1602425 – ipa user commands when used with '--random' or '--password' option returns 'Constraint violation: Pre-Encoded passwords are not valid' error

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1602425 - ipa user commands when used with '--random' or '--password' option returns 'Constraint violation: Pre-Encoded passwords are not valid' error

Summary: ipa user commands when used with '--random' or '--password' option returns 'C...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	mreynolds
QA Contact:	RHDS QE
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1602135 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-07-18 10:54 UTC by Nikhil Dehadrai
Modified:	2018-10-30 10:15 UTC (History)
CC List:	10 users (show)
Fixed In Version:	389-ds-base-1.3.8.4-7.el7
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Environment:
Last Closed:	2018-10-30 10:14:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
ipa user Constraint Violation (59.23 KB, image/png) 2018-07-18 11:01 UTC, Nikhil Dehadrai	no flags	Details
Screenshot-user Login Failed (218.38 KB, application/x-xz) 2018-07-20 12:14 UTC, Nikhil Dehadrai	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:3127	0	None	None	None	2018-10-30 10:15:20 UTC

Description Nikhil Dehadrai 2018-07-18 10:54:13 UTC

Description of problem:
ipa user commands when used with '--random' or '--password' option returns 'Constraint violation: Pre-Encoded passwords are not valid' error

Version-Release number of selected component (if applicable):
# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.6.4-2.el7.x86_64
ipa-client-4.6.4-2.el7.x86_64
389-ds-base-1.3.8.4-5.el7.x86_64
pki-ca-10.5.9-1.el7.noarch
krb5-server-1.15.1-33.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Setup latest version of IPA-server
2. Try to add new user to this IPA-server with '--password' option
3. Try to add new user to this IPA-server with '--random' option
4. Try to modify the password for this user
5. Try creating user from server UI

Actual results:
1. From Terminal:
----------------------
[root@auto-hv-01-guest01 ~]# tail -1 /var/log/ipaserver-install.log 
2018-07-18T09:56:37Z INFO The ipa-server-install command was successful


[root@auto-hv-01-guest01 ~]# kinit admin
Password for admin: 

[root@auto-hv-01-guest01 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.6.4-2.el7.x86_64
ipa-client-4.6.4-2.el7.x86_64
389-ds-base-1.3.8.4-5.el7.x86_64
pki-ca-10.5.9-1.el7.noarch
krb5-server-1.15.1-33.el7.x86_64

[root@auto-hv-01-guest01 ~]# ipa user-add --first=test1 --last=user1
User login [tuser1]: 
-------------------
Added user "tuser1"
-------------------
  User login: tuser1
  First name: test1
  Last name: user1
  Full name: test1 user1
  Display name: test1 user1
  Initials: tu
  Home directory: /home/tuser1
  GECOS: test1 user1
  Login shell: /bin/sh
  Principal name: tuser1
  Principal alias: tuser1
  Email address: tuser1
  UID: 1335400005
  GID: 1335400005
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@auto-hv-01-guest01 ~]# ipa user-add --first=test2 --last=user2 --random
User login [tuser2]: 
ipa: ERROR: Constraint violation: pre-hashed passwords are not valid

[root@auto-hv-01-guest01 ~]# ipa user-add --first=test2 --last=user2 --password
User login [tuser2]: 
Password: 
Enter Password again to verify: 
  ** Passwords do not match! **
Password: 
Enter Password again to verify: 
ipa: ERROR: Constraint violation: pre-hashed passwords are not valid

[root@auto-hv-01-guest01 ~]# ipa user-mod tuser1 --password
Password: 
Enter Password again to verify: 
ipa: ERROR: Constraint violation: Pre-Encoded passwords are not valid

2. From UI:
----------------------
Same issue is observed:

IPA Error 4203: DatabaseError
Constraint violation: pre-hashed passwords are not valid

When no password is provided, then user is created successfully

Expected results:
No error should be observed and user creation / modification using '--random' and '--password' option should be successful.

Additional info:
This issue is not observed in older version of 389-ds-base package.

[root@client ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.6.4-2.el7.x86_64
ipa-client-4.6.4-2.el7.x86_64
389-ds-base-1.3.8.4-3.el7.x86_64
pki-ca-10.5.9-1.el7.noarch
krb5-server-1.15.1-32.el7.x86_64
[root@client ~]# ipa user-add --first=t1 --last=u1 --displayname=t1u1 --random
User login [tu1]:
----------------
Added user "tu1"
----------------
  User login: tu1
  First name: t1
  Last name: u1
  Full name: t1 u1
  Display name: t1u1
  Initials: tu
  Home directory: /home/tu1
  GECOS: t1 u1
  Login shell: /bin/sh
  Principal name: tu1
  Principal alias: tu1
  User password expiration: 20180718101708Z
  Email address: tu1
  Random password: 7Ci*pW.&!ROn[W,5^U_eIq
  UID: 615300502
  GID: 615300502
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Comment 3 Nikhil Dehadrai 2018-07-18 11:01:23 UTC

Created attachment 1459686 [details]
ipa user Constraint Violation

ipa user Constraint Violation

Comment 5 Viktor Ashirov 2018-07-18 11:25:00 UTC

This is a result of the fix for https://pagure.io/389-ds-base/issue/49789 (bz1595766).

