
Error 634 when changing password


dan.d...@at-net.net

18 Feb 2009, 11:07:08 AM

I have (3) OES1SP2 servers. All have replicas (master + 2 RW).

When attempting to change a user password using iManager, I receive
the error "(Error -634) The target server does not have a copy of what
the source server is requesting. Or, the source server has no objects
that match the request and has no referrals on which to search for the
object."

On all three servers . . .

ndsrepair reports time is good (-T), db is good (-R), replica ring is
good (-N)

ndstrace shows sync is good

slptool shows slp is good

Two of the servers have been in place for a few years and we have not
had any problems with passwords before (though, admittedly we may
never have changed a password before . . . but we certainly set them).

The third server runs GroupWise 7 and was added this year. We
probably have not attempted to change a password since this server was
added.

Other eDirectory changes happen with no problem.

iManager is 2.5.20051102.

Trying to change password in ConsoleOne reports a 632 error.

namusermod reports "Can't contact LDAP server." but I never used this
before today so I may have the syntax wrong. Ports 389 and 636 are
listening on all three servers and we have no other LDAP issues (web
site authentication OK, etc).

id admin works, demonstrating LUM is OK.

I know it looks like server communications, but we are just not seeing
eDirectory errors.

eDirectory on all servers is 10552.79.

Thanks in advance.

Dan

warper2

18 Feb 2009, 12:31:02 PM

dan.d...@at-net.net wrote:

Expired Certificates?

dan.d...@at-net.net

18 Feb 2009, 8:11:07 PM

Good deduction. I was meaning to check that but got distracted. Yes,
server certificates (SSL CertificateDNS and SSL CertificateIP) were
expired for two of the servers. Deleted and re-created using
ConsoleOne, but still have the same error. Ran DSREPAIR -R on all
servers after creation of new certs and also re-booted both servers.

dan.d...@at-net.net

18 Feb 2009, 8:21:50 PM

On Thu, 19 Feb 2009 00:06:02 GMT, ataubman
<atau...@no-mx.forums.novell.com> wrote:

>
>Can you post the output of the timesync and edir sync status ndsrepair
>runs please?
>
>Are all replicas in an ON state?

oesclt1:~ # ndsrepair -T
Repair utility for Novell eDirectory - 8.7.3 v10550.93
DS Version 10552.79 Tree name: PENTA_TREE
Server name: .oesclt1.chlt.penta

Size of /var/nds/ndsrepair.log = 33282 bytes.

Building server list
Please Wait...
Preparing Log File "/var/nds/ndsrepair.log"
Please Wait...
Collecting time synchronization and server status
Time synchronization and server status information
Start: Wednesday, February 18, 2009 08:12:37 PM Local Time

---------------------------+---------+---------+-----------+--------+-------
                           |   DS    | Replica |   Time    |Time is | Time
Server name                | Version |  Depth  |  Source   |in sync |  +/-
---------------------------+---------+---------+-----------+--------+-------
Processing server: .gw.chlt.penta
.gw.chlt.penta             |10552.79 |    0    |Non-NetWare|  Yes   |   0
Processing server: .oesws1.ws.penta
.oesws1.ws.penta           |10552.79 |    0    |Non-NetWare|  Yes   |   0
Processing server: .oesclt1.chlt.penta
.oesclt1.chlt.penta        |10552.79 |    0    |Non-NetWare|  Yes   |   0
---------------------------+---------+---------+-----------+--------+-------
Total errors: 0
NDSRepair process completed.
oesclt1:~ #

------------------------------------------------------------------------------------------------------

oesclt1:~ # ndsrepair -N
Repair utility for Novell eDirectory - 8.7.3 v10550.93
DS Version 10552.79 Tree name: PENTA_TREE
Server name: .oesclt1.chlt.penta

Size of /var/nds/ndsrepair.log = 34161 bytes.

This list shows each server found in the local database. Select a
server to display an options menu.
Building server list
Please Wait...
Total number of servers found = 3

SERVER NAME                       LOCAL STATUS    LOCAL ID
(1) oesclt1.chlt.penta            Up              0000806B
(2) oesws1.ws.penta               Up              0000806D
(3) gw.chlt.penta                 Up              00008211

------------------------------------------------------------------------------------------------------

oesclt1:~ # ndsrepair -E
Repair utility for Novell eDirectory - 8.7.3 v10550.93
DS Version 10552.79 Tree name: PENTA_TREE
Server name: .oesclt1.chlt.penta

Size of /var/nds/ndsrepair.log = 34161 bytes.

Preparing Log File "/var/nds/ndsrepair.log"
Please Wait...
Collecting replica synchronization status
Start: Wednesday, February 18, 2009 08:14:11 PM Local Time
Retrieve replica status

Partition: .[Root].
Replica on server: .gw.chlt.penta
Replica: .gw.chlt.penta 02-18-2009 20:02:32
Replica on server: .oesclt1.chlt.penta
Replica: .oesclt1.chlt.penta 02-18-2009 20:02:37
Replica on server: .oesws1.ws.penta
Replica: .oesws1.ws.penta 02-18-2009 20:02:37
All servers synchronized up to time: 02-18-2009 20:02:32
Finish: Wednesday, February 18, 2009 08:14:11 PM Local Time

Total errors: 0
NDSRepair process completed.
oesclt1:~ #

According to iManager, Replica View, all replicas are UP.

dan.d...@at-net.net

18 Feb 2009, 8:26:52 PM

On Wed, 18
Just noticed something else, too. I have a Universal
Password Policy that I forgot I had and don't know why I have. It is:

Universal Password
Options
Enable Universal Password true
Enable the Advanced Password Rules true
Remove the NDS password when setting Universal Password false
Synchronize NDS password when setting Universal Password true
Synchronize Simple Password when setting Universal Password false
Synchronize Distribution Password when setting Universal Password true
Allow user agent to retrieve password true
Verify whether existing passwords comply with the password policy
(verification occurs on login) false

Rules
Allow user to initiate password change true
Require unique passwords false
Minimum number of characters in password 4
Maximum number of characters in password 512
Allow numeric characters in password true
Disallow numeric as first character false
Disallow numeric as last character false
Allow special characters in the password true
Disallow special character as first character false
Disallow special character as last character false

Forgotten Password
Enabled: false
Policy Assignments

warper2

18 Feb 2009, 11:13:36 PM

dan.d...@at-net.net wrote:

Make sure that ldap is reading the certs.

dan.d...@at-net.net

20 Feb 2009, 11:54:53 AM

I can browse LDAP over 389 and 636 using LDAPTOOL. I can also run the
following against all servers:

#ldapsearch -h oesws1 -s base -D cn=admin,o=penta -W -Z -x

I setup ndstrace while trying to change a password, with "set
ndstrace=NMAS". It produces the following:

oesclt1:~ # ndstrace
5: >>ServerGet: message size=8 queue size 0
5: >>ClientPut: message size=8 queue Size 0
5: WhatNext
5: Successful login
5: <<ServerPut: message size=8 queue size 0
5: <<ServerPut: message size=4 queue size 8
5: <<ClientGet: message size=8 queue Size 12
5: <<ClientGet: message size=4 queue Size 4
5: >>ServerGet: message size=8 queue size 0
5: NDS Credential request
5: Returning NDS Credential size 454
5: Encrypted NDS Credential size 456
5: nmasEndSession: Login succeeded
5: Client Session Destroy Request
5: Local Session Cleared (Not Destroyed)
5: Server thread exited
ERROR: -1418 CCS_UnwrapKey:performX

ERROR: -1418 spmAgentSetPassword failed
ERROR: -1418 CCS_UnwrapKey:performX

ERROR: -1418 spmAgentSetPassword failed
Server: oesclt1
NDSTrace: quit

I also removed my universal password policy as it was not really
adding anything (we only have Novell clients, no special password
restrictions, etc).

Dan
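The trace in this post is the useful clue: the NMAS login completes, and only the set-password step fails, twice, with -1418 in CCS_UnwrapKey. As an added example (not from the thread or from Novell), here is a small Python triage script that parses ndstrace output in that format, pulls out each ERROR code with the routine that raised it, and annotates the two codes discussed in this thread. The sample trace is constructed from the lines above; the code descriptions are the ones given in the thread itself.

```python
import re
from collections import Counter

# Constructed sample: the NMAS ndstrace excerpt posted above.
SAMPLE_TRACE = """\
5: WhatNext
5: Successful login
5: NDS Credential request
5: Returning NDS Credential size 454
5: nmasEndSession: Login succeeded
5: Server thread exited
ERROR: -1418 CCS_UnwrapKey:performX

ERROR: -1418 spmAgentSetPassword failed
ERROR: -1418 CCS_UnwrapKey:performX

ERROR: -1418 spmAgentSetPassword failed
Server: oesclt1
NDSTrace: quit
"""

# Descriptions as stated in this thread (not an official code table).
KNOWN_CODES = {
    -634: "target server has no copy of the requested object and no referral",
    -1418: "likely an SDI key problem; check that all keys are valid and synced (sdidiag)",
}

# Lines look like: "ERROR: <code> <routine>[:<detail>] [failed]"
ERROR_RE = re.compile(r"^ERROR:\s+(-?\d+)\s+(\S+)")


def parse_errors(trace_text):
    """Return (code, routine) tuples in the order they appear in the trace."""
    found = []
    for line in trace_text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return found


def summarize(trace_text):
    """Triage: did login succeed, how often each code fired, and where it was first raised."""
    errors = parse_errors(trace_text)
    login_ok = any("Login succeeded" in line for line in trace_text.splitlines())
    first_routine = {}
    for code, routine in errors:          # first occurrence is the deepest reported cause
        first_routine.setdefault(code, routine)
    return {
        "login_succeeded": login_ok,
        "error_counts": dict(Counter(code for code, _ in errors)),
        "first_routine": first_routine,
        "hints": {code: KNOWN_CODES.get(code, "unknown code") for code in first_routine},
    }
```

Running summarize(SAMPLE_TRACE) shows login succeeded, -1418 raised four times, first in CCS_UnwrapKey:performX, which points at key handling rather than replication or LDAP.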

dan.d...@at-net.net

23 Feb 2009, 12:50:55 PM

On Sun, 22 Feb 2009 21:56:02 GMT, ataubman
<atau...@no-mx.forums.novell.com> wrote:

>
>OK, 1418 is likely a key problem, see TID 3833399. Use the new Linux
>version of SDIDIAG to check that all keys are valid and synced OK.

You are a genius! Shortly after the original two servers (oesclt1 and
oesws1) were installed, I re-installed the first server (oesclt1)
because I had originally installed using original OES1 media instead
of the then-newly-available OES1SP2 media and was having all kinds of
odd problems (oesws1 was installed using OES1SP2).

Because of this, the oesws1 server still had the SDKey for the
original installation in addition to the SDKey for the new
installation. The original key was not revoked.

Using sdidiag and tkinfo.pl showed the problem, and rd -t solved it.

Thanks again!

dan.d...@at-net.net

23 Feb 2009, 1:04:00 PM

On Mon, 23 Feb 2009 17:50:55 GMT, dan.d...@at-net.net wrote:

Actually I meant to say the then-newly-available OESSP1 media. The
third server, gw, was installed using OESSP2.

Thanks to all who responded!
