[Freeipa-devel] setting passwords stopped working

Jan-Frode Myklebust janfrode at tanso.net
Thu Jun 26 20:31:06 UTC 2008


I just did a new install of Fedora9 + ipa-server-1.1.0-3.fc9.ppc, and
successfully got through the "ipa-server-install" now.

And now I get into another issue I also saw the last time I did a fresh
Fedora9+IPA. Firefox3 refuses to let me access the gui, complaining
about:

    sec_error_reused_issuer_and_serial

Last time I had this problem, I wasn't able to get around it on the
Firefox side, so I re-ran ipa-server-install, and got a valid certificate
on the second run. But this didn't work now that I used
"ipa-server-install --uninstall" to uninstall it.

So, does anybody have a workaround for this problem?

I'm also seeing a few SELinux denials (but changed to permissive mode to
allow them):

type=1400 audit(1214511568.498:10): avc:  denied  { create } for  pid=4364 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
type=1404 audit(1214511588.842:11): enforcing=0 old_enforcing=1 auid=0 ses=2
type=1400 audit(1214511598.891:12): avc:  denied  { create } for  pid=4621 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file

And -- the directory server dies when I try my first kinit with password change:

$ kinit janfrode
Password for janfrode at TANSO.NET: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit(v5): Password change failed while getting initial credentials

But I can't find any other errors from the directory server dying than:

Jun 26 22:23:48 minimac kpasswd[4911]: ldap_result() failed. (-1)
Jun 26 22:23:48 minimac kpasswd[4911]: Server Error while performing LDAP password change

And this is with openldap, not mozldap:

# ldd /usr/sbin/ipa_kpasswd
    linux-vdso32.so.1 =>  (0x00100000)
    libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0ff94000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0fed0000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0fe86000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0x0fe62000)
    libc.so.6 => /lib/libc.so.6 (0x0fcae000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x0fc7c000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x0fc39000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0fbfa000)
    libssl.so.7 => /lib/libssl.so.7 (0x0fb96000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x0f9f7000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0f9cd000)
    libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0f9aa000)
    /lib/ld.so.1 (0x48000000)
    libdl.so.2 => /lib/libdl.so.2 (0x0f979000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x0f921000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0f8ce000)
    libz.so.1 => /lib/libz.so.1 (0x0f899000)
    libselinux.so.1 => /lib/libselinux.so.1 (0x0f848000)



  -jf