If I change nsslapd-unhashed-pw-switch to 'on', I can add the user with --random:

[root@server freeipa-tests]# rpm -q 389-ds-base 
389-ds-base-1.3.8.4-5.el7.x86_64
[root@server freeipa-tests]# ldapsearch -LLL -D cn=directory\ manager -w Secret123 -b cn=config '(nsslapd-unhashed-pw-switch=*)' nsslapd-unhashed-pw-switch 
dn: cn=config
nsslapd-unhashed-pw-switch: on

[root@server freeipa-tests]# ipa user-add --first=test --last=user --random
User login [tuser]: 
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: tuser
  Principal alias: tuser
  User password expiration: 20180718112255Z
  Email address: tuser
  Random password: 1Vb|b&|*W9eRoZc?;W(CmF
  UID: 1821600006
  GID: 1821600006
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Changing component to ipa, since this should be done on IPA side.

Comment 6 Viktor Ashirov 2018-07-18 11:27:56 UTC

FreeIPA upstream ticket: https://pagure.io/freeipa/issue/4812

Comment 7 Rob Crittenden 2018-07-18 12:16:07 UTC

There is a comment in that ticket that when winsync is being used then this value needs to be set to OFF on ALL masters. Is this true?

Comment 8 Viktor Ashirov 2018-07-18 12:35:07 UTC

If I'm reading it correctly, it should be ON on all masters when winsync is used, not OFF.

Comment 9 Rob Crittenden 2018-07-18 12:48:17 UTC

Sorry yes, I had that value reversed. I just wanted to confirm that it must be set this way on ALL masters.

Comment 10 Viktor Ashirov 2018-07-18 13:10:37 UTC

I believe so, because if the password is hashed by DS on at least one master and then synced to AD, it won't work, since AD uses different hash function. If plain text passwords are retained in the DS changelog, then they can be synced to AD and hashed on AD side.

Also there is an RFE for IPA to use 'nolog' by default and 'on' in topologies with winsync: https://bugzilla.redhat.com/show_bug.cgi?id=1591895

Comment 15 Nikhil Dehadrai 2018-07-19 13:19:07 UTC

1. Suspecting that this bug also affects KRA installation in ipa-server based on errors observed in pki-tomcat/debug logs "netscape.ldap.LDAPException: error result (19); pre-hashed passwords are not valid"

2. The KRA installation also fails when used with ipa-server installation process.


[root@vm-idm-015 kra]# rpm -q ipa-server
ipa-server-4.6.4-2.el7.x86_64
389-ds-base-1.3.8.4-5.el7.x86_64
pki-base-10.5.9-1.el7.noarch
pki-ca-10.5.9-1.el7.noarch
pki-base-java-10.5.9-1.el7.noarch
krb5-pkinit-1.15.1-33.el7.x86_64
pki-tools-10.5.9-1.el7.x86_64
pki-server-10.5.9-1.el7.noarch
pki-kra-10.5.9-1.el7.noarch


[root@vm-idm-015 ~]# ipa-kra-install 
Directory Manager password: 

Starting new HTTPS connection (1): vm-idm-015.testrelm.test

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/10]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpR6zZGN' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information



ipaserver-kra-install.log:
---------------------------
Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.

Installation failed:
com.netscape.certsrv.base.PKIException: LDAP error (19): error result

Please check the KRA logs in /var/log/pki/pki-tomcat/kra.

2018-07-19T13:09:03Z DEBUG stderr=
2018-07-19T13:09:03Z CRITICAL Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpR6zZGN' returned non-zero exit status 1
2018-07-19T13:09:03Z CRITICAL See the installation logs and the following files/directories for more information:
2018-07-19T13:09:03Z CRITICAL   /var/log/pki/pki-tomcat
2018-07-19T13:09:03Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 520, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 510, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 300, in __spawn_instance
    tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 406, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: KRA configuration failed.

