#1839 IPA services fail to start with "Failed to initialize credentials (Password has expired)"
Closed: Fixed None Opened 12 years ago by jcholast.

Current IPA master failed to start for me while I was trying to test it today.

/var/log/messages:

Sep 22 10:18:41 vm-123 named[5038]: starting BIND 9.8.1-RedHat-9.8.1-1.fc15 -u named
Sep 22 10:18:41 vm-123 named[5038]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Sep 22 10:18:41 vm-123 named[5038]: adjusted limit on open files from 4096 to 1048576
Sep 22 10:18:41 vm-123 named[5038]: found 1 CPU, using 1 worker thread
Sep 22 10:18:41 vm-123 named[5038]: using up to 4096 sockets
Sep 22 10:18:41 vm-123 named[5038]: loading configuration from '/etc/named.conf'
Sep 22 10:18:41 vm-123 named[5038]: using default UDP/IPv4 port range: [1024, 65535]
Sep 22 10:18:41 vm-123 named[5038]: using default UDP/IPv6 port range: [1024, 65535]
Sep 22 10:18:41 vm-123 named[5038]: listening on IPv6 interfaces, port 53
Sep 22 10:18:41 vm-123 named[5038]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 22 10:18:41 vm-123 named[5038]: listening on IPv4 interface eth0, 10.16.78.123#53
Sep 22 10:18:41 vm-123 named[5038]: generating session key for dynamic DNS
Sep 22 10:18:41 vm-123 named[5038]: sizing zone task pool based on 6 zones
Sep 22 10:18:41 vm-123 named[5038]: Failed to init credentials (Password has expired)
Sep 22 10:18:41 vm-123 named[5038]: loading configuration: failure
Sep 22 10:18:41 vm-123 named[5038]: exiting (due to fatal error)
Sep 22 10:18:41 vm-123 systemd[1]: named.service: control process exited, code=exited status=7
Sep 22 10:18:41 vm-123 systemd[1]: Unit named.service entered failed state.
Sep 22 10:18:41 vm-123 systemd[1]: Reloading.
Sep 22 10:18:44 vm-123 systemd[1]: Reloading.
Sep 22 10:18:44 vm-123 sssd: Starting up
Sep 22 10:18:45 vm-123 sssd[be[idm.lab.bos.redhat.com]]: Starting up
Sep 22 10:18:45 vm-123 sssd[nss]: Starting up
Sep 22 10:18:45 vm-123 sssd[pam]: Starting up
Sep 22 10:18:45 vm-123 systemd[1]: Reloading.
Sep 22 10:18:45 vm-123 systemd[1]: Reloading.
Sep 22 10:18:53 vm-123 systemd[1]: kadmin.service: main process exited, code=exited, status=2
Sep 22 10:18:54 vm-123 [sssd[ldap_child[5475]]]: Failed to initialize credentials using keytab [(null)]: Password has expired. Unable to create GSSAPI-encrypted LDAP connection.
Sep 22 10:18:54 vm-123 named[5476]: starting BIND 9.8.1-RedHat-9.8.1-1.fc15 -u named
Sep 22 10:18:54 vm-123 named[5476]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Sep 22 10:18:54 vm-123 named[5476]: adjusted limit on open files from 4096 to 1048576
Sep 22 10:18:54 vm-123 named[5476]: found 1 CPU, using 1 worker thread
Sep 22 10:18:54 vm-123 named[5476]: using up to 4096 sockets
Sep 22 10:18:54 vm-123 named[5476]: loading configuration from '/etc/named.conf'
Sep 22 10:18:54 vm-123 named[5476]: using default UDP/IPv4 port range: [1024, 65535]
Sep 22 10:18:54 vm-123 named[5476]: using default UDP/IPv6 port range: [1024, 65535]
Sep 22 10:18:54 vm-123 named[5476]: listening on IPv6 interfaces, port 53
Sep 22 10:18:54 vm-123 named[5476]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 22 10:18:54 vm-123 named[5476]: listening on IPv4 interface eth0, 10.16.78.123#53
Sep 22 10:18:54 vm-123 named[5476]: generating session key for dynamic DNS
Sep 22 10:18:54 vm-123 named[5476]: sizing zone task pool based on 6 zones
Sep 22 10:18:54 vm-123 named[5476]: Failed to init credentials (Password has expired)
Sep 22 10:18:54 vm-123 named[5476]: loading configuration: failure
Sep 22 10:18:54 vm-123 named[5476]: exiting (due to fatal error)

This is worrying:

 Sep 22 10:18:54 vm-123 [sssd[ldap_child[5475]]]: Failed to initialize
 credentials using keytab [(null)]: Password has expired. Unable to create
 GSSAPI-encrypted LDAP connection.

Can you reproduce?

I've tried installing IPA several times on two different machines, always with the same result. The system was fully updated with packages from updates-testing and ipa-devel.

It seems I cannot reproduce it with my dev tree that has all the ipa-kdb patches I created lately.

Checking my tree, the only patch not in master yet at this moment seems to be my patch for bug #1820.

Can you re-test with latest master and that patch and tell me if you can still reproduce?

I'm still getting the error after applying the patch.

Just for the record, current ipa-2-1 works fine.

OK, never mind, reproduced here after another restart, odd.
I will investigate and fix.

Merge KDC LDAP components to one.

Metadata Update from @jcholast:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2011/09

7 years ago
