Saied W. Andalib
2007-Jun-25 19:46 UTC
[Fedora-directory-users] NSS initialization failed...
I'm trying to install the FDS-1.0.4 on RHEL-5. The setup fails with the following error:

[slapd-dirs]: [25/Jun/2007:14:37:25 -0500] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix: slapd-dirs-.
[slapd-dirs]: [25/Jun/2007:14:37:25 -0500] - ERROR: NSS Initialization Failed. error:[25/Jun/2007:14:37:25 -0500] - ERROR: NSS Initialization\nFailed. system_errno:2

After which it hangs. Even when I wipe out the entire fedora-ds directory and re-install the whole thing, the above setup error reappears again! It used to work fine before, but, once it got stuck and I had to kill it, I'm getting that error message ever since. I'm wondering if some files somewhere outside the fedora-ds directory tree has changed...

Help would be appreciated!

Thanks.
Richard Megginson
2007-Jun-25 20:46 UTC
Re: [Fedora-directory-users] NSS initialization failed...
Saied W. Andalib wrote:
> I'm trying to install the FDS-1.0.4 on RHEL-5. The setup fails with
> the following error:
>
> [slapd-dirs]: [25/Jun/2007:14:37:25 -0500] - SSL alert: Security
> Initialization: NSS initialization failed (Netscape Portable Runtime
> error -8174 - security library: bad database.):
> path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix:
> slapd-dirs-. [slapd-dirs]: [25/Jun/2007:14:37:25 -0500] - ERROR: NSS
> Initialization Failed. error:[25/Jun/2007:14:37:25 -0500] - ERROR: NSS
> Initialization\nFailed. system_errno:2

ls -al /opt/fedora-ds/alias

> After which it hangs. Even when I wipe out the entire fedora-ds
> directory and re-install the whole thing, the above setup error
> reappears again! It used to work fine before, but, once it got stuck
> and I had to kill it, I'm getting that error message ever since. I'm
> wondering if some files somewhere outside the fedora-ds directory tree
> has changed...
>
> Help would be appreciated!
>
> Thanks.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Saied W. Andalib
2007-Jun-26 14:15 UTC
[Fedora-directory-users] Re: Recurring NSS initialization failure...
After the clean re-installation, I tried to do the setup, but, it fails with the same error:

[slapd-dirs]: [26/Jun/2007:09:03:00 -0500] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix: slapd-dirs-.
[slapd-dirs]: [26/Jun/2007:09:03:00 -0500] - ERROR: NSS Initialization Failed. error:[26/Jun/2007:09:03:00 -0500] - ERROR: NSS Initialization\nFailed. system_errno:2

Where it hangs. The alias directory has only one entry:

[root@dirs fedora-ds]# ls -al alias/
total 268
drwxr-xr-x 2 fedora-ds fedora-ds 4096 Jun 13 12:01 .
drwxr-xr-x 15 root root 4096 Jun 26 09:03 ..
-rwxr-xr-x 1 root root 247376 Nov 8 2006 libnssckbi.so

It didn't create the other cert and key files under alias directory. Also, the admin-serv/config directory is empty!

That NSS Initialization failure (-8174) with "bad database" error prevents the setup from doing anything. Since, this is a fresh installation, I think the bad database error is probably somewhere outside the /opt/fedora-ds tree...!

I'm only guessing at this point;-)
Any ideas as to where to look for any clues?!!!!

SWA
Richard Megginson
2007-Jun-26 14:30 UTC
Re: [Fedora-directory-users] Re: Recurring NSS initialization failure...
Saied W. Andalib wrote:
> After the clean re-installation, I tried to do the setup, but, it fails
> with the same error:
>
> [slapd-dirs]: [26/Jun/2007:09:03:00 -0500] - SSL alert: Security
> Initialization: NSS initialization failed (Netscape Portable Runtime
> error -8174 - security library: bad database.):
> path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix:
> slapd-dirs-. [slapd-dirs]: [26/Jun/2007:09:03:00 -0500] - ERROR: NSS
> Initialization Failed. error:[26/Jun/2007:09:03:00 -0500] - ERROR: NSS
> Initialization\nFailed. system_errno:2

Try this as root:
cd /opt/fedora-ds/alias ; su fedora-ds -c "../shared/bin/certutil -N -d . -P slapd-dirs-"

> Where it hangs. The alias directory has only one entry:
>
> [root@dirs fedora-ds]# ls -al alias/
> total 268
> drwxr-xr-x 2 fedora-ds fedora-ds 4096 Jun 13 12:01 .
> drwxr-xr-x 15 root root 4096 Jun 26 09:03 ..
> -rwxr-xr-x 1 root root 247376 Nov 8 2006 libnssckbi.so
>
> It didn't create the other cert and key files under alias directory.
> Also, the admin-serv/config directory is empty!

Admin server depends on directory server to complete setup.

> That NSS Initialization failure (-8174) with "bad database" error
> prevents the setup from doing anything. Since, this is a fresh
> installation, I think the bad database error is probably somewhere
> outside the /opt/fedora-ds tree...!

No, it's not. There is something really weird going on. The system error above is 2, which is
#define ENOENT 2 /* No such file or directory */
I'm not sure what file or directory it is complaining about. The directory server is supposed to create the key/cert db if they do not exist. The directory names and permissions all look correct.

> I'm only guessing at this point;-)
> Any ideas as to where to look for any clues?!!!!
>
> SWA
Saied W. Andalib
2007-Jun-26 15:31 UTC
[Fedora-directory-users] Re: Recurring NSS initialization failure...
Richard,

Thanks for responding. I did the su fedora-ds, and got the following:

[root@dirs alias]# ls
libnssckbi.so
[root@dirs alias]# su fedora-ds -c "../shared/bin/certutil -N -d . -P slapd-dirs-"
../shared/bin/certutil: line 50: cd: ../shared/bin/../lib: Not a directory
../shared/bin/certutil: line 57: cd: /opt/fedora-ds/alias: Not a directory
Error opening input terminal for read
[root@dirs alias]#
[root@dirs alias]# ls ../shared/bin/../lib
libfreebl3.chk libicudata.so.34 libicuuc.so.34 libnspr4.so libplc4.so libprldap60.so libsoftokn3.chk libssl3.so
libfreebl3.so libicui18n.so.34 libldap60.so libnss3.so libplds4.so libsmime3.so libsoftokn3.so libssldap60.so

The ../shared/bin/../lib directory seems fine!

SWA
Richard Megginson
2007-Jun-26 15:41 UTC
Re: [Fedora-directory-users] Re: Recurring NSS initialization failure...
Saied W. Andalib wrote:
> Richard,
>
> Thanks for responding. I did the su fedora-ds, and got the following:
>
> [root@dirs alias]# ls
> libnssckbi.so
>
> [root@dirs alias]# su fedora-ds -c "../shared/bin/certutil -N -d . -P
> slapd-dirs-"
>
> ../shared/bin/certutil: line 50: cd: ../shared/bin/../lib:
> Not a directory ../shared/bin/certutil: line 57:
> cd: /opt/fedora-ds/alias: Not a directory Error opening input terminal
> for read

It's looking for a password - create a file with a dummy password e.g. /tmp/pwd.txt then pass that to certutil:
su fedora-ds -c "../shared/bin/certutil -N -d . -P slapd-dirs- -f /tmp/pwd.txt"
Make sure fedora-ds can read /tmp/pwd.txt

> [root@dirs alias]#
> [root@dirs alias]# ls ../shared/bin/../lib
> libfreebl3.chk libicudata.so.34 libicuuc.so.34 libnspr4.so
> libplc4.so libprldap60.so libsoftokn3.chk libssl3.so
> libfreebl3.so libicui18n.so.34 libldap60.so libnss3.so
> libplds4.so libsmime3.so libsoftokn3.so libssldap60.so
>
> The ../shared/bin/../lib directory seems fine!
>
> SWA
Saied W. Andalib
2007-Jun-26 16:02 UTC
[Fedora-directory-users] Re: Recurring NSS initialization failure...
The "su fedora-ds" with the "/tmp/pwd.txt" gave the same errors:

[root@dirs alias]# su fedora-ds -c "../shared/bin/certutil -N -d . -P slapd-dirs- -f /tmp/pwd.txt"
../shared/bin/certutil: line 50: cd: ../shared/bin/../lib: Not a directory
../shared/bin/certutil: line 57: cd: /opt/fedora-ds/alias: Not a directory
[root@dirs alias]#ll /tmp/pwd.txt
-rw-r--r-- 1 root root 52 Jun 26 10:55 /tmp/pwd.txt
[root@dirs alias]# ll
total 364
-rwxr-xr-x 1 root root 247376 Nov 8 2006 libnssckbi.so
-rw------- 1 fedora-ds fedora-ds 16384 Jun 26 10:56 secmod.db
-rw------- 1 fedora-ds fedora-ds 65536 Jun 26 10:56 slapd-dirs-cert8.db
-rw------- 1 fedora-ds fedora-ds 16384 Jun 26 10:56 slapd-dirs-key3.db

Something very unusual going on....!

SWA
Richard Megginson
2007-Jun-26 16:14 UTC
Re: [Fedora-directory-users] Re: Recurring NSS initialization failure...
Saied W. Andalib wrote:
> The "su fedora-ds" with the "/tmp/pwd.txt" gave the same errors:
>
> [root@dirs alias]# su fedora-ds -c "../shared/bin/certutil -N -d . -P
> slapd-dirs- -f /tmp/pwd.txt"
>
> ../shared/bin/certutil: line 50: cd: ../shared/bin/../lib: Not a
> directory
> ../shared/bin/certutil: line 57: cd: /opt/fedora-ds/alias: Not a
> directory
>
> [root@dirs alias]#ll /tmp/pwd.txt -rw-r--r-- 1 root root 52 Jun 26
> 10:55 /tmp/pwd.txt
>
> [root@dirs alias]# ll
> total 364
> -rwxr-xr-x 1 root root 247376 Nov 8 2006 libnssckbi.so
> -rw------- 1 fedora-ds fedora-ds 16384 Jun 26 10:56 secmod.db
> -rw------- 1 fedora-ds fedora-ds 65536 Jun 26 10:56 slapd-dirs-cert8.db
> -rw------- 1 fedora-ds fedora-ds 16384 Jun 26 10:56 slapd-dirs-key3.db
>
> Something very unusual going on....!

Can you start the directory server now?

> SWA
Saied W. Andalib
2007-Jun-26 16:25 UTC
Re: [Fedora-directory-users] Re: Recurring NSS initialization failure...
The directory server gives the same NSS error:

[root@dirs fedora-ds]# ./slapd-dirs/start-slapd
[26/Jun/2007:11:24:45 -0500] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix: slapd-dirs-.
[26/Jun/2007:11:24:45 -0500] - ERROR: NSS Initialization Failed.

SWA
Richard Megginson
2007-Jun-26 22:15 UTC
Re: [Fedora-directory-users] Re: Recurring NSS initialization failure...
Saied W. Andalib wrote:
> The directory server gives the same NSS error:
>
> [root@dirs fedora-ds]# ./slapd-dirs/start-slapd
> [26/Jun/2007:11:24:45 -0500] - SSL alert: Security Initialization: NSS
> initialization failed (Netscape Portable Runtime error -8174 - security
> library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix:
> slapd-dirs-, keydb prefix: slapd-dirs-. [26/Jun/2007:11:24:45 -0500] -
> ERROR: NSS Initialization Failed.

At this point I'm completely baffled. My suggestion would be to start the server using strace - edit the start-slapd shell script (make a copy of it first) and use
strace -o /tmp/trace.out ns-slapd .....
I don't know why this is still failing, even after you have created the key and cert dbs.

> SWA
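One way to search a trace file like the one suggested above for the failing lookup, shown as an added example that is not part of the thread: it lists only the file-related calls that failed with ENOENT, ENOTDIR or EACCES. The function names and the sample trace lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise failed path lookups in a log written with: strace -o FILE ...
# Prints "ERRNO syscall path" for every call that failed with ENOENT,
# ENOTDIR or EACCES (system_errno:2 in the server log is ENOENT).
# Usage: failed_paths /tmp/trace.out /opt/fedora-ds
failed_paths() {
    # $1 = strace output file, $2 = optional path prefix to restrict to
    awk -v prefix="${2:-}" '
        / = -1 (ENOENT|ENOTDIR|EACCES) / {
            line = $0
            sub(/^[0-9]+ +/, "", line)               # pid column added by strace -f
            if (match(line, /"[^"]*"/) == 0) next    # call has no path argument
            path = substr(line, RSTART + 1, RLENGTH - 2)
            if (prefix != "" && index(path, prefix) != 1) next
            call = line; sub(/[(].*/, "", call)      # syscall name
            err = line; sub(/.* = -1 /, "", err); sub(/ .*/, "", err)
            print err, call, path
        }' "$1"
}

# Constructed sample lines in strace format (not output from the thread).
sample_trace() {
    cat <<'EOF'
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/fedora-ds/shared/lib/libnss3.so", O_RDONLY) = 3
stat64("/opt/fedora-ds/alias", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/opt/fedora-ds/alias/slapd-dirs-cert8.db", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
access("/opt/fedora-ds/alias/secmod.db", R_OK) = -1 EACCES (Permission denied)
EOF
}
```

Restricting the output to the installation prefix removes the routine ENOENT noise from library and locale probing that every process produces at start-up.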
Saied W. Andalib
2007-Jun-28 16:11 UTC
[Fedora-directory-users] Recurring NSS initialization failure...
Thanks Richard for replying.

I actually did the strace on slapd a while ago and it went through with a lot of info and at the end it put out the same NSS error message! One thing I noticed was that when I did a clean re-installation followed by the setup, when I picked the user and group root instead of fedora-ds, the start-slapd started as root without any problem! However, the httpd wouldn't start. If however, during the setup, I pick any other non-root user, say, fedora-ds for the directory server, the setup would fail with NSS error, at that point it would hang!

If I do the setup as fedora-ds user, it goes through fine. Everything works ok. So, after that, I did a clean re-installation as root, and did the setup as recommended by the documentation -- the directory server runs as user/group fedora-ds as it supposed to. So, now, the directory server runs fine. The admin-server, however gives the PSET failure error. On the other hand, if I start the admin server as fedora-ds user: (e.g., su fedora-ds ./start-admin), then, it starts without any problem! This is one of those weird cases that has been baffling! So, at this point I'm not sure the cause of the PSET error.

On a side note, I had similar question asked by Thomas King on how to create users outside the NetscapeRoot branch via the "User and Group" tab in the management Console. I noticed you mentioned selecting "Change Directory" after going to the user menu. I tried that, but, I don't seem to have the "Change Directory" option anywhere on the menu. I'm running FDS-1.0.4 on RHEL5.

Thanks,

SWA

SWA
Richard Megginson
2007-Jun-28 16:23 UTC
Re: [Fedora-directory-users] Recurring NSS initialization failure...
Saied W. Andalib wrote:
> Thanks Richard for replying.
> I actually did the strace on slapd a while ago and it went through with
> a lot of info and at the end it put out the same NSS error message!

There might be a clue buried in the strace output that would shed some light on this problem.

> One
> thing I noticed was that when I did a clean re-installation followed by
> the setup,

When you say "clean re-installation" do you mean rm -rf /opt/fedora-ds?

> when I picked the user and group root instead of fedora-ds,
> the start-slapd started as root without any problem! However, the httpd
> wouldn't start. If however, during the setup, I pick any other non-root
> user, say, fedora-ds for the directory server, the setup would fail
> with NSS error, at that point it would hang!
>
> If I do the setup as fedora-ds user, it goes through fine. Everything
> works ok. So, after that, I did a clean re-installation as root, and did
> the setup as recommended by the documentation -- the directory server
> runs as user/group fedora-ds as it supposed to. So, now, the directory
> server runs fine. The admin-server, however gives the PSET failure
> error. On the other hand, if I start the admin server as fedora-ds user:
> (e.g., su fedora-ds ./start-admin), then, it starts without any problem!
> This is one of those weird cases that has been baffling!
> So, at this point I'm not sure the cause of the PSET error.

Probably a permissions problem in admin-serv/config - local.conf, adm.conf, admpw, and console.conf must be owned by the admin server user and must be writable. The directory admin-serv/config must be owned by the admin server user and be writable.

> On a side note, I had similar question asked by Thomas King on how to
> create users outside the NetscapeRoot branch via the "User and Group"
> tab in the management Console. I noticed you mentioned selecting
> "Change Directory" after going to the user menu.
> I tried that, but, I
> don't seem to have the "Change Directory" option anywhere on the menu.
> I'm running FDS-1.0.4 on RHEL5.

?

> Thanks,
>
> SWA
>
> SWA
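The ownership and write-permission conditions listed in the reply above can be checked in one pass. This is an added example, not part of the thread or of Fedora DS; the function name is hypothetical, and the full path /opt/fedora-ds/admin-serv/config in the usage comment is assumed from the paths shown in the thread.

```shell
#!/bin/sh
# Check admin-serv/config and the four files named in the reply above:
# each must exist, be owned by the admin server user and carry the
# owner write bit. Prints one line per problem; returns 0 if none found.
# Usage (path assumed): check_admin_config /opt/fedora-ds/admin-serv/config fedora-ds
check_admin_config() {
    dir=$1 user=$2 bad=0
    for p in "$dir" "$dir/local.conf" "$dir/adm.conf" "$dir/admpw" "$dir/console.conf"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            bad=1
            continue
        fi
        # ls -ld prints "mode links owner group ..."; keep mode and owner
        info=$(ls -ld "$p" | awk '{print $1, $3}')
        mode=${info% *}
        owner=${info#* }
        [ "$owner" = "$user" ] || {
            echo "WRONG-OWNER $p (owner $owner, expected $user)"
            bad=1
        }
        # third character of the mode string is the owner write bit
        case $mode in
            ??w*) ;;
            *) echo "NOT-WRITABLE $p (mode $mode)"; bad=1 ;;
        esac
    done
    return $bad
}
```

The check reads the mode bits rather than testing write access, so it gives the same answer when run as root as it would for the admin server user.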
Saied W. Andalib
2007-Jun-28 20:32 UTC
[Fedora-directory-users] Creating new unix/posix user accounts
I wonder if it's possible to create new unix/posix user accounts on the management Console via the "Users and Groups" Tab. It seems in order to create a new user account from the drop down menu at the bottom of the Console, the only allowable "dn:" entries are under the o=NetscapeRoot branch. Even when new root suffixes are created, they never seem to show up in the "Users and Groups"->"Create User" menu options.

SWA