2018-07-19T13:09:03Z DEBUG   [error] RuntimeError: KRA configuration failed.
2018-07-19T13:09:03Z ERROR
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

2018-07-19T13:09:03Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 225, in run
    kra.install(api, config, self.options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 120, in install
    promote=promote)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 141, in configure_instance
    self.start_creation(runtime=120)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 520, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 510, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 300, in __spawn_instance
    tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 406, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2018-07-19T13:09:03Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: KRA configuration failed.
2018-07-19T13:09:03Z ERROR KRA configuration failed.


pki-tomcat/debug log:
---------------------------

[19/Jul/2018:18:39:03][http-bio-8443-exec-3]: getConn: mNumConns now 2
netscape.ldap.LDAPException: error result (19); pre-hashed passwords are not valid

        at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
        at netscape.ldap.LDAPConnection.add(Unknown Source)
        at netscape.ldap.LDAPConnection.add(Unknown Source)
        at netscape.ldap.LDAPConnection.add(Unknown Source)
        at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:771)
        at com.netscape.cms.servlet.csadmin.ConfigurationUtils.createAdmin(ConfigurationUtils.java:3421)
        at org.dogtagpki.server.rest.SystemConfigService.configureAdministrator(SystemConfigService.java:584)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:179)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
[19/Jul/2018:18:39:03][http-bio-8443-exec-3]: returnConn: mNumConns now 3
[19/Jul/2018:18:39:03][http-bio-8443-exec-3]: LDAP error (19): error result
[19/Jul/2018:18:39:03][http-bio-8443-exec-3]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

Comment 18 Scott Poore 2018-07-19 22:14:02 UTC

*** Bug 1602135 has been marked as a duplicate of this bug. ***

Comment 19 Nikhil Dehadrai 2018-07-20 08:32:07 UTC

VERSION:
[root@vm-idm-022 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.6.4-2.el7.x86_64
ipa-client-4.6.4-2.el7.x86_64
389-ds-base-1.3.8.4-6.el7.x86_64
pki-ca-10.5.9-1.el7.noarch
krb5-server-1.15.1-33.el7.x86_64


Tested with new 389-ds-base package, The issue mentioned in bug and Comment#15 are not observed:

[root@vm-idm-022 ~]# ipa-kra-install 
Directory Manager password: 

Starting new HTTPS connection (1): vm-idm-022.testrelm.test

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/10]: configuring KRA instance
  [2/10]: create KRA agent
  [3/10]: enabling ephemeral requests
  [4/10]: restarting KRA
  [5/10]: configure certmonger for renewals
  [6/10]: configure certificate renewals
  [7/10]: configure HTTP to proxy connections
  [8/10]: add vault container
  [9/10]: apply LDAP updates
  [10/10]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful


[root@vm-idm-022 ~]# ipa user-add --first=test1 --last=user1
User login [tuser1]: 
-------------------
Added user "tuser1"
-------------------
  User login: tuser1
  First name: test1
  Last name: user1
  Full name: test1 user1
  Display name: test1 user1
  Initials: tu
  Home directory: /home/tuser1
  GECOS: test1 user1
  Login shell: /bin/sh
  Principal name: tuser1
  Principal alias: tuser1
  Email address: tuser1
  UID: 1667000004
  GID: 1667000004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@vm-idm-022 ~]# ipa user-add --first=test2 --last=user2 --random
User login [tuser2]: 
-------------------
Added user "tuser2"
-------------------
  User login: tuser2
  First name: test2
  Last name: user2
  Full name: test2 user2
  Display name: test2 user2
  Initials: tu
  Home directory: /home/tuser2
  GECOS: test2 user2
  Login shell: /bin/sh
  Principal name: tuser2
  Principal alias: tuser2
  User password expiration: 20180720082743Z
  Email address: tuser2
  Random password: 1Jt^QR5h;bz$Sg&dJ[9Gba
  UID: 1667000005
  GID: 1667000005
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@vm-idm-022 ~]# ipa user-add --first=test2 --last=user2 --password
User login [tuser2]:  
Password: 
Enter Password again to verify: 
ipa: ERROR: user with name "tuser2" already exists

[root@vm-idm-022 ~]# ipa user-mod --first=test2 --last=user2 --password
User login [tuser2]: 
Password: 
Enter Password again to verify: 
----------------------
Modified user "tuser2"
----------------------
  User login: tuser2
  First name: test2
  Last name: user2
  Home directory: /home/tuser2
  Login shell: /bin/sh
  Principal name: tuser2
  Principal alias: tuser2
  Email address: tuser2
  UID: 1667000005
  GID: 1667000005
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@vm-idm-022 ~]# kinit tuser2
Password for tuser2: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@vm-idm-022 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_1uzgMd2
Default principal: tuser2

