[Freeipa-users] ipa-client-install certutil failure

Jakub Bittner j.bittner at nbu.cz
Tue Mar 5 15:18:58 UTC 2013


On 5.3.2013 16:06, Rob Crittenden wrote:
> Bittner Jakub wrote:
>> On 5.3.2013 14:43, Rob Crittenden wrote:
>>> Jakub Bittner wrote:
>>>> Hello,
>>>>
>>>> I am using IPA version 3.0 on server and if I want to install on Ubuntu
>>>> with ipa-client-install certutil in the end this command
>>>> "/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
>>>> /etc/ipa/ca.crt" fails.
>>>>
>>>> If I try it manually it says:
>>>>
>>>> certutil: function failed: The certificate/key database is in an old,
>>>> unsupported format.
>>>>
>>>> I don't know what I need nssdb for. Is there a way to recreate this
>>>> nssdb file?
>>>
>>> Is it safe to assume that there is no NSS database in /etc/pki/nssdb
>>> (the certutil error msgs are horrible)? There should be 3 .db files,
>>> keyX.db, certY.db and secmod.db.
>>>
>>> To create an empty one do:
>>>
>>> certutil -N -d /etc/pki/nssdb
>>>
>>> You can set no password on this by pressing ENTER twice at the password
>>> prompts.
>>>
>>> These files are typically root:root mode 644.
>>>
>>> rob
>>>
>>
>> Thank you for the reply. I overcame this issue, but I have a problem with
>> changing the password on Ubuntu. I can log in, I can see GID, UID and so on,
>> but I cannot change the password.
>
> How are you trying to change the password? What output do you get when 
> it fails?
>
> Is there anything in system logs related to this? /var/log/secure, 
> /var/log/messages.
>
> Does password change work on other clients (e.g. if you have a Fedora 
> client, does that work?)
>
> rob
>


I do this procedure:

passwd
Current Password:
Password change failed. Server message: Password is too short

Password not changed.
passwd: Authentication Token Manipulation Error
passwd: password unchanged


In /var/log/auth.log is:

Mar  5 16:12:56 b125-test-201 passwd[23994]: pam_unix(passwd:chauthtok): 
user "bitj" does not exist in /etc/passwd
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_unix(passwd:chauthtok): 
user "bitj" does not exist in /etc/passwd
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): 
system info: [Generic error (see e-text)]
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): 
User info message: Password change failed. Server message: Password is 
too short#012#012Password not changed.
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): 
Password change failed for user bitj: 20 (Authentication Token 
Manipulation Error)



In Wireshark:

1576    9.952337    ipa.domain.cz    client.domain.cz    KRB5 366    KRB 
Error: KRB5KDC_ERR_PREAUTH_REQUIRED


P.S.
Generic error (see e-text). I don't know what or where the e-text is.


Thank you,
Jakub Bittner
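
An added example, not part of the original message: a small Python parser for the auth.log records quoted above that groups the passwd chauthtok entries by PID and recovers the server message pam_sss logged. It assumes the `#012` sequences are rsyslog's default octal escaping of newlines; the function names are illustrative.

```python
import re

# Constructed sample: the auth.log records from the post, rejoined onto
# single lines (the e-mail wrapped them).
SAMPLE_LOG = """\
Mar  5 16:12:56 b125-test-201 passwd[23994]: pam_unix(passwd:chauthtok): user "bitj" does not exist in /etc/passwd
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password is too short#012#012Password not changed.
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): Password change failed for user bitj: 20 (Authentication Token Manipulation Error)
"""

RECORD = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ passwd\[(?P<pid>\d+)\]: "
    r"(?P<mod>pam_\w+)\(passwd:chauthtok\): (?P<msg>.*)$"
)
FAILED = re.compile(r"Password change failed for user (\S+): (\d+) \((.+)\)")


def unescape_syslog(text):
    """Decode #ooo octal escapes (assumed rsyslog default) back to characters."""
    return re.sub(r"#([0-3][0-7]{2})", lambda m: chr(int(m.group(1), 8)), text)


def summarize(log):
    """Group passwd chauthtok records by PID and extract the failure details."""
    out = {}
    for line in log.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        entry = out.setdefault(m["pid"], {"local_account": True})
        msg = m["msg"]
        if m["mod"] == "pam_unix" and "does not exist in /etc/passwd" in msg:
            entry["local_account"] = False  # user is not in the local passwd file
        elif m["mod"] == "pam_sss":
            if "Server message:" in msg:
                text = unescape_syslog(msg.split("Server message:", 1)[1])
                entry["server_message"] = text.splitlines()[0].strip()
            failed = FAILED.search(msg)
            if failed:
                entry["user"] = failed.group(1)
                entry["pam_code"] = int(failed.group(2))
                entry["pam_error"] = failed.group(3)
    return out


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_LOG).items():
        print(pid, info)
```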



