[Freeipa-users] ipa-client-install certutil failure

Dmitri Pal dpal at redhat.com
Tue Mar 5 20:12:28 UTC 2013 

On 03/05/2013 10:18 AM, Jakub Bittner wrote:
> Dne 5.3.2013 16:06, Rob Crittenden napsal(a):
>> Bittner Jakub wrote:
>>> On 5.3.2013 14:43, Rob Crittenden wrote:
>>>> Jakub Bittner wrote:
>>>>> Hello,
>>>>>
>>>>> I am using IPA version 3.0 on server and if I want to install on
>>>>> ubuntu
>>>>> with ipa-client-install certutil in the end this command
>>>>> "/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
>>>>> /etc/ipa/ca.crt" fails.
>>>>>
>>>>> If I try it manually it says:
>>>>>
>>>>> certutil: function failed: The certificate/key database is in an old,
>>>>> unsupported format.
>>>>>
>>>>> I dont know for what I need nssdb. Is there a way how to recreate
>>>>> this
>>>>> nssdb file?
>>>>
>>>> Is it safe to assume that there is no NSS database in /etc/pki/nssdb
>>>> (the certutil error msgs are horrible)? There should be 3 .db files,
>>>> keyX.db, certY.db and secmod.db.
>>>>
>>>> To create an empty one do:
>>>>
>>>> certutil -N -d /etc/pki/nssdb
>>>>
>>>> You can set no password on this by pressing ENTER twice at the
>>>> password
>>>> prompts.
>>>>
>>>> These files are typically root:root mode 644.
>>>>
>>>> rob
>>>>
>>>
>>> Thank you for reply, I overcome this issue, but I have problem with
>>> changing password on Ubuntu. I can log in, I can see GID, UIG and so,
>>> but I can not change password.
>>
>> How are you trying to change the password? What output do you get
>> when it fails?
>>
>> Is there anything in system logs related to this? /var/log/secure,
>> /var/log/messages.
>>
>> Does password change work on other clients (e.g. if you have a Fedora
>> client, does that work?)
>>
>> rob
>>
>
>
> I do this procedure:
>
> passwd
> Current Password:
> Password change failed. Server message: Password is too short
>
> Password not changed.
> passwd: Authentication Token Manipulation Error
> passwd: password unchanged
>
>
> In /var/log/auth.log is:
>
> Mar  5 16:12:56 b125-test-201 passwd[23994]:
> pam_unix(passwd:chauthtok): user "bitj" does not exist in /etc/passwd
> Mar  5 16:12:59 b125-test-201 passwd[23994]:
> pam_unix(passwd:chauthtok): user "bitj" does not exist in /etc/passwd
> Mar  5 16:12:59 b125-test-201 passwd[23994]:
> pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
> Mar  5 16:12:59 b125-test-201 passwd[23994]:
> pam_sss(passwd:chauthtok): User info message: Password change failed.
> Server message: Password is too short#012#012Password not changed.
> Mar  5 16:12:59 b125-test-201 passwd[23994]:
> pam_sss(passwd:chauthtok): Password change failed for user bitj: 20
> (Authentication Token Manipulation Error)
>

It seems that the password you are trying to use does not meet the
minimal password length requirements set on the server.

>
>
> in wireshark:
>
> 1576    9.952337    ipa.domain.cz    client.domain.cz    KRB5 366   
> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>
>
> P.S.
> Generic error (see e-text). I dont know what or where the e-text is.
>
>
> Thank you,
> Jakub Bittner
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-users mailing list