Valid starting       Expires              Service principal
07/20/2018 13:58:38  07/21/2018 13:58:37  krbtgt/TESTRELM.TEST
[root@vm-idm-022 ~]# kinit admin
Password for admin: 
[root@vm-idm-022 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
07/20/2018 13:58:46  07/21/2018 13:58:44  krbtgt/TESTRELM.TEST
[root@vm-idm-022 ~]# ipa user-add --first=test3 --last=user3 --password
User login [tuser3]: 
Password: 
Enter Password again to verify: 
  ** Passwords do not match! **
Password: 
Enter Password again to verify: 
-------------------
Added user "tuser3"
-------------------
  User login: tuser3
  First name: test3
  Last name: user3
  Full name: test3 user3
  Display name: test3 user3
  Initials: tu
  Home directory: /home/tuser3
  GECOS: test3 user3
  Login shell: /bin/sh
  Principal name: tuser3
  Principal alias: tuser3
  User password expiration: 20180720082913Z
  Email address: tuser3
  UID: 1667000006
  GID: 1667000006
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Comment 20 Nikhil Dehadrai 2018-07-20 12:05:32 UTC

Tested the bug for following scenario:

1. Create user in ipa and try logging using this user to IPA server UI.
#The user login fails. (See attachment)

# /var/log/httpd/error_log

[Fri Jul 20 17:27:49.980064 2018] [:error] [pid 32220] ipa: INFO: Starting new HTTP connection (1): vm-idm-022.testrelm.test
[Fri Jul 20 17:27:49.983463 2018] [:error] [pid 32220] ipa: INFO: Starting new HTTPS connection (1): vm-idm-022.testrelm.test
[Fri Jul 20 17:27:50.063126 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: i18n_messages(): SUCCESS
[Fri Jul 20 17:27:50.072164 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: config_show(): EmptyResult
[Fri Jul 20 17:27:50.077996 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: whoami(): SUCCESS
[Fri Jul 20 17:27:50.078669 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: env(None): SUCCESS
[Fri Jul 20 17:27:50.080664 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: dns_is_enabled(): SUCCESS
[Fri Jul 20 17:27:50.082208 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: trustconfig_show(): NotFound
[Fri Jul 20 17:27:50.083817 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: domainlevel_get(): SUCCESS
[Fri Jul 20 17:27:50.086117 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: ca_is_enabled(): SUCCESS
[Fri Jul 20 17:27:50.143084 2018] [:error] [pid 32218] ipa: INFO: Starting new HTTPS connection (1): vm-idm-022.testrelm.test
[Fri Jul 20 17:27:50.218757 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: vaultconfig_show(): EmptyResult
[Fri Jul 20 17:27:50.219216 2018] [:error] [pid 32218] ipa: INFO: [jsonserver_session] tuser1: batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([], {}), u'method': u'config_show'}, {u'params': ([], {}), u'method': u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}), u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method': u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'}, {u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}), u'method': u'vaultconfig_show'}), version=u'2.229'): SUCCESS
[Fri Jul 20 17:27:50.246943 2018] [:warn] [pid 22043] [client 10.65.223.47:47012] failed to set perms (3140) on file (/var/run/ipa/ccaches/tuser1)!, referer: https://vm-idm-022.testrelm.test/ipa/ui/
[Fri Jul 20 17:27:50.278695 2018] [:error] [pid 32219] ipa: INFO: [jsonserver_session] tuser1: user_show/1(u'tuser1', all=True, version=u'2.229'): SUCCESS

2. Try logging using Admin user to IPA server UI.
# The login is successful

3. Try running command 'ipa user-find' / 'ipa host-find'
# no details are returned

[root@vm-idm-022 ~]# ipa user-find
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@vm-idm-022 ~]# ipa user-find --all
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------


Thus on the basis of above observations, marking the status of bug to 'ASSIGNED'.

Comment 21 Nikhil Dehadrai 2018-07-20 12:14:49 UTC

Created attachment 1464930 [details]
Screenshot-user Login Failed

Screenshot-user Login Failed

Comment 24 Viktor Ashirov 2018-07-20 14:04:44 UTC

Nikhil,

I can't reproduce this issue, could you please provide access logs from DS after you try to login?

Thanks!

Comment 25 Nikhil Dehadrai 2018-07-23 10:18:29 UTC

Version:
ipa-server-4.6.4-3.el7.x86_64
389-ds-base-1.3.8.4-7.el7.x86_64


Verified the bug on the basis of below observations:
1. Verified that with latest build the issue mentioned in bug and comment#20 is not observed.
2. It is possible to modify password for user.
3. it is possible to set random password for user.
4. It is possible to install KRA on IPA-Master.
5. IPA-User and admin user can login to servr UI. 
6. Verified that Sanity test for user-cli is successful and no regression error is observed.

Thus on the basis of above observations, marking status of bug to 'VERIFIED'.

Comment 27 errata-xmlrpc 2018-10-30 10:14:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3127

Note You need to log in before you can comment on or make changes to this bug.