[Freeipa-devel] ipa-server-install Unable to set admin password

Rob Crittenden rcritten at redhat.com
Fri Jan 8 13:43:42 UTC 2010


tatiana philippova wrote:
> Hi Rob,
> many thanks for reply, here is information requested
> 
> On Fri, Jan 8, 2010 at 4:10 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> tatiana philippova wrote:
>>> Hi, I have an issue with freeipa v 1.9.0.pre1 on Fedora12 (virtual)
>>> ..actually - not just one issue, a couple of them.
>>>
>>> freeipa rpms were built from tarball (downloaded from official site)
>>> ipa-server-1.9.0.pre1-0.fc12.x86_64
>>> ipa-client-1.9.0.pre1-0.fc12.x86_64
>>> ipa-server-selinux-1.9.0.pre1-0.fc12.x86_64
>>> ipa-python-1.9.0.pre1-0.fc12.x86_64
>>> ipa-admintools-1.9.0.pre1-0.fc12.x86_64
>>>
>>>
>>> the first issue appears during server setup:
>>> #ipa-server-install -N
>>> ..
>>> Applying LDAP updates
>>> restarting the directory server
>>> restarting the KDC
>>> Sample zone file for bind has been created in /tmp/sample.zone.xe_hlt.db
>>> Unable to set admin password Command '/usr/lib64/mozldap/ldappasswd -D
>>> cn=Directory Manager -w pass1 -P
>>> /etc/dirsrv/slapd-INTERNAL-MYNET-COM//cert8.db -ZZZ -s pass2
>>> uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com' returned
>>> non-zero exit status 1
> also noticed the following in /var/log/dirsrv/slapd-INTERNAL-BULLETIN-NET/errors:
> [08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - krb5_c_string_to_key
> failed [Bad encryption type]
> [08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - key encryption/encoding failed

Well, that explains why the admin password wasn't set. Simo, any thoughts?

ipa_pwd_extop is the 389-ds plugin we use to keep the LDAP password and 
the kerberos principal key in sync.

What version of krb5-server do you have installed? rpm -q krb5-server

>>> ..
>>>
>>> when I start ldappasswd manually with the same parameters -
>>> ldap_simple_bind: No such object
>> Can you provide a log snippet from the 389ds access log
>> (/var/log/slapd-INTERNAL-MYNET-COM/access) showing these?
> 
> when command manually started:
> /usr/lib64/mozldap/ldappasswd -D cn=Directory Manager -w pass1 -P
> /etc/dirsrv/slapd-INTERNAL-MYNET-COM//cert8.db -ZZZ -s pass2
> uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
> ldap_simple_bind: No such object
> 
> /var/log/dirsrv/slapd-INTERNAL-MYNET-COM/access:
> 
> [08/Jan/2010:10:24:50 +1300] conn=13 fd=69 slot=69 connection from ::1 to ::1
> [08/Jan/2010:10:24:50 +1300] conn=13 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [08/Jan/2010:10:24:50 +1300] conn=13 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [08/Jan/2010:10:24:50 +1300] conn=13 SSL 128-bit RC4
> [08/Jan/2010:10:24:50 +1300] conn=13 op=1 BIND dn="cn=Directory"
> method=128 version=3
> [08/Jan/2010:10:24:50 +1300] conn=13 op=2 UNBIND
> [08/Jan/2010:10:24:50 +1300] conn=13 op=2 fd=69 closed - U1
> [08/Jan/2010:10:24:51 +1300] conn=13 op=1 RESULT err=32 tag=97
> nentries=0 etime=1

You need to put quotes around "cn=Directory Manager".

> 
>>> output from ldapsearch:
>>>
>>> ldapsearch -x -D "cn=Directory Manager" -w pass1 -b
>>> cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
>>> krbprincipalname=admin krbPrincipalKey
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=users,cn=accounts,dc=internal,dc=mynet,dc=com> with scope
>>> subtree
>>> # filter: krbprincipalname=admin
>>> # requesting: krbPrincipalKey
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>> The krbprincipalname would be admin at INTERNAL.MYNET.COM
> oops, sorry. here is the correct output:
> 
> [root at freeipa log]# ldapsearch -x -D "cn=Directory Manager" -w pass1
> -b cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
> krbprincipalname=admin at INTERNAL.MYNET.COM krbPrincipalKey
> # extended LDIF
> #
> # LDAPv3
> # base <cn=users,cn=accounts,dc=internal,dc=mynet,dc=com> with scope subtree
> # filter: krbprincipalname=admin at INTERNAL.MYNET.COM
> # requesting: krbPrincipalKey.
> #
> # admin, users, accounts, internal.MYNET.COM
> dn: uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1

Ok, that is about what I would expect since the password setting failed.

> 
> 
> and in /var/log/dirsrv/slapd-INTERNAL-MYNET-COM/access:
> 
> [08/Jan/2010:10:27:14 +1300] conn=15 fd=69 slot=69 connection from
> 127.0.0.1 to 127.0.0.1
> [08/Jan/2010:10:27:14 +1300] conn=15 op=0 BIND dn="cn=Directory
> Manager" method=128 version=3
> [08/Jan/2010:10:27:14 +1300] conn=15 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=directory manager"
> [08/Jan/2010:10:27:14 +1300] conn=15 op=1 SRCH
> base="cn=users,cn=accounts,dc=internal,dc=mynet,dc=com" scope=2
> filter="(krbPrincipalName=admin at INTERNAL.MYNET.COM)"
> attrs="krbPrincipalKey"
> [08/Jan/2010:10:27:14 +1300] conn=15 op=1 RESULT err=0 tag=101
> nentries=1 etime=0
> [08/Jan/2010:10:27:14 +1300] conn=15 op=2 UNBIND
> [08/Jan/2010:10:27:14 +1300] conn=15 op=2 fd=69 closed - U1
> 
>>> the second issue:
>>> The password for this file is in
>>> /etc/dirsrv/slapd-INTERNAL-MYNET-COM/pwdfile.txt
>>>
>>> but in log file
>>> 2010-01-07 21:36:44,054 INFO pk12util: PKCS12 EXPORT SUCCESSFUL
>>> 2010-01-07 21:36:44,103 INFO certutil: Could not find: CA certificate
>>> : security library: bad database.
>> Can you see what certificates exist in the database?
>>
>> certutil -L -d /etc/dirsrv/slapd-INTERNAL-MYNET-COM/
> 
> [root at freeipa log]# certutil -L -d /etc/dirsrv/slapd-INTERNAL-MYNET-COM/
> 
> Certificate Nickname                                     Trust Attributes
> 
> SSL,S/MIME,JAR/XPI
> Server-Cert                                                  u,u,u
> CA certificate                                               CT,,C

Hmm. How about: certutil -L -d /etc/httpd/alias/

thanks

rob

> 
> 
>>> and my password file pwdfile.txt is empty
>> We weren't setting a password on the 389-ds NSS database, this has been
>> changed since the alpha release.
> thanks for this tip
>> rob
>>
>>>
>>> Could somebody kindly help me with these problems?
>>>
>>>
>>>
>>> Many thanks in advance
>>> Tatiana
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
> 
> Kindest regards
> Tatiana
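A worked example added here, not part of the thread or of FreeIPA itself, that shows the two things Rob's diagnosis rests on: first, that an unquoted `-D cn=Directory Manager` is split by the shell so ldappasswd binds as `cn=Directory` (which is why the access log shows `BIND dn="cn=Directory"` followed by `err=32`, LDAP noSuchObject); second, how to pair BIND and RESULT entries in a 389-ds access log by their `(conn, op)` key, which matters because, as in the quoted log, the RESULT for op=1 is written after the op=2 UNBIND. The sample log below is constructed from the lines quoted in the thread (joined onto single lines); the function names are my own.

```python
import re
import shlex

# Constructed sample modelled on the 389-ds access log lines quoted in the
# thread; each entry is joined onto one line as 389-ds actually writes it.
SAMPLE_ACCESS_LOG = """\
[08/Jan/2010:10:24:50 +1300] conn=13 fd=69 slot=69 connection from ::1 to ::1
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[08/Jan/2010:10:24:50 +1300] conn=13 SSL 128-bit RC4
[08/Jan/2010:10:24:50 +1300] conn=13 op=1 BIND dn="cn=Directory" method=128 version=3
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 UNBIND
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 fd=69 closed - U1
[08/Jan/2010:10:24:51 +1300] conn=13 op=1 RESULT err=32 tag=97 nentries=0 etime=1
[08/Jan/2010:10:27:14 +1300] conn=15 fd=69 slot=69 connection from 127.0.0.1 to 127.0.0.1
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 UNBIND
"""

# One access-log entry: timestamp, conn, optional op, then the operation text.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')


def bind_outcomes(log_text):
    """Pair every BIND with the RESULT that carries the same (conn, op).

    Returns a list of (conn, op, dn, err) sorted by conn/op; err is None if
    no RESULT was logged. Keying on (conn, op) instead of assuming that the
    RESULT follows the BIND directly is what makes the out-of-order entry in
    the thread (RESULT for op=1 logged after UNBIND op=2) pair correctly.
    """
    binds, results = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('op') is None:
            continue  # connection open/close and SSL lines carry no op
        key = (int(m.group('conn')), int(m.group('op')))
        rest = m.group('rest')
        b = BIND_RE.match(rest)
        if b:
            binds[key] = b.group('dn')
            continue
        r = RESULT_RE.match(rest)
        if r:
            results[key] = int(r.group('err'))
    return [(conn, op, dn, results.get((conn, op)))
            for (conn, op), dn in sorted(binds.items())]


def failed_binds(log_text):
    """Binds whose RESULT was non-zero (err=32 noSuchObject, err=49 bad creds, ...)."""
    return [o for o in bind_outcomes(log_text) if o[3] not in (0, None)]


def bind_dn_from_cmdline(cmdline):
    """Return the -D value exactly as a POSIX shell would pass it to ldappasswd.

    shlex.split applies the shell's word splitting, so an unquoted DN with a
    space in it is cut at the space, just as in the failing command in the thread.
    """
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg == '-D' and i + 1 < len(argv):
            return argv[i + 1]
    return None


if __name__ == '__main__':
    for conn, op, dn, err in bind_outcomes(SAMPLE_ACCESS_LOG):
        print(f'conn={conn} op={op} bind as {dn!r}: err={err}')
    print(bind_dn_from_cmdline('ldappasswd -D cn=Directory Manager -w pass1'))
    print(bind_dn_from_cmdline('ldappasswd -D "cn=Directory Manager" -w pass1'))
```

Run over the sample, `failed_binds` reports only conn=13 op=1 (`cn=Directory`, err=32), while the quoted bind on conn=15 succeeds; the same pairing logic applied to a real access log is a cheap way to spot repeated failed binds as the Directory Manager account.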
