[Freeipa-devel] setting passwords stopped working
Simo Sorce
ssorce at redhat.com
Thu Jun 26 20:38:33 UTC 2008
On Thu, 2008-06-26 at 22:31 +0200, Jan-Frode Myklebust wrote:
> I just did a new install of Fedora9 + ipa-server-1.1.0-3.fc9.ppc, and
> successfully got through the "ipa-server-install" now.
>
> And now I get into another issue I also saw the last time I did a fresh
> Fedora9+IPA. Firefox3 refuses to let me access the gui, complaining
> about:
>
> sec_error_reused_issuer_and_serial

This makes me think you imported/acknowledged a previous SSL certificate
by the same name and FF refuses to use another one that conflicts.
Purge the SSL cert from firefox and retry.

> Last time I had this problem, I wasn't able to get around it on the
> firefox side, so I re-ran ipa-server-install, and got a valid certificate
> on the second run. But this didn't work now that I used
> "ipa-server-install --uninstall" to uninstall it.
>
> So, anybody have a workaround for this problem ?

Avoid reinstalling everything from scratch for minor problems; let's
try to see what's wrong and fix it instead :)

> I'm also seeing a few selinux denials (but changed to permissive mode to
> allow them):
>
> type=1400 audit(1214511568.498:10): avc: denied { create } for pid=4364 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
> type=1404 audit(1214511588.842:11): enforcing=0 old_enforcing=1 auid=0 ses=2
> type=1400 audit(1214511598.891:12): avc: denied { create } for pid=4621 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
>
> And -- the directory server dies when I try my first kinit with password change:
>
> $ kinit janfrode
> Password for janfrode at TANSO.NET:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials
>
> But I can't find any other errors from the directory server dying than:
>
> Jun 26 22:23:48 minimac kpasswd[4911]: ldap_result() failed. (-1)
> Jun 26 22:23:48 minimac kpasswd[4911]: Server Error while performing LDAP password change
>
> And this is with openldap, not mozldap:
>
> # ldd /usr/sbin/ipa_kpasswd
> linux-vdso32.so.1 => (0x00100000)
> libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0ff94000)
> libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0fed0000)
> libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0fe86000)
> libcom_err.so.2 => /lib/libcom_err.so.2 (0x0fe62000)
> libc.so.6 => /lib/libc.so.6 (0x0fcae000)
> liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x0fc7c000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x0fc39000)
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0fbfa000)
> libssl.so.7 => /lib/libssl.so.7 (0x0fb96000)
> libcrypto.so.7 => /lib/libcrypto.so.7 (0x0f9f7000)
> libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0f9cd000)
> libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0f9aa000)
> /lib/ld.so.1 (0x48000000)
> libdl.so.2 => /lib/libdl.so.2 (0x0f979000)
> libcrypt.so.1 => /lib/libcrypt.so.1 (0x0f921000)
> libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0f8ce000)
> libz.so.1 => /lib/libz.so.1 (0x0f899000)
> libselinux.so.1 => /lib/libselinux.so.1 (0x0f848000)

Will try to repro, a stack trace would be extremely useful though.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
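
The audit records quoted in the message above can be read mechanically. The following is an added example, not part of the original message or of FreeIPA: it parses the three quoted kernel audit lines and tags each AVC denial with the SELinux mode in force at the time, using the `old_enforcing` field of the type=1404 (`AUDIT_MAC_STATUS`) record to classify denials logged before the switch to permissive mode. The function names are illustrative.

```python
import re
from collections import Counter

# The three kernel audit records quoted in the message above (leading "> " removed).
SAMPLE = """\
type=1400 audit(1214511568.498:10): avc: denied { create } for pid=4364 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
type=1404 audit(1214511588.842:11): enforcing=0 old_enforcing=1 auid=0 ses=2
type=1400 audit(1214511598.891:12): avc: denied { create } for pid=4621 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
"""

HEAD = re.compile(r"type=(\d+) audit\(\d+\.\d+:(\d+)\): (.*)")
AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Return one dict per AVC denial, tagged with the SELinux mode in force."""
    denials, mode = [], None           # mode: True=enforcing, None=not yet known
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue
        rtype, serial, body = int(m.group(1)), int(m.group(2)), m.group(3)
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        if rtype == 1404:              # AUDIT_MAC_STATUS: enforcing mode changed
            old = fields["old_enforcing"] == "1"
            for d in denials:          # backfill denials seen before the switch
                if d["enforcing"] is None:
                    d["enforcing"] = old
            mode = fields["enforcing"] == "1"
        elif rtype == 1400 and (a := AVC.search(body)):   # AUDIT_AVC
            denials.append({
                "serial": serial, "perms": a.group(1).split(),
                "comm": fields["comm"], "tclass": fields["tclass"],
                "source": fields["scontext"].split(":")[2],   # domain type
                "target": fields["tcontext"].split(":")[2],   # object type
                "enforcing": mode,
            })
    return denials

def summarize(denials):
    """Count denials per (source type, target type, class, perm, enforcing)."""
    c = Counter()
    for d in denials:
        for p in d["perms"]:
            c[(d["source"], d["target"], d["tclass"], p, d["enforcing"])] += 1
    return c

if __name__ == "__main__":
    label = {True: "blocked", False: "logged only (permissive)", None: "mode unknown"}
    for (src, tgt, cls, perm, enf), n in summarize(parse(SAMPLE)).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }} {label[enf]}")
```

On the quoted lines this reports one `create` denial that was actually blocked and one that was only logged after the change to permissive mode.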