[Freeipa-users] Upgraded server from Fedora 13 to 14: Cannot reset user passwords

[Simo Sorce]

On Fri, 17 Dec 2010 10:47:06 -0500
Dan Scott <danieljamesscott at gmail.com> wrote:

> Hi,
> 
> I have recently upgraded one of our server from Fedora 13 to 14.
> Recently, I noticed that I cannot reset user passwords any more:
> 
> A database error occurred: Operations error: Failed to update password
> 
> The log file contains the following entries:
> [16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - encoding asn1
> EncryptionKey failed [16/Dec/2010:10:47:08 -0500] ipa_pwd_extop -
> encoding asn1 KrbSalt failed [16/Dec/2010:10:47:08 -0500]
> ipa_pwd_extop - key encryption/encoding failed
> 
> Packages:
> 389-ds-base-1.2.7.4-1.fc14.x86_64
> ipa-server-1.2.2-5.fc14.x86_64
> 
> This appears similar to a bug reported a couple of weeks ago:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=658832
> 
> Although the above report is related to ipa-getkeytab rather than
> ipa-passwd. If they are the same issue, then this bug is more serious
> since I can't create new users or allow password changes.

Yes it is almost certainly the same issue, as the ipa-pwd-exop plugin
handles all password changes and keytab issuance.

> Does anyone have a status on this?

We have a patch for the v2 version of the plugins but haven't yet found
the time to backport to 1.2.2.

A workaround is to downgrade DS to a version not compiled with openldap
libs (or recompile it with mozldap).

If you look in this list archives you will also find that Thomas Sailer
has created a backport of the patch and posted a srpm on his fedora
people page.

We hope to address the issue as soon as possible, but we are short on
time in this period.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York