| Summary: | At times setting password fails with "Confidentiality required: Operation requires a secure connection." error. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2 | CC: | dpal, erinn.looneytriggs, jgalipea, mkosek, nkinder, shaines, syeghiay |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.2.0-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | No documentation needed. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 13:15:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 756082 | ||
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2021

Can you please provide dirsrv logs to see what is going on?

The problem is that the openldap libs on the system have the SASL maxssf property configured to 0. This makes the negotiated SSF 0.

    # find . | xargs grep maxssf ./*
    /etc/openldap/ldap.conf:sasl_secprops minssf=0,maxssf=0

We should not be setting these secprops in /etc/openldap/ldap.conf. I think we should probably set our own LDAP_OPT_X_SASL_SSF_MAX so we won't be affected by this bad configuration.

Fixed upstream.

    master: e6cdcad8df8712a5f452a74a3f3186146ef1e04b
    ipa-2-2: e1b20be71d00e55cf2a3188222e6d76741602599

See the upstream trac ticket for a suggestion on testing.

verified :

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: [ LOG ] :: bug748110: At times setting password fails with Confidentiality required: Operation requires a secure connection. errro
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: [ LOG ] :: Verifies https://bugzilla.redhat.com/show_bug.cgi?id=748110
    :: [ PASS ] :: Backup /etc/openldap/ldap.conf
    :: [ PASS ] :: Running 'service httpd restart'
    :: [ PASS ] :: Running 'tcpdump -i lo -w /tmp/snoop &'
    :: [ PASS ] :: Running 'ipa user-show admin'
    :: [ PASS ] :: Running 'tcpdump -i lo -r /tmp/snoop -s 8192 -X > /tmp/bug748110-tcpdump.txt 2>&1'
    :: [ PASS ] :: File '/tmp/bug748110-tcpdump.txt' should not contain 'cn=users'
    :: [ PASS ] :: File '/tmp/bug748110-tcpdump.txt' should not contain 'cn=accounts'
    :: [ PASS ] :: Restoring /etc/openldap/ldap.conf
    :: [ PASS ] :: Running 'service httpd restart'
    :: [ LOG ] :: Duration: 6s
    :: [ LOG ] :: Assertions: 9 good, 0 bad
    :: [ PASS ] :: RESULT: bug748110: At times setting password fails with Confidentiality required: Operation requires a secure connection. errro

version : ipa-server-2.2.0-7.el6.x86_64
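The root cause named in the comments above is a client-side `sasl_secprops minssf=0,maxssf=0` line in /etc/openldap/ldap.conf, which caps the negotiated SSF at 0. The following is an added example, not FreeIPA's code or the upstream fix: a small audit that finds such directives in ldap.conf-style text. The function names, the `required_ssf` threshold and the sample hostnames are assumptions made for illustration.

```python
# Added example: audit ldap.conf-style text for SASL_SECPROPS lines that cap
# the SASL security layer below what the server side is assumed to require.

# Constructed sample reproducing the setting quoted in the bug.
SAMPLE_LDAP_CONF = """\
# constructed sample of /etc/openldap/ldap.conf
URI ldap://ipa.example.test
BASE dc=example,dc=test
sasl_secprops minssf=0,maxssf=0
"""


def parse_secprops(value):
    """Return the numeric properties of 'noplain,minssf=0,maxssf=0' as a dict."""
    props = {}
    for item in value.split(","):
        key, _, num = item.strip().partition("=")
        if num.isdigit():  # flags such as 'noplain' carry no number; skip them
            props[key.lower()] = int(num)
    return props


def audit_secprops(conf_text, required_ssf=56):
    """Return (line_number, maxssf) for every directive capping SSF too low.

    required_ssf is an assumed policy value: SSF 0 means no security layer,
    1 means integrity only, 56 and above mean an encrypting layer.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        parts = line.strip().split(None, 1)
        # ldap.conf keywords are case-insensitive; '#' starts a comment line.
        if len(parts) != 2 or parts[0].lower() != "sasl_secprops":
            continue
        maxssf = parse_secprops(parts[1]).get("maxssf")
        # An absent maxssf leaves the library default (no cap) in place.
        if maxssf is not None and maxssf < required_ssf:
            findings.append((lineno, maxssf))
    return findings


if __name__ == "__main__":
    for lineno, maxssf in audit_secprops(SAMPLE_LDAP_CONF):
        print("line %d: maxssf=%d prevents an encrypted SASL layer" % (lineno, maxssf))
```

The same property can also come from a per-user ldaprc file or the LDAPSASL_SECPROPS environment variable, so a clean /etc/openldap/ldap.conf does not by itself rule the cap out.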
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
No documentation needed.
*** Bug 769545 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html
Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-2.el6.x86_64

How reproducible: Not always

Steps to Reproduce:

1. install ipa-server with dns

2. Used the following script to create dnsrecords, hosts, hostgroups and hbacrule

    #!/bin/bash
    for j in {1..7}; do
      for i in {2..253}; do
        ipa user-add user$j$i --first=u --last=$j$i
        ipa dnsrecord-add lab.eng.pnq.redhat.com host$j$i --a-rec=1.1.$j.$i
        ipa host-add host$j$i.lab.eng.pnq.redhat.com
        ipa hostgroup-add hostgrp$j$i --desc="hostgrp$j$i"
        ipa hostgroup-add-member hostgrp$j$i --hosts=host$j$i.lab.eng.pnq.redhat.com
        ipa hbacrule-add hbacrulehost$j$i
        ipa hbacrule-add-user hbacrulehost$j$i --users=user$j$i
        ipa hbacrule-add-service hbacrulehost$j$i --hbacsvcs=sshd
        ipa hbacrule-add-sourcehost hbacrulehost$j$i --hostgroups=hostgrp$j$i
        ipa hbacrule-add-host hbacrulehost$j$i --hostgroups=hostgrp$j$i
      done
    done

3.

    [root@bumblebee ~]# date
    Fri Oct 21 18:49:34 EDT 2011
    [root@bumblebee ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: admin.PNQ.REDHAT.COM

    Valid starting     Expires            Service principal
    10/21/11 18:46:16  10/22/11 18:46:14  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
    10/21/11 18:46:28  10/22/11 18:46:14  HTTP/bumblebee.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
    [root@bumblebee ~]#

4.

    [root@bumblebee ~]# ipa user-add shanks
    First name: s
    Last name: r
    -------------------
    Added user "shanks"
    -------------------
      User login: shanks
      First name: s
      Last name: r
      Full name: s r
      Display name: s r
      Initials: sr
      Home directory: /home/shanks
      GECOS field: s r
      Login shell: /bin/sh
      Kerberos principal: shanks.PNQ.REDHAT.COM
      UID: 2601283
      GID: 2601283
      Keytab: False
      Password: False
    [root@bumblebee ~]#

5.

    ipa passwd shanks
    New Password: Shanks1
    Enter New Password again to verify: Shanks1

Actual results:

    ipa: ERROR: Confidentiality required: Operation requires a secure connection.
Expected results: password set successfully

Additional info:

    [root@bumblebee ~]# ipa -d passwd shanks
    ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
    ipa: DEBUG: args=klist -V
    ipa: DEBUG: stdout=Kerberos 5 version 1.9
    ipa: DEBUG: stderr=
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
    ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
    ipa: INFO: trying https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml
    ipa: DEBUG: Created connection context.xmlclient
    New Password:
    Enter New Password again to verify:
    ipa: DEBUG: raw: passwd(u'shanks', u'********', u'********')
    ipa: DEBUG: passwd(u'shanks.PNQ.REDHAT.COM', u'********', u'********')
    ipa: INFO: Forwarding 'passwd' to server u'https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml'
    ipa: DEBUG: NSSConnection init bumblebee.lab.eng.pnq.redhat.com
    ipa: DEBUG: connect_socket_family: host=bumblebee.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET
    ipa: DEBUG: connecting: 10.65.201.64:443
    ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
    ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
    ipa: DEBUG: cert valid True for "CN=bumblebee.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
    ipa: DEBUG: handshake complete, peer = 10.65.201.64:443
    ipa: DEBUG: Caught fault 4203 from server https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml: Confidentiality required: Operation requires a secure connection.
    ipa: DEBUG: Destroyed connection context.xmlclient
    ipa: ERROR: Confidentiality required: Operation requires a secure connection.