[Freeipa-devel] setting passwords stopped working
Jan-Frode Myklebust
janfrode at tanso.net
Thu Jun 26 20:31:06 UTC 2008
I just did a new install of Fedora9 + ipa-server-1.1.0-3.fc9.ppc, and
successfully got trough the "ipa-server-install" now.
And now I get into another issue I also saw the last time I did a fresh
Fedora9+IPA. Firefox3 refuses to let me access the gui, complaining
about:
sec_error_reused_issuer_and_serial
Last time I had this problem, I wasn't able to get around it on the
firefox side, so I re-ran ipa-server-install, and got a valid certificat
on the second run. But this didn't work now that I used
"ipa-server-install --uninstall" to uninstall it.
So, anybody have a workaround for this problem ?
I'm also seeing a few selinux denials (but changed to permissive mode to
allow them):
type=1400 audit(1214511568.498:10): avc: denied { create } for pid=4364 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
type=1404 audit(1214511588.842:11): enforcing=0 old_enforcing=1 auid=0 ses=2
type=1400 audit(1214511598.891:12): avc: denied { create } for pid=4621 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
And -- the directory server dies when I try my first kinit with password change:
$ kinit janfrode
Password for janfrode at TANSO.NET:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Password change failed while getting initial credentials
But I can't find any other errors from the directory server dying than:
Jun 26 22:23:48 minimac kpasswd[4911]: ldap_result() failed. (-1)
Jun 26 22:23:48 minimac kpasswd[4911]: Server Error while performing LDAP password change
And this is with openldap, not mozldap:
# ldd /usr/sbin/ipa_kpasswd
linux-vdso32.so.1 => (0x00100000)
libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0ff94000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0fed0000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0fe86000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x0fe62000)
libc.so.6 => /lib/libc.so.6 (0x0fcae000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x0fc7c000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0fc39000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0fbfa000)
libssl.so.7 => /lib/libssl.so.7 (0x0fb96000)
libcrypto.so.7 => /lib/libcrypto.so.7 (0x0f9f7000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0f9cd000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0f9aa000)
/lib/ld.so.1 (0x48000000)
libdl.so.2 => /lib/libdl.so.2 (0x0f979000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x0f921000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0f8ce000)
libz.so.1 => /lib/libz.so.1 (0x0f899000)
libselinux.so.1 => /lib/libselinux.so.1 (0x0f848000)
-jf
More information about the Freeipa-devel
mailing list