[Freeipa-users] ipa-replica-prepare error

Orion Poplawski orion at cora.nwra.com
Thu Jul 30 15:28:38 UTC 2015


On 07/28/2015 11:09 PM, Jan Cholasta wrote:
> Dne 20.7.2015 v 19:52 Orion Poplawski napsal(a):
>> On 07/20/2015 12:57 AM, Jan Cholasta wrote:
>>> Dne 15.7.2015 v 20:57 Orion Poplawski napsal(a):
>>>> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>>>>>
>>>>>       # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>>>
>>>> Directory Manager (existing master) password:
>>>>
>>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.

I was able to debug this in gdb and tracked it down to a low entropy
condition.  Details noted in https://fedorahosted.org/freeipa/ticket/5117.
Looks like prng_instantiate is being called 2-3 times and there just isn't
enough entropy:


Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 <theGlobalRng>,
    bytes=bytes at entry=0x7fffffffc220 "\304(\336\350F8\375㨟\177\325\017+\302
\230\"e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324&\263",
len=110) at drbg.c:160
160         if (len < PRNG_SEEDLEN) {
1: len = 110
(gdb) c
Continuing.

Breakpoint 1, prng_instantiate (rng=rng at entry=0x7fffe5f9f620 <testContext>,
    bytes=bytes at entry=0x2153b70
"\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002",
len=len at entry=32) at drbg.c:160
160         if (len < PRNG_SEEDLEN) {
1: len = 32

PRNG_SEEDLEN is 55, I think.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
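The check that fails in the trace above, modelled as an added C example. This is not NSS's drbg.c and not part of Orion's message: the names rng_context, entropy_source, seed_rng and simulate are constructed for the illustration, the "entropy pool" is a fixed in-memory buffer standing in for a kernel pool that can only hand out a limited number of bytes, and the only piece copied from NSS is the seed-length rule itself, PRNG_SEEDLEN = 55 bytes (440 bits, the Hash_DRBG seedlen for SHA-256). A seed shorter than that is rejected outright rather than stretched, which is exactly the branch the breakpoint at drbg.c:160 sits on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 440-bit seedlen of the SHA-256 Hash_DRBG: 55 bytes, as in NSS drbg.c */
#define PRNG_SEEDLEN 55

enum seed_status { SEED_OK = 0, SEED_NEED_RANDOM = 1 };

/* Stand-in for NSS's RNGContext (constructed): records what it was seeded with. */
typedef struct {
    uint8_t seed[256];
    size_t seed_len;
    int instantiated;
} rng_context;

/* Constructed entropy source: a buffer that can only hand out `avail` bytes
 * in total, like a blocking pool that is currently short. */
typedef struct {
    const uint8_t *pool;
    size_t avail;
    size_t pos;
} entropy_source;

/* Short reads are the point: the caller gets whatever is left, not `want`. */
static size_t source_read(entropy_source *src, uint8_t *out, size_t want) {
    size_t left = src->avail > src->pos ? src->avail - src->pos : 0;
    size_t n = left < want ? left : want;
    memcpy(out, src->pool + src->pos, n);
    src->pos += n;
    return n;
}

/* Same shape as the check at drbg.c:160 in the trace: a seed shorter than
 * PRNG_SEEDLEN is refused instead of being used. */
static enum seed_status prng_instantiate(rng_context *rng, const uint8_t *bytes, size_t len) {
    if (len < PRNG_SEEDLEN) {
        return SEED_NEED_RANDOM;
    }
    if (len > sizeof rng->seed) len = sizeof rng->seed;
    memcpy(rng->seed, bytes, len);
    rng->seed_len = len;
    rng->instantiated = 1;
    return SEED_OK;
}

/* Ask the source for `request` bytes and instantiate with whatever came back.
 * *got receives the number of bytes actually obtained (may be NULL). */
enum seed_status seed_rng(rng_context *rng, entropy_source *src, size_t request, size_t *got) {
    uint8_t buf[256];
    if (request > sizeof buf) request = sizeof buf;
    size_t n = source_read(src, buf, request);
    if (got) *got = n;
    return prng_instantiate(rng, buf, n);
}

/* Deterministic filler so the example runs offline; the bytes are not random. */
static void fill_pool(uint8_t *pool, size_t len) {
    for (size_t i = 0; i < len; i++) pool[i] = (uint8_t)(i * 37 + 11);
}

/* Scenario: a pool holding `avail` bytes, asked for `request`. Returns seed_status. */
int simulate(size_t avail, size_t request, size_t *got) {
    uint8_t pool[256];
    fill_pool(pool, sizeof pool);
    entropy_source src = { pool, avail, 0 };
    rng_context rng;
    memset(&rng, 0, sizeof rng);
    return (int)seed_rng(&rng, &src, request, got);
}

int main(void) {
    size_t got;
    /* 110 bytes, the length of the theGlobalRng call in the trace: accepted */
    int s1 = simulate(110, 110, &got);
    printf("avail=110 got=%zu -> %s\n", got, s1 == SEED_OK ? "SEED_OK" : "SEED_NEED_RANDOM");
    /* a pool that only yields 32 bytes, the short length seen in the trace: refused */
    int s2 = simulate(32, 110, &got);
    printf("avail=32  got=%zu -> %s\n", got, s2 == SEED_OK ? "SEED_OK" : "SEED_NEED_RANDOM");
    return 0;
}
```

The boundary matters: 55 bytes instantiate, 54 do not, and the caller sees only a generic library failure, which is why the condition is invisible without gdb. On a real host the equivalent check before running ipa-replica-prepare is to read /proc/sys/kernel/random/entropy_avail; on virtual machines that sit near zero, rngd (rng-tools) or haveged are the usual remedies.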
