
Bug 748110

Summary: At times setting password fails with "Confidentiality required: Operation requires a secure connection." error.
Product: Red Hat Enterprise Linux 6
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.2
CC: dpal, erinn.looneytriggs, jgalipea, mkosek, nkinder, shaines, syeghiay
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 13:15:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 756082

Description Gowrishankar Rajaiyan 2011-10-22 01:40:01 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.3-2.el6.x86_64

How reproducible:
Not always

Steps to Reproduce:
1. install ipa-server with dns 
2. Used the following script to create dnsrecords, hosts, hostgroups and hbacrule
#!/bin/bash
# Bulk-populate the IPA server: for every j.i pair create a user, an A record,
# a host, a host group holding that host, and an HBAC rule that ties the
# user, the sshd service and the host group together.
for j in {1..7}; do
    for i in {2..253}; do
        ipa user-add user$j$i --first=u --last=$j$i
        ipa dnsrecord-add lab.eng.pnq.redhat.com host$j$i --a-rec=1.1.$j.$i
        ipa host-add host$j$i.lab.eng.pnq.redhat.com
        ipa hostgroup-add hostgrp$j$i --desc="hostgrp$j$i"
        ipa hostgroup-add-member hostgrp$j$i --hosts=host$j$i.lab.eng.pnq.redhat.com
        ipa hbacrule-add hbacrulehost$j$i
        ipa hbacrule-add-user hbacrulehost$j$i --users=user$j$i
        ipa hbacrule-add-service hbacrulehost$j$i --hbacsvcs=sshd
        ipa hbacrule-add-sourcehost hbacrulehost$j$i --hostgroups=hostgrp$j$i
        ipa hbacrule-add-host hbacrulehost$j$i --hostgroups=hostgrp$j$i
    done
done

3. [root@bumblebee ~]# date
Fri Oct 21 18:49:34 EDT 2011
[root@bumblebee ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
10/21/11 18:46:16  10/22/11 18:46:14  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
10/21/11 18:46:28  10/22/11 18:46:14  HTTP/bumblebee.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
[root@bumblebee ~]# 

4. [root@bumblebee ~]# ipa user-add shanks
First name: s
Last name: r
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: s
  Last name: r
  Full name: s r
  Display name: s r
  Initials: sr
  Home directory: /home/shanks
  GECOS field: s r
  Login shell: /bin/sh
  Kerberos principal: shanks@LAB.ENG.PNQ.REDHAT.COM
  UID: 2601283
  GID: 2601283
  Keytab: False
  Password: False
[root@bumblebee ~]# 

5. ipa  passwd shanks
New Password: Shanks1
Enter New Password again to verify: Shanks1
  
Actual results:
ipa: ERROR: Confidentiality required: Operation requires a secure connection.

Expected results:
password set successfully 

Additional info:

[root@bumblebee ~]# ipa -d  passwd shanks
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml
ipa: DEBUG: Created connection context.xmlclient
New Password: 
Enter New Password again to verify: 
ipa: DEBUG: raw: passwd(u'shanks', u'********', u'********')
ipa: DEBUG: passwd(u'shanks@LAB.ENG.PNQ.REDHAT.COM', u'********', u'********')
ipa: INFO: Forwarding 'passwd' to server u'https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml'
ipa: DEBUG: NSSConnection init bumblebee.lab.eng.pnq.redhat.com
ipa: DEBUG: connect_socket_family: host=bumblebee.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connecting: 10.65.201.64:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
        Validity:
            Not Before: Thu Oct 20 14:33:01 2011 UTC
            Not After : Sun Oct 20 14:33:01 2013 UTC
        Subject: CN=bumblebee.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                    Exponent: 65537 (0x10001)
    Signed Extensions: (4)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            f2:43:f4:33:75:4a:6c:d2:75:b2:91:0f:70:5a:31:59:
            23:09:22:96
        Serial Number: None
        General Names: [0 total]

        Name: Authority Information Access
        Critical: False

        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

    Fingerprint (MD5):
        8d:b5:13:b8:0a:b9:c3:f9:a0:1c:b0:81:39:1f:0d:10
    Fingerprint (SHA1):
        e8:91:1c:b6:f9:31:42:b4:08:5c:73:45:30:97:37:8d:
        bf:cf:b3:5a
    Signature:
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Signature Data:
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=bumblebee.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = 10.65.201.64:443
ipa: DEBUG: Caught fault 4203 from server https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml: Confidentiality required: Operation requires a secure connection.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Confidentiality required: Operation requires a secure connection.

Comment 2 Dmitri Pal 2011-10-22 23:15:47 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2021

Comment 3 Dmitri Pal 2011-10-24 15:27:10 UTC
Can you please provide dirsrv logs to see what is going on?

Comment 5 Nathan Kinder 2011-10-24 18:08:56 UTC
The problem is that the openldap libs on the system have the SASL maxssf property configured to 0.  This makes the negotiated SSF 0.

# find . | xargs grep maxssf ./*
/etc/openldap/ldap.conf:sasl_secprops   minssf=0,maxssf=0

We should not be setting these secprops in /etc/openldap/ldap.conf.

Comment 6 Rob Crittenden 2011-10-25 12:51:59 UTC
I think we should probably set our own LDAP_OPT_X_SASL_SSF_MAX so we won't be affected by this bad configuration.
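The misconfiguration from comment 5 and the per-connection override from comment 6, as an added example that is not part of the bug report or of IPA's own code: it parses sasl_secprops out of a constructed ldap.conf, flags a maxssf cap, and models how the negotiated SSF collapses to 0 unless the application sets its own LDAP_OPT_X_SASL_SSF_MAX. The required-SSF threshold of 1 and the server-side value of 256 used in the checks are assumptions.

```python
import re

# Constructed sample of /etc/openldap/ldap.conf carrying the weak line from
# comment 5, and the same file with that line removed (the suggested fix).
WEAK_CONF = """\
# OpenLDAP client defaults (constructed sample)
BASE   dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
URI    ldap://bumblebee.lab.eng.pnq.redhat.com
sasl_secprops   minssf=0,maxssf=0
"""
FIXED_CONF = WEAK_CONF.replace("sasl_secprops   minssf=0,maxssf=0\n", "")


def parse_secprops(conf_text):
    """Collect sasl_secprops key=value pairs; a later line overrides an earlier one."""
    props = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        match = re.match(r"sasl_secprops\s+(\S+)", line, re.IGNORECASE)
        if not match:
            continue
        for item in match.group(1).split(","):
            key, _, value = item.partition("=")
            props[key.lower()] = int(value) if value.isdigit() else True
    return props


def negotiated_ssf(client_maxssf, server_ssf, app_maxssf=None):
    """Simplified model of the SASL security-layer negotiation: the lowest cap wins.
    app_maxssf stands for a per-connection LDAP_OPT_X_SASL_SSF_MAX set by the
    application, which takes precedence over the ldap.conf value (comment 6)."""
    cap = app_maxssf if app_maxssf is not None else client_maxssf
    return min(cap, server_ssf)


def audit_ldap_conf(conf_text, required_ssf=1):
    """Report a maxssf cap that would leave the bind without a confidentiality
    layer. required_ssf=1 is an assumption: the directory server rejected the
    password change because the negotiated SSF was 0."""
    props = parse_secprops(conf_text)
    maxssf = props.get("maxssf")
    if maxssf is None or maxssf >= required_ssf:
        return []
    return ["sasl_secprops maxssf=%d caps the negotiated SSF below %d; "
            "operations that require confidentiality will fail"
            % (maxssf, required_ssf)]
```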

Comment 7 Rob Crittenden 2012-02-06 17:12:06 UTC
Fixed upstream.

master: e6cdcad8df8712a5f452a74a3f3186146ef1e04b

ipa-2-2: e1b20be71d00e55cf2a3188222e6d76741602599

See the upstream trac ticket for a suggestion on testing.

Comment 9 Jenny Severance 2012-04-02 14:18:09 UTC
verified :

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bug748110: At times setting password fails with Confidentiality required: Operation requires a secure connection. errro
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Verifies https://bugzilla.redhat.com/show_bug.cgi?id=748110
:: [   PASS   ] :: Backup /etc/openldap/ldap.conf
:: [   PASS   ] :: Running 'service httpd restart'
:: [   PASS   ] :: Running 'tcpdump -i lo -w /tmp/snoop &'
:: [   PASS   ] :: Running 'ipa user-show admin'
:: [   PASS   ] :: Running 'tcpdump -i lo -r /tmp/snoop -s 8192 -X > /tmp/bug748110-tcpdump.txt 2>&1'
:: [   PASS   ] :: File '/tmp/bug748110-tcpdump.txt' should not contain 'cn=users'
:: [   PASS   ] :: File '/tmp/bug748110-tcpdump.txt' should not contain 'cn=accounts'
:: [   PASS   ] :: Restoring /etc/openldap/ldap.conf
:: [   PASS   ] :: Running 'service httpd restart'
:: [   LOG    ] :: Duration: 6s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: bug748110: At times setting password fails with Confidentiality required: Operation requires a secure connection. errro

version :
ipa-server-2.2.0-7.el6.x86_64

Comment 11 Martin Kosek 2012-04-18 20:52:43 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed.

Comment 12 Rob Crittenden 2012-05-08 17:13:23 UTC
*** Bug 769545 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2012-06-20 13:15:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html