tatiana philippova wrote:
Hi Rob,
many thanks for the reply, here is the information requested
On Fri, Jan 8, 2010 at 4:10 AM, Rob Crittenden rcrit...@redhat.com wrote:
tatiana philippova wrote:
Hi, I have an issue with freeipa v1.9.0.pre1 on Fedora 12 (virtual)
...actually, not just one issue, a couple of them.
freeipa rpms were built from tarball (downloaded from official site)
ipa-server-1.9.0.pre1-0.fc12.x86_64
ipa-client-1.9.0.pre1-0.fc12.x86_64
ipa-server-selinux-1.9.0.pre1-0.fc12.x86_64
ipa-python-1.9.0.pre1-0.fc12.x86_64
ipa-admintools-1.9.0.pre1-0.fc12.x86_64
the first issue appears during server setup:
#ipa-server-install -N
..
Applying LDAP updates
restarting the directory server
restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.xe_hlt.db
Unable to set admin password Command '/usr/lib64/mozldap/ldappasswd -D cn=Directory Manager -w pass1 -P /etc/dirsrv/slapd-INTERNAL-MYNET-COM//cert8.db -ZZZ -s pass2 uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com' returned non-zero exit status 1
also noticed the following in /var/log/dirsrv/slapd-INTERNAL-BULLETIN-NET/errors:
[08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - krb5_c_string_to_key failed [Bad encryption type]
[08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - key encryption/encoding failed
Well, that explains why the admin password wasn't set. Simo, any thoughts?
ipa_pwd_extop is the 389-ds plugin we use to keep the LDAP password and
the kerberos principal key in sync.
What version of krb5-server do you have installed? rpm -q krb5-server
..
when I start ldappasswd manually with the same parameters -
ldap_simple_bind: No such object
Can you provide a log snippet from the 389ds access log
(/var/log/slapd-INTERNAL-MYNET-COM/access) showing these?
when the command is started manually:
/usr/lib64/mozldap/ldappasswd -D cn=Directory Manager -w pass1 -P /etc/dirsrv/slapd-INTERNAL-MYNET-COM//cert8.db -ZZZ -s pass2 uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
ldap_simple_bind: No such object
/var/log/dirsrv/slapd-INTERNAL-MYNET-COM/access:
[08/Jan/2010:10:24:50 +1300] conn=13 fd=69 slot=69 connection from ::1 to ::1
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 EXT oid=1.3.6.1.4.1.1466.20037 name=startTLS
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[08/Jan/2010:10:24:50 +1300] conn=13 SSL 128-bit RC4
[08/Jan/2010:10:24:50 +1300] conn=13 op=1 BIND dn=cn=Directory method=128 version=3
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 UNBIND
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 fd=69 closed - U1
[08/Jan/2010:10:24:51 +1300] conn=13 op=1 RESULT err=32 tag=97 nentries=0 etime=1
You need to put quotes around cn=Directory Manager.
output from ldapsearch:
ldapsearch -x -D cn=Directory Manager -w pass1 -b cn=users,cn=accounts,dc=internal,dc=mynet,dc=com krbprincipalname=admin krbPrincipalKey
# extended LDIF
#
# LDAPv3
# base cn=users,cn=accounts,dc=internal,dc=mynet,dc=com with scope subtree
# filter: krbprincipalname=admin
# requesting: krbPrincipalKey
#
# search result
search: 2
result: 0 Success
# numResponses: 1
The krbprincipalname would be ad...@internal.mynet.com
oops, sorry, here is the correct output:
[r...@freeipa log]# ldapsearch -x -D cn=Directory Manager -w pass1 -b cn=users,cn=accounts,dc=internal,dc=mynet,dc=com krbprincipalname=ad...@internal.mynet.com krbPrincipalKey
# extended LDIF
#
# LDAPv3
# base cn=users,cn=accounts,dc=internal,dc=mynet,dc=com with scope subtree
# filter: krbprincipalname=ad...@internal.mynet.com
# requesting: krbPrincipalKey.
#
# admin, users, accounts, internal.MYNET.COM
dn: uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Ok, that is about what I would expect since the password setting failed.
and in /var/log/dirsrv/slapd-INTERNAL-MYNET-COM/access:
[08/Jan/2010:10:27:14 +1300] conn=15 fd=69 slot=69 connection from 127.0.0.1 to 127.0.0.1
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 BIND dn=cn=Directory Manager method=128 version=3
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=cn=directory manager
[08/Jan/2010:10:27:14 +1300] conn=15 op=1 SRCH base=cn=users,cn=accounts,dc=internal,dc=mynet,dc=com scope=2 filter=(krbprincipalname=ad...@internal.mynet.com) attrs=krbPrincipalKey
[08/Jan/2010:10:27:14 +1300] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 UNBIND
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 fd=69 closed - U1
the second issue:
The password for this file is in /etc/dirsrv/slapd-INTERNAL-MYNET-COM/pwdfile.txt
but in the log file:
2010-01-07 21:36:44,054 INFO pk12util: PKCS12 EXPORT SUCCESSFUL
2010-01-07 21:36:44,103 INFO certutil: Could not find: CA certificate: security library: bad database.
Can you see what certificates exist in the database?
certutil -L -d /etc/dirsrv/slapd-INTERNAL-MYNET-COM/
[r...@freeipa log]# certutil -L -d
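Rob's diagnosis of the first failure (the unquoted "cn=Directory Manager" is split by the shell, so the server sees a bind DN of "cn=Directory" and answers err=32, noSuchObject) can be checked mechanically against the 389-ds access log. The script below is an added example, not code from this thread or from the FreeIPA or 389-ds projects: it pairs each BIND line with its RESULT line by (conn, op), which matters because, as in the log quoted above, the RESULT for op=1 can be written after the UNBIND for op=2. The sample lines are taken from the thread's quoted access log plus one constructed successful bind with a quoted DN; the `expected_dns` parameter and the prefix heuristic for spotting a shell-truncated DN are my own assumptions.

```python
"""Correlate BIND and RESULT lines in a 389-ds access log and report failed binds.

Added example; sample lines below are adapted from the mailing-list thread plus one
constructed line (conn=15) showing what a correctly quoted bind DN looks like.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# 389-ds access log operation lines look like: "[timestamp] conn=N op=M <OPERATION> ..."
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+(?P<rest>.*)$")
BIND_RE = re.compile(r"^BIND\s+dn=(?P<dn>.*?)\s+method=(?P<method>\d+)\s+version=(?P<version>\d+)")
RESULT_RE = re.compile(r"^RESULT\s+err=(?P<err>\d+)")

# LDAP result codes seen in the thread (RFC 4511 names)
LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

# Constructed sample: the thread's conn=13 log plus a quoted-DN bind on conn=15.
SAMPLE_LOG = [
    "[08/Jan/2010:10:24:50 +1300] conn=13 fd=69 slot=69 connection from ::1 to ::1",
    "[08/Jan/2010:10:24:50 +1300] conn=13 op=0 EXT oid=1.3.6.1.4.1.1466.20037 name=startTLS",
    "[08/Jan/2010:10:24:50 +1300] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0",
    "[08/Jan/2010:10:24:50 +1300] conn=13 SSL 128-bit RC4",
    "[08/Jan/2010:10:24:50 +1300] conn=13 op=1 BIND dn=cn=Directory method=128 version=3",
    "[08/Jan/2010:10:24:50 +1300] conn=13 op=2 UNBIND",
    "[08/Jan/2010:10:24:50 +1300] conn=13 op=2 fd=69 closed - U1",
    "[08/Jan/2010:10:24:51 +1300] conn=13 op=1 RESULT err=32 tag=97 nentries=0 etime=1",
    '[08/Jan/2010:10:27:14 +1300] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
    "[08/Jan/2010:10:27:14 +1300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=cn=directory manager",
]


@dataclass
class BindAttempt:
    conn: int
    op: int
    ts: str
    dn: str
    err: Optional[int] = None  # filled in when the matching RESULT line is seen

    @property
    def outcome(self) -> str:
        if self.err is None:
            return "no RESULT logged"
        return LDAP_ERR.get(self.err, f"err={self.err}")


def correlate_binds(lines: Iterable[str]) -> List[BindAttempt]:
    """Pair every BIND with its RESULT by (conn, op), independent of line order."""
    attempts: Dict[Tuple[int, int], BindAttempt] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # connection open/close and SSL lines carry no op= field
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        b = BIND_RE.match(rest)
        if b:
            # Newer 389-ds versions quote the DN; the thread's copy has no quotes. Accept both.
            attempts[key] = BindAttempt(key[0], key[1], m["ts"], b["dn"].strip('"'))
            continue
        r = RESULT_RE.match(rest)
        if r and key in attempts:  # RESULT lines for non-BIND ops (EXT, SRCH) are ignored
            attempts[key].err = int(r["err"])
    return list(attempts.values())


def failed_binds(lines: Iterable[str],
                 expected_dns: Sequence[str] = ("cn=Directory Manager",)) -> List[Tuple[int, str, str, str]]:
    """Return (conn, dn, outcome, note) for each BIND whose RESULT was not err=0.

    The note is set when the logged DN is a whitespace-truncated prefix of one of
    expected_dns, which is the signature of an unquoted multi-word DN on a shell
    command line (assumed heuristic, not a 389-ds feature).
    """
    findings = []
    expected = [d.lower() for d in expected_dns]
    for a in correlate_binds(lines):
        if a.err == 0:
            continue
        note = ""
        dn = a.dn.lower()
        for e in expected:
            if dn != e and e.startswith(dn + " "):
                note = f"bind DN is a truncated prefix of {e!r}: likely an unquoted DN split by the shell"
        findings.append((a.conn, a.dn, a.outcome, note))
    return findings


if __name__ == "__main__":
    for conn, dn, outcome, note in failed_binds(SAMPLE_LOG):
        print(f"conn={conn} dn={dn!r}: {outcome}" + (f" ({note})" if note else ""))
```

Run against the thread's log this reports only conn=13, bind DN "cn=Directory", noSuchObject, with the truncation note; the quoted bind on conn=15 is paired with its err=0 RESULT and not reported. The same lesson applies when wrapping ldappasswd from a script: pass the arguments as a list (no shell) so that a DN containing a space stays one argument.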