[Freeipa-devel] setting passwords stopped working

Simo Sorce ssorce at redhat.com
Thu Jun 26 20:38:33 UTC 2008


On Thu, 2008-06-26 at 22:31 +0200, Jan-Frode Myklebust wrote:
> I just did a new install of Fedora9 + ipa-server-1.1.0-3.fc9.ppc, and
> successfully got through the "ipa-server-install" now.
> 
> And now I get into another issue I also saw the last time I did a fresh
> Fedora9+IPA. Firefox3 refuses to let me access the gui, complaining
> about:
> 
>     sec_error_reused_issuer_and_serial

This makes me think you imported/acknowledged a previous SSL certificate
by the same name and FF refuses to use another one that conflicts.
Purge the SSL cert from firefox and retry.

> Last time I had this problem, I wasn't able to get around it on the
> firefox side, so I re-ran ipa-server-install, and got a valid certificate
> on the second run. But this didn't work now that I used
> "ipa-server-install --uninstall" to uninstall it.
> 
> So, anybody have a workaround for this problem?

Avoid reinstalling everything from scratch for minor problems; let's
try to see what's wrong and fix it instead :)

> I'm also seeing a few selinux denials (but changed to permissive mode to
> allow them):
> 
> type=1400 audit(1214511568.498:10): avc:  denied  { create } for  pid=4364 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
> type=1404 audit(1214511588.842:11): enforcing=0 old_enforcing=1 auid=0 ses=2
> type=1400 audit(1214511598.891:12): avc:  denied  { create } for  pid=4621 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
> 
> And -- the directory server dies when I try my first kinit with password change:
> 
> $ kinit janfrode
> Password for janfrode at TANSO.NET: 
> Password expired.  You must change it now.
> Enter new password: 
> Enter it again: 
> kinit(v5): Password change failed while getting initial credentials
> 
> But I can't find any other errors from the directory server dying than:
> 
> Jun 26 22:23:48 minimac kpasswd[4911]: ldap_result() failed. (-1)
> Jun 26 22:23:48 minimac kpasswd[4911]: Server Error while performing LDAP password change
> 
> And this is with openldap, not mozldap:
> 
> # ldd /usr/sbin/ipa_kpasswd
>     linux-vdso32.so.1 =>  (0x00100000)
>     libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0ff94000)
>     libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0fed0000)
>     libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0fe86000)
>     libcom_err.so.2 => /lib/libcom_err.so.2 (0x0fe62000)
>     libc.so.6 => /lib/libc.so.6 (0x0fcae000)
>     liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x0fc7c000)
>     libresolv.so.2 => /lib/libresolv.so.2 (0x0fc39000)
>     libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0fbfa000)
>     libssl.so.7 => /lib/libssl.so.7 (0x0fb96000)
>     libcrypto.so.7 => /lib/libcrypto.so.7 (0x0f9f7000)
>     libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0f9cd000)
>     libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0f9aa000)
>     /lib/ld.so.1 (0x48000000)
>     libdl.so.2 => /lib/libdl.so.2 (0x0f979000)
>     libcrypt.so.1 => /lib/libcrypt.so.1 (0x0f921000)
>     libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0f8ce000)
>     libz.so.1 => /lib/libz.so.1 (0x0f899000)
>     libselinux.so.1 => /lib/libselinux.so.1 (0x0f848000)

Will try to repro; a stack trace would be extremely useful, though.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



