for your thoughts. However I guess I need to get this straight: none of the clients and servers in question run Leap so far. They all are on 13.2.

    However, I will consider your suggestion to up>grade< the servers first. As a matter of fact, I am already in the process of doing it, got a spare machine for that.

    Still, the issue is unresolved: when up>dating< 13.2 clients from sssd 1.12.2-3.4.1 to 1.12.2-3.11.1, sssd based logins to a 13.2 based LDAP server are defunct. That's what I need help for at the moment.

    So if there is a brave soul out there to give me a clue, I would really appreciate that.

    greez

    chris
