The problem appeared after an update of 389-ds-base from 18.104.22.168-2 to 1.2.7-2, on Fedora 14 x86_64. The ipa-getkeytab command failed with an 'unable to set key' error. In the dirsrv error log, we found the following lines:
ipa_pwd_extop - encoding asn1 EncryptionKey failed
ipa_pwd_extop - encoding asn1 KrbSalt failed
ipa_pwd_extop - key encryption/encoding failed
Suspecting some update broke things, I did a fresh re-install, and had an issue in the ipa-server-install script (xxx replacing real values):
Unable to set admin password Command '/usr/lib64/mozldap/ldappasswd -D cn=Directory Manager -w xxx -P /etc/dirsrv/slapd-xxx//cert8.db -ZZZ -s xxx uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com' returned non-zero exit status 1
The dirsrv error log was similar to the above.
The only workaround I found was to downgrade 389-ds-base to the previous working version (22.214.171.124-2), and things went back to normal.
What version of IPA is this?
Can you please provide more information about the IPA version you are using? Is it 1.2.x? If so then yes there might be some incompatibilities with latest 389. We are actively working on the v2 which is coming out pretty soon that will take advantage of the latest 389 changes. Sorry for the inconvenience.
It is last ipa-1.2.2-5 from updates repository.
Well, this is unfortunate but expected. Would you mind if I close the bug with WONTFIX? The issue will not be there when IPA v2 lands into Fedora.
We are seeing the same problem with IPA v2 code.
It may be happening because 1.2.7 switched to use openldap libraries internally.
If the investigation on the v2 code yields a simple patch we will respin ipa 1.2.2 packages for F14 too.
I'm seeing a similar (identical?) issue with a FreeIPA server upgraded from Fedora 13 to 14 when attempting to reset a user's password:
A database error occurred: Operations error: Failed to update password
The log file contains the following entries:
[16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - encoding asn1 EncryptionKey failed
[16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - encoding asn1 KrbSalt failed
[16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - key encryption/encoding failed
I've also run into this issue while installing FreeIPA on Fedora14. Running 'ipa-server-install --debug' confirms the asn1 encoding issue mentioned above.
Looking forward to V2.
In order to reproduce the error, do I just have to run ipa-getkeytab?
Usually that's enough to make the ipa-pwd-extop plugin operate and drag in the mozldap libraries. This in turn should cause issues as there are symbol names that conflict with openldap libs.
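A quick diagnostic for the library conflict described in the comment above, as an added example that is not part of the original bug report or the IPA code: it reads `ldd` output for the directory server and for a plugin and reports whether, together, they load both the mozldap and OpenLDAP client libraries into one process. The soname patterns and the sample `ldd` output are assumptions constructed for illustration.

```python
import re

# Soname patterns for the two LDAP client implementations (assumed names;
# check what the mozldap and openldap packages install on your system).
FAMILIES = {
    "mozldap": re.compile(r"^lib(?:ldap|prldap|ssldap)60\.so"),
    "openldap": re.compile(r"^lib(?:ldap_r|ldap|lber)-2\.\d+\.so"),
}

# Constructed `ldd` output: a server binary linked against OpenLDAP ...
SERVER_LDD = """\
\tlinux-vdso.so.1 (0x00007fff0a1fe000)
\tlibldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f10a0000000)
\tliblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f109fe00000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f109fa00000)
"""

# ... and a plugin still linked against mozldap (also constructed).
PLUGIN_LDD = """\
\tlibldap60.so => /usr/lib64/libldap60.so (0x00007f10a1000000)
\tlibprldap60.so => /usr/lib64/libprldap60.so (0x00007f10a0e00000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f109fa00000)
"""

def ldap_families(ldd_output):
    """Map each LDAP library family to the sonames seen in ldd output."""
    found = {}
    for line in ldd_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        soname = parts[0].rsplit("/", 1)[-1]  # handle absolute-path entries
        for family, pattern in FAMILIES.items():
            if pattern.match(soname):
                found.setdefault(family, []).append(soname)
    return found

def has_conflict(*ldd_outputs):
    """True when objects loaded into one process span both families."""
    seen = set()
    for output in ldd_outputs:
        seen.update(ldap_families(output))
    return {"mozldap", "openldap"} <= seen

if __name__ == "__main__":
    print("server:", ldap_families(SERVER_LDD))
    print("plugin:", ldap_families(PLUGIN_LDD))
    print("conflict:", has_conflict(SERVER_LDD, PLUGIN_LDD))
```

On a live system, feed the functions the real output of `ldd` for the server binary and each plugin instead of the embedded samples.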
ipa-1.2.2-6.fc14 has been submitted as an update for Fedora 14.
Created attachment 475857
Rich's backport patch to fix ldap libs issues
This is the patch Richm kindly provided for ipa 1.2.
It is the backport of the patch we did for v 2.0.
This should fix all password related issues lately seen on Fedora 14.
Please test the package and give karma, or note here in the bug, if it works for you.
ipa-1.2.2-6.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update ipa'.
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/ipa-1.2.2-6.fc14
ipa-1.2.2-6.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.