[Freeipa-users] ipa-client-install certutil failure
Hello,

I am using IPA version 3.0 on the server, and if I want to install on Ubuntu with ipa-client-install, in the end this certutil command
"/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt" fails.

If I try it manually it says:

certutil: function failed: The certificate/key database is in an old, unsupported format.

I don't know what I need nssdb for. Is there a way to recreate this nssdb file?

Thank you
Jakub Bittner

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-client-install certutil failure
Jakub Bittner wrote:
> Hello,
>
> I am using IPA version 3.0 on the server, and if I want to install on Ubuntu
> with ipa-client-install, in the end this certutil command
> "/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt" fails.
>
> If I try it manually it says:
>
> certutil: function failed: The certificate/key database is in an old, unsupported format.
>
> I don't know what I need nssdb for. Is there a way to recreate this
> nssdb file?

Is it safe to assume that there is no NSS database in /etc/pki/nssdb (the certutil error msgs are horrible)? There should be 3 .db files, keyX.db, certY.db and secmod.db.

To create an empty one do:

certutil -N -d /etc/pki/nssdb

You can set no password on this by pressing ENTER twice at the password prompts.

These files are typically root:root mode 644.

rob
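Added example, not part of the original thread or of FreeIPA's own code: a pre-check for the database directory discussed in the reply above, run before "certutil -A". It reports which database files are present, creates an empty database only when none exists, and lists files that group or other can write to. The function names and the script name are hypothetical, and it assumes a certutil that supports --empty-password.

```sh
#!/bin/sh
# Added example. Legacy (DBM) NSS databases use cert8.db/key3.db/secmod.db,
# the "certY.db, keyX.db, secmod.db" trio; SQLite ones use
# cert9.db/key4.db/pkcs11.txt.

# Print missing | legacy | sql | partial for an NSS database directory.
nssdb_state() {
    dir=$1; legacy=0; sql=0
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$dir/$f" ]; then legacy=$((legacy + 1)); fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$dir/$f" ]; then sql=$((sql + 1)); fi
    done
    if [ "$sql" -eq 3 ]; then echo sql
    elif [ "$legacy" -eq 3 ]; then echo legacy
    elif [ $((legacy + sql)) -eq 0 ]; then echo missing
    else echo partial
    fi
}

# List database files that group or other can write to. A writable trust
# store lets any local user add a CA that the host will then trust.
nssdb_loose_perms() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# Create the database only when it is absent, then show its contents.
# Assumes an NSS build whose certutil supports --empty-password (the
# non-interactive form of pressing ENTER twice at the prompts).
ensure_nssdb() {
    case $(nssdb_state "$1") in
        missing)
            mkdir -p "$1"
            certutil -N -d "$1" --empty-password
            chmod 644 "$1"/*.db ;;
        partial)
            echo "incomplete NSS database in $1, inspect before recreating" >&2
            return 1 ;;
    esac
    certutil -L -d "$1"
}

# Usage (as root): ./nssdb-check.sh /etc/pki/nssdb   (hypothetical script name)
if [ "$#" -ge 1 ]; then
    ensure_nssdb "$1" && nssdb_loose_perms "$1"
fi
```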
Re: [Freeipa-users] ipa-client-install certutil failure
On 5.3.2013 14:43, Rob Crittenden wrote:
> Jakub Bittner wrote:
>> Hello,
>>
>> I am using IPA version 3.0 on the server, and if I want to install on Ubuntu
>> with ipa-client-install, in the end this certutil command
>> "/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt" fails.
>>
>> If I try it manually it says:
>>
>> certutil: function failed: The certificate/key database is in an old, unsupported format.
>>
>> I don't know what I need nssdb for. Is there a way to recreate this
>> nssdb file?
>
> Is it safe to assume that there is no NSS database in /etc/pki/nssdb
> (the certutil error msgs are horrible)? There should be 3 .db files,
> keyX.db, certY.db and secmod.db.
>
> To create an empty one do:
>
> certutil -N -d /etc/pki/nssdb
>
> You can set no password on this by pressing ENTER twice at the password
> prompts.
>
> These files are typically root:root mode 644.
>
> rob

Thank you for the reply. I overcame this issue, but I have a problem with changing the password on Ubuntu. I can log in, I can see GID, UID and so on, but I cannot change the password.
Re: [Freeipa-users] ipa-client-install certutil failure
Bittner Jakub wrote:
> On 5.3.2013 14:43, Rob Crittenden wrote:
>> Jakub Bittner wrote:
>>> Hello,
>>>
>>> I am using IPA version 3.0 on the server, and if I want to install on Ubuntu
>>> with ipa-client-install, in the end this certutil command
>>> "/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt" fails.
>>>
>>> If I try it manually it says:
>>>
>>> certutil: function failed: The certificate/key database is in an old, unsupported format.
>>>
>>> I don't know what I need nssdb for. Is there a way to recreate this
>>> nssdb file?
>>
>> Is it safe to assume that there is no NSS database in /etc/pki/nssdb
>> (the certutil error msgs are horrible)? There should be 3 .db files,
>> keyX.db, certY.db and secmod.db.
>>
>> To create an empty one do:
>>
>> certutil -N -d /etc/pki/nssdb
>>
>> You can set no password on this by pressing ENTER twice at the password
>> prompts.
>>
>> These files are typically root:root mode 644.
>>
>> rob
>
> Thank you for the reply. I overcame this issue, but I have a problem with
> changing the password on Ubuntu. I can log in, I can see GID, UID and so on,
> but I cannot change the password.

How are you trying to change the password? What output do you get when it fails?

Is there anything in system logs related to this? /var/log/secure, /var/log/messages.

Does password change work on other clients (e.g. if you have a Fedora client, does that work?)

rob
Re: [Freeipa-users] ipa-client-install certutil failure
On 5.3.2013 16:06, Rob Crittenden wrote:
> Bittner Jakub wrote:
>> On 5.3.2013 14:43, Rob Crittenden wrote:
>>> Jakub Bittner wrote:
>>>> Hello,
>>>>
>>>> I am using IPA version 3.0 on the server, and if I want to install on Ubuntu
>>>> with ipa-client-install, in the end this certutil command
>>>> "/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt" fails.
>>>>
>>>> If I try it manually it says:
>>>>
>>>> certutil: function failed: The certificate/key database is in an old, unsupported format.
>>>>
>>>> I don't know what I need nssdb for. Is there a way to recreate this
>>>> nssdb file?
>>>
>>> Is it safe to assume that there is no NSS database in /etc/pki/nssdb
>>> (the certutil error msgs are horrible)? There should be 3 .db files,
>>> keyX.db, certY.db and secmod.db.
>>>
>>> To create an empty one do:
>>>
>>> certutil -N -d /etc/pki/nssdb
>>>
>>> You can set no password on this by pressing ENTER twice at the password
>>> prompts.
>>>
>>> These files are typically root:root mode 644.
>>>
>>> rob
>>
>> Thank you for the reply. I overcame this issue, but I have a problem with
>> changing the password on Ubuntu. I can log in, I can see GID, UID and so on,
>> but I cannot change the password.
>
> How are you trying to change the password? What output do you get
> when it fails?
>
> Is there anything in system logs related to this? /var/log/secure,
> /var/log/messages.
>
> Does password change work on other clients (e.g. if you have a Fedora
> client, does that work?)
>
> rob

I do this procedure:

passwd
Current Password:
Password change failed. Server message: Password is too short

Password not changed.

passwd: Authentication Token Manipulation Error
passwd: password unchanged

In /var/log/auth.log is:

Mar 5 16:12:56 b125-test-201 passwd[23994]: pam_unix(passwd:chauthtok): user "bitj" does not exist in /etc/passwd
Mar 5 16:12:59 b125-test-201 passwd[23994]: pam_unix(passwd:chauthtok): user "bitj" does not exist in /etc/passwd
Mar 5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Mar 5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password is too short#012#012Password not changed.
Mar 5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): Password change failed for user bitj: 20 (Authentication Token Manipulation Error)

in wireshark:

15769.952337  ipa.domain.cz  client.domain.cz  KRB5  366  KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

P.S.
Generic error (see e-text). I don't know what or where the e-text is.

Thank you,
Jakub Bittner
Re: [Freeipa-users] ipa-client-install certutil failure
On 03/05/2013 10:18 AM, Jakub Bittner wrote:
> On 5.3.2013 16:06, Rob Crittenden wrote:
>> Bittner Jakub wrote:
>>> On 5.3.2013 14:43, Rob Crittenden wrote:
>>>> Jakub Bittner wrote:
>>>>> Hello,
>>>>>
>>>>> I am using IPA version 3.0 on the server, and if I want to install on Ubuntu
>>>>> with ipa-client-install, in the end this certutil command
>>>>> "/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt" fails.
>>>>>
>>>>> If I try it manually it says:
>>>>>
>>>>> certutil: function failed: The certificate/key database is in an old, unsupported format.
>>>>>
>>>>> I don't know what I need nssdb for. Is there a way to recreate
>>>>> this nssdb file?
>>>>
>>>> Is it safe to assume that there is no NSS database in /etc/pki/nssdb
>>>> (the certutil error msgs are horrible)? There should be 3 .db files,
>>>> keyX.db, certY.db and secmod.db.
>>>>
>>>> To create an empty one do:
>>>>
>>>> certutil -N -d /etc/pki/nssdb
>>>>
>>>> You can set no password on this by pressing ENTER twice at the password
>>>> prompts.
>>>>
>>>> These files are typically root:root mode 644.
>>>>
>>>> rob
>>>
>>> Thank you for the reply. I overcame this issue, but I have a problem with
>>> changing the password on Ubuntu. I can log in, I can see GID, UID and so on,
>>> but I cannot change the password.
>>
>> How are you trying to change the password? What output do you get
>> when it fails?
>>
>> Is there anything in system logs related to this? /var/log/secure,
>> /var/log/messages.
>>
>> Does password change work on other clients (e.g. if you have a Fedora
>> client, does that work?)
>>
>> rob
>
> I do this procedure:
>
> passwd
> Current Password:
> Password change failed. Server message: Password is too short
>
> Password not changed.
>
> passwd: Authentication Token Manipulation Error
> passwd: password unchanged
>
> In /var/log/auth.log is:
>
> Mar 5 16:12:56 b125-test-201 passwd[23994]: pam_unix(passwd:chauthtok): user "bitj" does not exist in /etc/passwd
> Mar 5 16:12:59 b125-test-201 passwd[23994]: pam_unix(passwd:chauthtok): user "bitj" does not exist in /etc/passwd
> Mar 5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
> Mar 5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password is too short#012#012Password not changed.
> Mar 5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): Password change failed for user bitj: 20 (Authentication Token Manipulation Error)

It seems that the password you are trying to use does not meet the minimal password length requirements set on the server.

> in wireshark:
>
> 15769.952337  ipa.domain.cz  client.domain.cz  KRB5  366  KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>
> P.S.
> Generic error (see e-text). I don't know what or where the e-text is.
>
> Thank you,
> Jakub Bittner

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.