-
sssd no login after update to 1.12.2-3.11.1
Hi all
Got a few opensuse 13.2 based clients. All of them are set up to use sssd and ldap based login and user management. Yesterday I wanted to start migrating the clients to Leap. It is recommended to update to the latest level of 13.2, so I did that on one machine, and thereafter: disaster! No more user logins were possible!
Code:
systemctl status sssd -l
Could not start TLS encryption. error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (certificate expired)
I verified for good, the certificate is valid until 2042.
here is my sssd.conf
Code:
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/default]
id_provider = ldap
chpass_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://brutus.k23.lan
enumerate = True
ldap_group_uuid = entryuuid
ldap_user_uuid = entryuuid
ldap_tls_cacert = /etc/ssl/certs/YaST-CA.pem
#ldap_tls_cacertdir = /etc/ssl/certs
cache_credentials = true
I checked for the certificate file /etc/ssl/certs/YaST-CA.pem, it's there, readable and, as mentioned before, valid. Need to mention: the two running machines use the very same YaST-CA.pem, guess that's proof enough it is OK.
I tried to find out about sssd version, 1.12.2-3.4.1 works on two machines not yet updated, the updated machine runs 1.12.2-3.11.1.
I have been digging all over the internet to find a clue, even checked the changelogs in sssd, but maybe I am just looking in the wrong places.
So, I would appreciate a bit of help here (the now defunct machine is my wife's, so guess I am under pressure :-))
greez
chris
PS: just found this: https://bugzilla.opensuse.org/show_bug.cgi?id=953929
seems to be my problem, alas: no solution
-
Re: sssd no login after update to 1.12.2-3.11.1
First,
As a general rule of thumb,
I'd say that it'd be a better SOP to upgrade servers before clients, and if necessary implement configurations that provide backwards compatibility when necessary. You'll be working on fewer machines to resolve issues (at least expectedly). Hopefully your LDAP servers are deployed in virtual machines, which can greatly ease migration and upgrading issues (rollbacks, testing, etc.)
The bug you referenced is interesting...
I'd speculate his issue could possibly be related to a change in security levels, his old certs wouldn't be valid and may need to be regenerated.
I don't know if your situation would be related, but again this is why you should upgrade your servers first... The upgraded LDAP Domain may be pushing new certs to the clients (especially if there is a compatibility configuration).
In other words, you may also want to research and look for an LDAP upgrade guide for the versions of LDAP you're upgrading from/to (Which wouldn't likely be related to the version of openSUSE specifically) and perhaps the experiences anyone may have posted.
HTH,
TSU
-
Re: sssd no login after update to 1.12.2-3.11.1
Hi Tsu
Thanks for your thoughts. However I guess I need to get this straight: none of the clients and servers in question run Leap so far. They all are on 13.2.
However, I will consider your suggestion to up>grade< the servers first. As a matter of fact, I am already in the process of doing it, got a spare machine for that.
Still, the issue is unresolved: when up>dating< 13.2 clients from sssd 1.12.2-3.4.1 to 1.12.2-3.11.1, sssd based logins to a 13.2 based ldap server are defunct. That's what I need help for at the moment.
So if there is a brave soul out there to give me a clue, I would really appreciate that.
greez
chris
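
The "certificate expired" verify error quoted in the first post can refer to any certificate in the chain the server presents, so an expiry check on the CA file alone does not cover the server's own certificate. As an added example (not from the thread or the sssd project), this script builds a throwaway CA and a short-lived server certificate with made-up names, then checks each file's expiry separately and verifies the chain at two points in time:

```shell
#!/bin/sh
# Added example. The CA and server certificate are throwaway test data generated
# below; the names "Example Test CA" and "ldap.example.test" are made up.
work=$(mktemp -d)

# Build a CA valid for 10 years and a server certificate valid for 1 day.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Test CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
  openssl x509 -req -in "$work/srv.csr" -days 1 \
    -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
    -out "$work/srv.pem" 2>/dev/null
}

# cert_state FILE SECONDS: "valid" if FILE is still inside its notAfter
# date SECONDS from now, otherwise "expired".
cert_state() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo expired
  fi
}

# verify_at CAFILE CERT EPOCH: full chain verification as of time EPOCH.
verify_at() {
  openssl verify -CAfile "$1" -attime "$3" "$2" 2>&1 || true
}

make_test_pki
now=$(date +%s)
later=$((now + 3 * 86400))   # three days on: past the server cert's notAfter

echo "CA file in 3 days:     $(cert_state "$work/ca.pem" 259200)"
echo "server cert in 3 days: $(cert_state "$work/srv.pem" 259200)"
echo "verify now:   $(verify_at "$work/ca.pem" "$work/srv.pem" "$now" | tail -n 1)"
echo "verify later: $(verify_at "$work/ca.pem" "$work/srv.pem" "$later" | grep 'error [0-9]')"
```

On a real system the inputs would be the file named in ldap_tls_cacert and a copy of the certificate the LDAP server presents; the client's own clock is the other half of every expiry comparison.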