| Bug Number | Description | Workaround |
|---|---|---|
| None | If you use password authentication (no GSSAPI authentication, no ticket on the client) with a new user or a user whose password has expired, you need to enable Challenge-Response authentication. Otherwise, the password changing dialog will not display. This is not enabled by default because some older SSH clients may not support Challenge-Response authentication, and it is needed only if the password is expired. | Set ChallengeResponseAuthentication to "yes" in /etc/ssh/sshd_config. |
| 432865 | Inability to handle enforced password changes using krb5-auth-dialog. This has been observed as a result of an uninstall and reinstall, but may also occur at other times. If you receive a Kerberos pop-up window prompting for a log-in renewal, and this occurs at the same time that a password change is required, the Kerberos dialog may not be able to handle the password change. It may continue to prompt for further logins and password changes. | Log in and change the password using the kinit command from the command line. |
| 435152 | Renaming groups may lead to problems with ACIs. If you rename a group used in an ACI, the ACI itself is not updated, the result being that the group will fall out of the ACI scope. IPA does not currently support per-user ACIs, so this issue only affects groups. | Ensure that any changes to group names are reflected in IPA Delegations. |
| 441005 | Unsuccessful password changes can produce misleading error messages. The default IPA password policy specifies a minimum password lifetime of one hour. If you try to change the password before that time has passed, the operation will fail. The error message, however, could be something like the following: "User password change failed: A database error occurred." This occurs because python-ldap does not provide support for ldap_extended_operation or ldap_parse_extended_result, so there is no way of returning a more precise error message. | None at this time. |
| 441400 | Delegations cause the Edit button to appear on all users for anyone in the People in Group group, regardless of actual, specific permissions. Any user who belongs to a group that can edit other users based on delegations will also be able to edit all other users. This may not reflect any actual permissions to edit any specific user and will come into effect even if there are no users in the target group. | None at this time. |
| 441579 | On 64-bit Red Hat Enterprise Linux 5.2 systems, the krb5libs package is not automatically updated when the ipa-server package is installed. | Before you install the ipa-server package, manually update the krb5libs package. |
| 442454 | There is currently no automated way to cleanly remove an IPA replica and all configured components. | Run the ipa-server-install command, and when it detects the existing Directory Server instance, press Enter to remove it, and then abort the installation. You still need to remove the remainder of the files that were configured during the installation process, mainly under /etc/dirsrv/. |
| 443607 | This has been observed on a Fedora 7 client, but may also occur on other clients. When the current Kerberos ticket expires, the normal Kerberos "Renew password" dialog appears, but if you do not renew the password (for example, the machine is running overnight), then multiple instances of this dialog can appear. | It is understood that you only need to provide the password for one of the dialogs. The others can be dismissed. |
| 450613 | IPA does not handle group names with spaces properly. If you create a group that contains any spaces in its name, for example "Group Name", you will see a "Group show failed: Group%20Name not found" error when you try to save the group. The group was, in fact, created successfully and you can search for and find the group, add members to it and work with it normally. Each time you save the group, however, you will see the same error message. | No workaround at present; however, due to the mixed environment in which Red Hat Enterprise IPA is expected to operate, best practice recommends that you not create group names that contain spaces. |
| 450941 | The Directory Server installation does not correctly detect ports that are already in use. The Directory Server installer checks whether the requested ports are in use before continuing the installation (Util.pm::portAvailable). It does not set SO_REUSEADDR, so it incorrectly detects as in use ports that should otherwise be available. | If you receive an error message stating that required ports are unavailable, and you know that they are available, wait a couple of minutes and retry the installation. |
| 451014 | Directory name error in the ipa-server-certinstall command. The ipa-server-certinstall -d command assumes that the CA certificate is located in the /etc/dirsrv/slapd-DOMAIN.COM/ directory. The IPA installation routines, however, install it in /etc/dirsrv/slapd-DOMAIN-COM/, the difference being the use of a dash rather than a dot as a separator. | Do not use the ipa-server-certinstall command at this time. Refer to Section 2.1, “Manually Replacing Self-Signed Certificates” for instructions on how to manually install certificates. |
| 451116 | On a master-replica setup, the ID allocation configuration is not yet split by range, so it is possible for the master and any replicas to add new users with the same userid. Red Hat Enterprise IPA uses a plugin to solve the problem of creating unique IDs across multiple masters. It does this by ensuring that each master chooses from a different pool of IDs. This is yet to be worked into the replica creation code, and so at present masters and replicas allocate userids from the same pool. Further, the plugin does not check if the ID is already in use before allocating it to a new user. | Currently all servers try to assign IDs from 1101 up to 1,000,000,000. Before you start to use a replica, you need to change the DNA plugin configuration to use a different set of ranges. Refer to Section 2.2, “Modifying the DNA Plugin Configuration” for instructions on how to update the DNA plugin configuration. |
| 451318 | The ipa-moduser -f command may not change the appearance of the user's first name when shown as the full name. If you use the ipa-finduser -a command to search for and display a user's details after you have changed their first name, the value of First Name should be correct, but the value of Full Name might still appear as the original name. | At present the only workaround is to change Fullname whenever you change the First Name or Last Name values. |
| 451358 | The potential exists for Directory Server to crash if you nest groups too deeply. This can occur if you attempt to nest groups more than 19 or 20 deep. | None at this time. The current recommendation is to not nest groups more than 16 levels deep. |
| 451376 | For large numbers of groups, searches may suffer from poor performance and may also return incorrect results. This appears to be an index-related issue. | None at this time. |
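Added example for bug 451116 (not part of the release notes): it flags uidNumber values that a master and a replica have each handed to a different user from the shared pool, and splits the 1101 to 1,000,000,000 range the table gives into disjoint per-server ranges. The user entries in SAMPLE are constructed; dnaNextValue and dnaMaxValue are the 389 Directory Server DNA plug-in attributes, while the plug-in entry DN is a placeholder to be taken from Section 2.2.

```python
"""Added example for bug 451116: uidNumber collisions and disjoint DNA ranges."""
from collections import defaultdict

# The range the release notes say every server currently allocates from.
DNA_FIRST = 1101
DNA_LAST = 1_000_000_000

def find_uid_collisions(entries_by_server):
    """entries_by_server: {server: [(dn, uidNumber), ...]} as exported from
    each server. The same DN on two servers is ordinary replication; the
    same uidNumber on two different DNs is a collision."""
    dns_for_uid = defaultdict(set)
    for entries in entries_by_server.values():
        for dn, uid in entries:
            dns_for_uid[int(uid)].add(dn)
    return {uid: sorted(dns) for uid, dns in sorted(dns_for_uid.items())
            if len(dns) > 1}

def split_dna_ranges(servers, first=DNA_FIRST, last=DNA_LAST):
    """Divide [first, last] into one disjoint (next, max) pair per server."""
    width = (last - first + 1) // len(servers)
    ranges = {}
    for i, server in enumerate(servers):
        lo = first + i * width
        hi = last if i == len(servers) - 1 else lo + width - 1
        ranges[server] = (lo, hi)
    return ranges

def dna_ldif(lo, hi, plugin_dn):
    """LDIF modify to apply on one server (cn=config is not replicated).
    dnaNextValue and dnaMaxValue are the 389 DS DNA plug-in attributes;
    plugin_dn is the DNA entry named in Section 2.2 (placeholder below)."""
    return (f"dn: {plugin_dn}\nchangetype: modify\n"
            f"replace: dnaNextValue\ndnaNextValue: {lo}\n-\n"
            f"replace: dnaMaxValue\ndnaMaxValue: {hi}\n")

# Constructed sample: alice and bob got the same ID from the shared pool;
# carol was created on the master and replicated to the replica.
SAMPLE = {
    "master":  [("uid=alice,cn=users,cn=accounts,dc=example,dc=com", 1101),
                ("uid=carol,cn=users,cn=accounts,dc=example,dc=com", 1102)],
    "replica": [("uid=bob,cn=users,cn=accounts,dc=example,dc=com", 1101),
                ("uid=carol,cn=users,cn=accounts,dc=example,dc=com", 1102)],
}

if __name__ == "__main__":
    for uid, dns in find_uid_collisions(SAMPLE).items():
        print(f"uidNumber {uid} is used by: {', '.join(dns)}")
    for lo, hi in split_dna_ranges(["master", "replica"]).values():
        print(dna_ldif(lo, hi, "cn=DNA-PLUGIN-ENTRY-FROM-SECTION-2.2"))
```

Run the collision check against user exports from every server before and after applying the new ranges, since the plug-in itself does not check whether an ID is already in use.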
Manual replacement of the self-signed certificates in the Directory Server and Apache NSS databases.

Directory Server certificate database (the nickname given to certutil -M must match the one used with certutil -A):

```shell
# cd /etc/dirsrv/slapd-INSTANCE
# mkdir backup
# mv *.db backup
# certutil -N -d . -f pwdfile.txt
# pk12util -i <filename> -d .
# certutil -A -d . -n "CA certificate" -t CT,, -a < <ca_filename>
# certutil -M -d . -t CT,, -n "CA certificate"
# certutil -L -d .
```

Apache certificate database:

```shell
# cd /etc/httpd/alias
# mkdir backup
# mv *.db backup
# certutil -N -d .
```

password.conf file.

```shell
# pk12util -i <filename> -d .
# certutil -L -d .
```

The certutil -L output should list both certificates:

Server-Cert u,u,u
CA certificate c,c,c

NSSNickname in /etc/httpd/conf.d/nss.conf needs to be set to the same value as the server certificate nickname. If the nickname includes any spaces, you need to enclose the entire nickname in quotation marks for Apache to process it correctly.

nsSSLPersonalitySSL in the entry cn=RSA,cn=encryption,cn=config needs to be set to the nickname.

Ownership and permissions of the certificate database files:

/etc/httpd/alias should be root:apache, mode 0640
/etc/dirsrv/slapd-INSTANCE should be DSUSER:root, mode 0600
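Added example (not from the release notes): after the manual replacement, verify the database file ownership and modes listed above, and derive the Directory Server instance directory with the dash separator that bug 451014 describes. The realm, the uid/gid values and the files that demo() creates are constructed; check_ipa_cert_dbs needs the real apache gid and Directory Server uid of the host it runs on.

```python
"""Added example: checks after the manual certificate replacement above."""
import os
import stat
import tempfile

def dirsrv_instance_dir(realm, base="/etc/dirsrv"):
    """Instance directory as the IPA installer names it: slapd-DOMAIN-COM,
    with dashes where the realm has dots (the form bug 451014 gets wrong)."""
    return os.path.join(base, "slapd-" + realm.upper().replace(".", "-"))

def check_nss_db(directory, owner_uid, group_gid, mode):
    """Return a list of problems for the *.db files in directory: wrong
    owner, wrong group, or permission bits other than `mode`."""
    problems = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".db"):
            continue
        st = os.stat(os.path.join(directory, name))
        if st.st_uid != owner_uid:
            problems.append(f"{name}: owner uid {st.st_uid}, expected {owner_uid}")
        if st.st_gid != group_gid:
            problems.append(f"{name}: group gid {st.st_gid}, expected {group_gid}")
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            problems.append(f"{name}: mode {actual:04o}, expected {mode:04o}")
    return problems

def check_ipa_cert_dbs(realm, apache_gid, dsuser_uid):
    """Apply the two rules from the procedure: /etc/httpd/alias must be
    root:apache 0640 and the Directory Server instance DSUSER:root 0600."""
    return (check_nss_db("/etc/httpd/alias", 0, apache_gid, 0o640)
            + check_nss_db(dirsrv_instance_dir(realm), dsuser_uid, 0, 0o600))

def demo():
    """Constructed fixture: NSS db files owned by the current user, one of
    them (secmod.db) left world-readable, checked against the Apache rule."""
    with tempfile.TemporaryDirectory() as d:
        for name, m in (("cert8.db", 0o640), ("key3.db", 0o640), ("secmod.db", 0o644)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, m)
        return check_nss_db(d, os.getuid(), os.getgid(), 0o640)

if __name__ == "__main__":
    print(dirsrv_instance_dir("EXAMPLE.COM"))
    print(demo())
```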