Re: [Freeipa-devel] ipa-server-install Unable to set admin password

2010-01-08 Thread Rob Crittenden

tatiana philippova wrote:

Hi Rob,
many thanks for reply, here is information requested

On Fri, Jan 8, 2010 at 4:10 AM, Rob Crittenden rcrit...@redhat.com wrote:

tatiana philippova wrote:

Hi, I have an issue with freeipa v1.9.0.pre1 on Fedora 12 (virtual)
..actually, not just one issue, a couple of them.

freeipa rpms were built from tarball (downloaded from official site)
ipa-server-1.9.0.pre1-0.fc12.x86_64
ipa-client-1.9.0.pre1-0.fc12.x86_64
ipa-server-selinux-1.9.0.pre1-0.fc12.x86_64
ipa-python-1.9.0.pre1-0.fc12.x86_64
ipa-admintools-1.9.0.pre1-0.fc12.x86_64


the first issue appears during server setup:
#ipa-server-install -N
..
Applying LDAP updates
restarting the directory server
restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.xe_hlt.db
Unable to set admin password Command '/usr/lib64/mozldap/ldappasswd -D cn=Directory Manager -w pass1 -P /etc/dirsrv/slapd-INTERNAL-MYNET-COM//cert8.db -ZZZ -s pass2 uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com' returned non-zero exit status 1

also noticed the following in /var/log/dirsrv/slapd-INTERNAL-BULLETIN-NET/errors :
[08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - krb5_c_string_to_key failed [Bad encryption type]
[08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - key encryption/encoding failed


Well, that explains why the admin password wasn't set. Simo, any thoughts?

ipa_pwd_extop is the 389-ds plugin we use to keep the LDAP password and 
the kerberos principal key in sync.


What version of krb5-server do you have installed? rpm -q krb5-server


..

when I start ldappasswd manually with the same parameters -
ldap_simple_bind: No such object

Can you provide a log snippet from the 389ds access log
(/var/log/slapd-INTERNAL-MYNET-COM/access) showing these?


when the command is started manually:
/usr/lib64/mozldap/ldappasswd -D cn=Directory Manager -w pass1 -P /etc/dirsrv/slapd-INTERNAL-MYNET-COM//cert8.db -ZZZ -s pass2 uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
ldap_simple_bind: No such object

/var/log/dirsrv/slapd-INTERNAL-MYNET-COM/access:

[08/Jan/2010:10:24:50 +1300] conn=13 fd=69 slot=69 connection from ::1 to ::1
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[08/Jan/2010:10:24:50 +1300] conn=13 SSL 128-bit RC4
[08/Jan/2010:10:24:50 +1300] conn=13 op=1 BIND dn="cn=Directory" method=128 version=3
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 UNBIND
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 fd=69 closed - U1
[08/Jan/2010:10:24:51 +1300] conn=13 op=1 RESULT err=32 tag=97 nentries=0 etime=1


You need to put quotes around cn=Directory Manager.




output from ldapsearch:

ldapsearch -x -D cn=Directory Manager -w pass1 -b cn=users,cn=accounts,dc=internal,dc=mynet,dc=com krbprincipalname=admin krbPrincipalKey
# extended LDIF
#
# LDAPv3
# base cn=users,cn=accounts,dc=internal,dc=mynet,dc=com with scope subtree
# filter: krbprincipalname=admin
# requesting: krbPrincipalKey
#

# search result
search: 2
result: 0 Success

# numResponses: 1

The krbprincipalname would be ad...@internal.mynet.com

Oops, sorry. Here is the correct output:

[r...@freeipa log]# ldapsearch -x -D cn=Directory Manager -w pass1 -b cn=users,cn=accounts,dc=internal,dc=mynet,dc=com krbprincipalname=ad...@internal.mynet.com krbPrincipalKey
# extended LDIF
#
# LDAPv3
# base cn=users,cn=accounts,dc=internal,dc=mynet,dc=com with scope subtree
# filter: krbprincipalname=ad...@internal.mynet.com
# requesting: krbPrincipalKey.
#
# admin, users, accounts, internal.MYNET.COM
dn: uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Ok, that is about what I would expect since the password setting failed.




and in /var/log/dirsrv/slapd-INTERNAL-MYNET-COM/access:

[08/Jan/2010:10:27:14 +1300] conn=15 fd=69 slot=69 connection from 127.0.0.1 to 127.0.0.1
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[08/Jan/2010:10:27:14 +1300] conn=15 op=1 SRCH base="cn=users,cn=accounts,dc=internal,dc=mynet,dc=com" scope=2 filter="(krbprincipalname=ad...@internal.mynet.com)" attrs="krbPrincipalKey"
[08/Jan/2010:10:27:14 +1300] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 UNBIND
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 fd=69 closed - U1


the second issue:
The password for this file is in
/etc/dirsrv/slapd-INTERNAL-MYNET-COM/pwdfile.txt

but in the log file:
2010-01-07 21:36:44,054 INFO pk12util: PKCS12 EXPORT SUCCESSFUL
2010-01-07 21:36:44,103 INFO certutil: Could not find: CA certificate
: security library: bad database.

Can you see what certificates exist in the database?

certutil -L -d /etc/dirsrv/slapd-INTERNAL-MYNET-COM/


[r...@freeipa log]# certutil -L -d 
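An added example, not code from the thread or from the FreeIPA project: a small Python parser for the 389-ds access log that joins each BIND to its RESULT by (conn, op) and reports the bind DN exactly as the server received it. It illustrates the two points in Rob's reply: the RESULT for an op can be logged after later ops on the same connection (in the thread the err=32 RESULT for conn=13 op=1 appears after the op=2 UNBIND), so pairing by position fails, and err=32 (noSuchObject) on a bind means the DN that reached the server does not exist, which is what an unquoted `cn=Directory Manager` produces after shell word-splitting, whereas a wrong password gives err=49 (invalidCredentials). The sample log is constructed, modelled on the lines quoted above, written with the `dn="..."` quoting the access log actually uses and with a constructed search filter; the function names and hint text are this example's own.

```python
import re

# Constructed sample, modelled on the two connections quoted in the thread.
# conn=13 is the unquoted command line (server sees dn="cn=Directory"),
# conn=15 is a correctly quoted bind. The search filter is constructed.
SAMPLE_LOG = """\
[08/Jan/2010:10:24:50 +1300] conn=13 fd=69 slot=69 connection from ::1 to ::1
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[08/Jan/2010:10:24:50 +1300] conn=13 SSL 128-bit RC4
[08/Jan/2010:10:24:50 +1300] conn=13 op=1 BIND dn="cn=Directory" method=128 version=3
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 UNBIND
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 fd=69 closed - U1
[08/Jan/2010:10:24:51 +1300] conn=13 op=1 RESULT err=32 tag=97 nentries=0 etime=1
[08/Jan/2010:10:27:14 +1300] conn=15 fd=69 slot=69 connection from 127.0.0.1 to 127.0.0.1
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[08/Jan/2010:10:27:14 +1300] conn=15 op=1 SRCH base="cn=users,cn=accounts,dc=internal,dc=mynet,dc=com" scope=2 filter="(uid=admin)" attrs="krbPrincipalKey"
[08/Jan/2010:10:27:14 +1300] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 UNBIND
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 fd=69 closed - U1
"""

# Only lines that carry an operation keyword (BIND, RESULT, SRCH, EXT, UNBIND)
# match; connection open/close and SSL lines are skipped.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$'
)
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')

# RFC 4511 result codes relevant to a failed simple bind.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


def parse_access_log(text):
    """Return {(conn, op): record}, each record holding the operation kind,
    the DN it carried (if any) and the err code from its RESULT line.

    Records are keyed by (conn, op) rather than by line order because
    389-ds writes the RESULT line when the op completes, which can be after
    later ops on the same connection have already been logged.
    """
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m.group("conn")), int(m.group("op")))
        kind, rest = m.group("kind"), m.group("rest")
        rec = ops.setdefault(key, {"kind": None, "dn": None})
        if kind == "RESULT":
            rec["err"] = int(ERR_RE.search(rest).group("err"))
        else:
            rec["kind"] = kind
            dn = DN_RE.search(rest)
            rec["dn"] = dn.group("dn") if dn else None
    return ops


def bind_outcomes(text):
    """List (conn, op, bind_dn, err, name) for every BIND that has a RESULT."""
    out = []
    for (conn, op), rec in sorted(parse_access_log(text).items()):
        if rec["kind"] == "BIND" and "err" in rec:
            err = rec["err"]
            out.append((conn, op, rec["dn"], err, RESULT_NAMES.get(err, "other")))
    return out


def diagnose(text):
    """Map each failed BIND to a hint distinguishing a missing bind DN
    (err=32, typically a mangled DN) from a rejected password (err=49)."""
    hints = {}
    for conn, op, dn, err, _name in bind_outcomes(text):
        if err == 32:
            hints[(conn, op)] = (
                f"bind DN {dn!r} does not exist as the server received it; "
                "if the intended DN contains spaces, quote it on the command line"
            )
        elif err == 49:
            hints[(conn, op)] = f"bind DN {dn!r} exists but the password was rejected"
    return hints


if __name__ == "__main__":
    for outcome in bind_outcomes(SAMPLE_LOG):
        print("conn=%d op=%d dn=%r err=%d (%s)" % outcome)
    for key, hint in diagnose(SAMPLE_LOG).items():
        print("conn=%d op=%d: %s" % (key + (hint,)))
```

Run against a real access log with `diagnose(open(path).read())`; the parser only needs the `conn=`/`op=` fields and the quoted `dn="..."`, so it is unaffected by the extra fields newer 389-ds versions append to RESULT lines.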

Re: [Freeipa-devel] ipa-server-install Unable to set admin password

2010-01-08 Thread Dmitri Pal
Rob Crittenden wrote:
 tatiana philippova wrote:
 also  noticed next in
 /var/log/dirsrv/slapd-INTERNAL-BULLETIN-NET/errors :
 [08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - krb5_c_string_to_key
 failed [Bad encryption type]
 [08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - key encryption/encoding
 failed

 Well, that explains why the admin password wasn't set. Simo, any
 thoughts?

 ipa_pwd_extop is the 389-ds plugin we use to keep the LDAP password
 and the kerberos principal key in sync.

 What version of krb5-server do you have installed? rpm -q krb5-server

If it is F12 the Kerberos version should be 1.7.
Can it be that we have an incompatibility with 1.7 in our plugin?

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel