On 07/30/2015 05:28 PM, Orion Poplawski wrote:
On 07/28/2015 11:09 PM, Jan Cholasta wrote:
On 20.7.2015 at 19:52, Orion Poplawski wrote:
On 07/20/2015 12:57 AM, Jan Cholasta wrote:
On 15.7.2015 at 20:57, Orion Poplawski wrote:
On 07/14/2015 11:53 PM, Jan Cholasta wrote:

       # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX

Directory Manager (existing master) password:

(SEC_ERROR_LIBRARY_FAILURE) security library failure.

I was able to debug this in gdb and tracked it down to a low entropy
condition.  Details noted in https://fedorahosted.org/freeipa/ticket/5117.
Looks like prng_instantiate is being called 2-3 times and there just isn't
enough entropy:


Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 <theGlobalRng>,
     bytes=bytes@entry=0x7fffffffc220 "\304(\336\350F8\375㨟\177\325\017+\302
\230\"e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324&\263",
len=110) at drbg.c:160
160         if (len < PRNG_SEEDLEN) {
1: len = 110
(gdb) c
Continuing.

Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 <testContext>,
     bytes=bytes@entry=0x2153b70
"\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002",
len=len@entry=32) at drbg.c:160
160         if (len < PRNG_SEEDLEN) {
1: len = 32

PRNG_SEEDLEN is 55 I think.


Thank you for the thorough investigation! I saw your ticket comment and moved it back to Triage so that we can keep investigating it.

We already have some code that checks available entropy and/or waits for sufficient entropy in the ipa-server-install code. Maybe we will need to do something in ipa-replica-prepare as well, we will see. We can continue the discussion in the ticket directly.
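
An added example, not part of the original thread and not FreeIPA's own code: a pre-flight entropy check of the kind the reply mentions, which an admin script could run before `ipa-replica-prepare`. The 200-bit threshold and the function names are assumptions made for illustration; the path is the Linux kernel's entropy estimate in procfs.

```python
import time

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # Linux procfs counter
MIN_BITS = 200  # assumed threshold for this example, not a FreeIPA value


def read_entropy(path=ENTROPY_AVAIL):
    """Return the kernel's entropy estimate in bits, or None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def wait_for_entropy(min_bits=MIN_BITS, timeout=60.0, interval=1.0,
                     path=ENTROPY_AVAIL, sleep=time.sleep,
                     clock=time.monotonic):
    """Poll until the estimate reaches min_bits.

    Returns (ok, last_reading). ok is False on timeout or when the
    counter cannot be read, so the caller can stop before starting a
    certificate operation rather than failing inside the crypto library.
    """
    deadline = clock() + timeout
    while True:
        bits = read_entropy(path)
        if bits is None:
            return False, None
        if bits >= min_bits:
            return True, bits
        if clock() >= deadline:
            return False, bits
        sleep(interval)


if __name__ == "__main__":
    ok, bits = wait_for_entropy(timeout=30.0)
    if ok:
        print(f"entropy estimate {bits} bits, proceeding")
    else:
        print(f"entropy estimate too low or unreadable ({bits}); "
              "not starting ipa-replica-prepare")
        raise SystemExit(1)
```
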
