Bug 1602425
| Summary: | ipa user commands when used with '--random' or '--password' option returns 'Constraint violation: Pre-Encoded passwords are not valid' error | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nikhil Dehadrai <ndehadra> |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 7.6 | CC: | abokovoy, ksiddiqu, ndehadra, nkinder, pvoborni, rcritten, rmeggins, spoore, tscherf, vashirov |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker |
| Target Release: | --- | Hardware: | Unspecified |
| OS: | Unspecified | Story Points: | --- |
| Fixed In Version: | 389-ds-base-1.3.8.4-7.el7 | Doc Type: | No Doc Update |
| Last Closed: | 2018-10-30 10:14:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | Category: | --- |
| oVirt Team: | --- | Cloudforms Team: | --- |
Description
Nikhil Dehadrai
2018-07-18 10:54:13 UTC
Created attachment 1459686
ipa user Constraint Violation
This is a result of the fix for https://pagure.io/389-ds-base/issue/49789 (bz1595766). If I change nsslapd-unhashed-pw-switch to 'on', I can add the user with --random:
[root@server freeipa-tests]# rpm -q 389-ds-base
389-ds-base-1.3.8.4-5.el7.x86_64
[root@server freeipa-tests]# ldapsearch -LLL -D cn=directory\ manager -w Secret123 -b cn=config '(nsslapd-unhashed-pw-switch=*)' nsslapd-unhashed-pw-switch
dn: cn=config
nsslapd-unhashed-pw-switch: on
[root@server freeipa-tests]# ipa user-add --first=test --last=user --random
User login [tuser]:
------------------
Added user "tuser"
------------------
User login: tuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/tuser
GECOS: test user
Login shell: /bin/sh
Principal name: tuser
Principal alias: tuser
User password expiration: 20180718112255Z
Email address: tuser
Random password: 1Vb|b&|*W9eRoZc?;W(CmF
UID: 1821600006
GID: 1821600006
Password: True
Member of groups: ipausers
Kerberos keys available: True

Changing component to ipa, since this should be done on IPA side.
FreeIPA upstream ticket: https://pagure.io/freeipa/issue/4812

There is a comment in that ticket that when winsync is being used then this value needs to be set to OFF on ALL masters. Is this true?

If I'm reading it correctly, it should be ON on all masters when winsync is used, not OFF.

Sorry yes, I had that value reversed. I just wanted to confirm that it must be set this way on ALL masters.

I believe so, because if the password is hashed by DS on at least one master and then synced to AD, it won't work, since AD uses a different hash function. If plain text passwords are retained in the DS changelog, then they can be synced to AD and hashed on AD side.
Also there is an RFE for IPA to use 'nolog' by default and 'on' in topologies with winsync: https://bugzilla.redhat.com/show_bug.cgi?id=1591895

1. Suspecting that this bug also affects KRA installation in ipa-server based on errors observed in pki-tomcat/debug logs "netscape.ldap.LDAPException: error result (19); pre-hashed passwords are not valid"
2. The KRA installation also fails when used with ipa-server installation process.
[root@vm-idm-015 kra]# rpm -q ipa-server
ipa-server-4.6.4-2.el7.x86_64
389-ds-base-1.3.8.4-5.el7.x86_64
pki-base-10.5.9-1.el7.noarch
pki-ca-10.5.9-1.el7.noarch
pki-base-java-10.5.9-1.el7.noarch
krb5-pkinit-1.15.1-33.el7.x86_64
pki-tools-10.5.9-1.el7.x86_64
pki-server-10.5.9-1.el7.noarch
pki-kra-10.5.9-1.el7.noarch
[root@vm-idm-015 ~]# ipa-kra-install
Directory Manager password:
Starting new HTTPS connection (1): vm-idm-015.testrelm.test
===================================================================
This program will setup Dogtag KRA for the IPA Server.
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
[1/10]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpR6zZGN' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.
KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
ipaserver-kra-install.log:
---------------------------
Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.
Installation failed:
com.netscape.certsrv.base.PKIException: LDAP error (19): error result
Please check the KRA logs in /var/log/pki/pki-tomcat/kra.
2018-07-19T13:09:03Z DEBUG stderr=
2018-07-19T13:09:03Z CRITICAL Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpR6zZGN' returned non-zero exit status 1
2018-07-19T13:09:03Z CRITICAL See the installation logs and the following files/directories for more information:
2018-07-19T13:09:03Z CRITICAL /var/log/pki/pki-tomcat
2018-07-19T13:09:03Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 520, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 510, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 300, in __spawn_instance
tmp_agent_pwd)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 406, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: KRA configuration failed.
2018-07-19T13:09:03Z DEBUG [error] RuntimeError: KRA configuration failed.
2018-07-19T13:09:03Z ERROR
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.
2018-07-19T13:09:03Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 174, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 225, in run
kra.install(api, config, self.options, custodia=custodia)
File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 120, in install
promote=promote)
File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 141, in configure_instance
self.start_creation(runtime=120)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 520, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 510, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 300, in __spawn_instance
tmp_agent_pwd)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 406, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2018-07-19T13:09:03Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: KRA configuration failed.
2018-07-19T13:09:03Z ERROR KRA configuration failed.
pki-tomcat/debug log:
---------------------------
[19/Jul/2018:18:39:03][http-bio-8443-exec-3]: getConn: mNumConns now 2
netscape.ldap.LDAPException: error result (19); pre-hashed passwords are not valid
at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
at netscape.ldap.LDAPConnection.add(Unknown Source)
at netscape.ldap.LDAPConnection.add(Unknown Source)
at netscape.ldap.LDAPConnection.add(Unknown Source)
at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:771)
at com.netscape.cms.servlet.csadmin.ConfigurationUtils.createAdmin(ConfigurationUtils.java:3421)
at org.dogtagpki.server.rest.SystemConfigService.configureAdministrator(SystemConfigService.java:584)
at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:179)
at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
[19/Jul/2018:18:39:03][http-bio-8443-exec-3]: returnConn: mNumConns now 3
[19/Jul/2018:18:39:03][http-bio-8443-exec-3]: LDAP error (19): error result
[19/Jul/2018:18:39:03][http-bio-8443-exec-3]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
*** Bug 1602135 has been marked as a duplicate of this bug. ***

VERSION:
[root@vm-idm-022 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.6.4-2.el7.x86_64
ipa-client-4.6.4-2.el7.x86_64
389-ds-base-1.3.8.4-6.el7.x86_64
pki-ca-10.5.9-1.el7.noarch
krb5-server-1.15.1-33.el7.x86_64
Tested with the new 389-ds-base package; the issues mentioned in the bug and Comment#15 are not observed:
[root@vm-idm-022 ~]# ipa-kra-install
Directory Manager password:
Starting new HTTPS connection (1): vm-idm-022.testrelm.test
===================================================================
This program will setup Dogtag KRA for the IPA Server.
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
[1/10]: configuring KRA instance
[2/10]: create KRA agent
[3/10]: enabling ephemeral requests
[4/10]: restarting KRA
[5/10]: configure certmonger for renewals
[6/10]: configure certificate renewals
[7/10]: configure HTTP to proxy connections
[8/10]: add vault container
[9/10]: apply LDAP updates
[10/10]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful
[root@vm-idm-022 ~]# ipa user-add --first=test1 --last=user1
User login [tuser1]:
-------------------
Added user "tuser1"
-------------------
User login: tuser1
First name: test1
Last name: user1
Full name: test1 user1
Display name: test1 user1
Initials: tu
Home directory: /home/tuser1
GECOS: test1 user1
Login shell: /bin/sh
Principal name: tuser1
Principal alias: tuser1
Email address: tuser1
UID: 1667000004
GID: 1667000004
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@vm-idm-022 ~]# ipa user-add --first=test2 --last=user2 --random
User login [tuser2]:
-------------------
Added user "tuser2"
-------------------
User login: tuser2
First name: test2
Last name: user2
Full name: test2 user2
Display name: test2 user2
Initials: tu
Home directory: /home/tuser2
GECOS: test2 user2
Login shell: /bin/sh
Principal name: tuser2
Principal alias: tuser2
User password expiration: 20180720082743Z
Email address: tuser2
Random password: 1Jt^QR5h;bz$Sg&dJ[9Gba
UID: 1667000005
GID: 1667000005
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@vm-idm-022 ~]# ipa user-add --first=test2 --last=user2 --password
User login [tuser2]:
Password:
Enter Password again to verify:
ipa: ERROR: user with name "tuser2" already exists
[root@vm-idm-022 ~]# ipa user-mod --first=test2 --last=user2 --password
User login [tuser2]:
Password:
Enter Password again to verify:
----------------------
Modified user "tuser2"
----------------------
User login: tuser2
First name: test2
Last name: user2
Home directory: /home/tuser2
Login shell: /bin/sh
Principal name: tuser2
Principal alias: tuser2
Email address: tuser2
UID: 1667000005
GID: 1667000005
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@vm-idm-022 ~]# kinit tuser2
Password for tuser2:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@vm-idm-022 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_1uzgMd2
Default principal: tuser2
Valid starting Expires Service principal
07/20/2018 13:58:38 07/21/2018 13:58:37 krbtgt/TESTRELM.TEST
[root@vm-idm-022 ~]# kinit admin
Password for admin:
[root@vm-idm-022 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin
Valid starting Expires Service principal
07/20/2018 13:58:46 07/21/2018 13:58:44 krbtgt/TESTRELM.TEST
[root@vm-idm-022 ~]# ipa user-add --first=test3 --last=user3 --password
User login [tuser3]:
Password:
Enter Password again to verify:
** Passwords do not match! **
Password:
Enter Password again to verify:
-------------------
Added user "tuser3"
-------------------
User login: tuser3
First name: test3
Last name: user3
Full name: test3 user3
Display name: test3 user3
Initials: tu
Home directory: /home/tuser3
GECOS: test3 user3
Login shell: /bin/sh
Principal name: tuser3
Principal alias: tuser3
User password expiration: 20180720082913Z
Email address: tuser3
UID: 1667000006
GID: 1667000006
Password: True
Member of groups: ipausers
Kerberos keys available: True

Tested the bug for following scenario:
1. Create user in ipa and try logging using this user to IPA server UI.
#The user login fails. (See attachment)
# /var/log/httpd/error_log
[Fri Jul 20 17:27:49.980064 2018] [:error] [pid 32220] ipa: INFO: Starting new HTTP connection (1): vm-idm-022.testrelm.test
[Fri Jul 20 17:27:49.983463 2018] [:error] [pid 32220] ipa: INFO: Starting new HTTPS connection (1): vm-idm-022.testrelm.test
[Fri Jul 20 17:27:50.063126 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: i18n_messages(): SUCCESS
[Fri Jul 20 17:27:50.072164 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: config_show(): EmptyResult
[Fri Jul 20 17:27:50.077996 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: whoami(): SUCCESS
[Fri Jul 20 17:27:50.078669 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: env(None): SUCCESS
[Fri Jul 20 17:27:50.080664 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: dns_is_enabled(): SUCCESS
[Fri Jul 20 17:27:50.082208 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: trustconfig_show(): NotFound
[Fri Jul 20 17:27:50.083817 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: domainlevel_get(): SUCCESS
[Fri Jul 20 17:27:50.086117 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: ca_is_enabled(): SUCCESS
[Fri Jul 20 17:27:50.143084 2018] [:error] [pid 32218] ipa: INFO: Starting new HTTPS connection (1): vm-idm-022.testrelm.test
[Fri Jul 20 17:27:50.218757 2018] [:error] [pid 32218] ipa: INFO: tuser1: batch: vaultconfig_show(): EmptyResult
[Fri Jul 20 17:27:50.219216 2018] [:error] [pid 32218] ipa: INFO: [jsonserver_session] tuser1: batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([], {}), u'method': u'config_show'}, {u'params': ([], {}), u'method': u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}), u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method': u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'}, {u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}), u'method': u'vaultconfig_show'}), version=u'2.229'): SUCCESS
[Fri Jul 20 17:27:50.246943 2018] [:warn] [pid 22043] [client 10.65.223.47:47012] failed to set perms (3140) on file (/var/run/ipa/ccaches/tuser1)!, referer: https://vm-idm-022.testrelm.test/ipa/ui/
[Fri Jul 20 17:27:50.278695 2018] [:error] [pid 32219] ipa: INFO: [jsonserver_session] tuser1: user_show/1(u'tuser1', all=True, version=u'2.229'): SUCCESS
2. Try logging using Admin user to IPA server UI.
# The login is successful
3. Try running command 'ipa user-find' / 'ipa host-find'
# no details are returned
[root@vm-idm-022 ~]# ipa user-find
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@vm-idm-022 ~]# ipa user-find --all
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
Thus on the basis of above observations, marking the status of bug to 'ASSIGNED'.
Created attachment 1464930
Screenshot-user Login Failed
Nikhil, I can't reproduce this issue, could you please provide access logs from DS after you try to login? Thanks!

Version:
ipa-server-4.6.4-3.el7.x86_64
389-ds-base-1.3.8.4-7.el7.x86_64
Verified the bug on the basis of below observations:
1. Verified that with latest build the issue mentioned in bug and comment#20 is not observed.
2. It is possible to modify password for user.
3. It is possible to set random password for user.
4. It is possible to install KRA on IPA-Master.
5. IPA-User and admin user can login to server UI.
6. Verified that Sanity test for user-cli is successful and no regression error is observed.
Thus on the basis of above observations, marking status of bug to 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2018:3127
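The winsync comments in this report state that nsslapd-unhashed-pw-switch has to carry the same value on ALL masters ('on' when winsync is used). As an added example, not part of the bug report or of any project's code, the script below reads the `ldapsearch -LLL` output shown in the report for each master and lists the masters whose value differs from the expected one; the hostnames and the sample LDIF are constructed.

```shell
#!/bin/sh
# Added example: audit nsslapd-unhashed-pw-switch across IPA masters.
# To collect real input, run the report's query against each master, e.g.
#   ldapsearch -LLL -H ldap://HOST -D 'cn=directory manager' -W \
#       -b cn=config '(nsslapd-unhashed-pw-switch=*)' nsslapd-unhashed-pw-switch
# (-W prompts for the password instead of placing it on the command line).

# Print the switch value found in `ldapsearch -LLL` output read from stdin.
# LDAP attribute names are case-insensitive, so compare in lower case.
# Prints "unset" when the attribute is absent from the entry.
switch_value() {
    awk '
        tolower($1) == "nsslapd-unhashed-pw-switch:" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    '
}

# Read "host value" pairs from stdin and print every host whose value
# differs from the expected one ($1). Returns 1 if any host deviates.
audit_masters() {
    want=$1
    awk -v want="$want" '
        NF >= 2 && $2 != want {
            printf "%s: %s (expected %s)\n", $1, $2, want
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: query results from three masters (placeholder names).
# master2 uses mixed case to exercise the case-insensitive match,
# master3 returned the entry without the attribute.
sample_pairs() {
    printf 'master1.example.test %s\n' \
        "$(printf 'dn: cn=config\nnsslapd-unhashed-pw-switch: on\n' | switch_value)"
    printf 'master2.example.test %s\n' \
        "$(printf 'dn: cn=config\nnsslapd-Unhashed-PW-Switch: OFF\n' | switch_value)"
    printf 'master3.example.test %s\n' \
        "$(printf 'dn: cn=config\n' | switch_value)"
}

# Winsync topology: every master is expected to report "on".
sample_pairs | audit_masters on || true
```

For a topology without winsync, pass the value the deployment standardises on (the RFE mentioned in the thread proposes 'nolog') as the argument to `audit_masters`.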