Tag: Computer access control

ERROR: -16049Failed to retrieve data in login config with tag: ChallengeResponseQuestions

ERROR: -16060Failed to decrypt password history value

ERROR: -16060Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB

-160490xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does notexist on the specified object.

-160600xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2from any previous version and the tree has any users with Universal Passwordencrypted with DES tree key, then for such users login or password change mightfail with this error.

NOTE2: In some cases a customer may be on a pure 9.x environment and want to upgrade to a 3DES key. eDirectory 9.x’s sdidiag will only generate AES tree keys. However, there is a manual workaround:

Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.

Option 2: Force a server holding root to think there are no tree keys.

a. On every server holding a copy of root perform: ndstrace -c “unload niciext”

b. On one of these servers, move the /var/opt/novell/nici/0/nicisdi.key and /var/opt/novell/nici/0/backup to a safe place.

c. For that same server remove all it’s rights to the W0 object.

d. Have two shells open: one to run ndstrace with the +nici flag and another to reload niciext on that same server: ndstrace -c “load niciext”.

You should see in the shell running ndstrace that no tree key is found and a new 3DES key is created. Give the server RW and all attribute rights to the W0 object and unload, reload niciext once again. Now load niciext on the other servers holding root. At this point the old 56 bit and the new 3DES key will be synch’d across the servers.

ERROR: -16049Failed to retrieve data in login config with tag: ChallengeResponseQuestions

ERROR: -16060Failed to decrypt password history value

ERROR: -16060Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB

-160490xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does notexist on the specified object.

-160600xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2from any previous version and the tree has any users with Universal Passwordencrypted with DES tree key, then for such users login or password change mightfail with this error.

NOTE2: In some cases a customer may be on a pure 9.x environment and want to upgrade to a 3DES key. eDirectory 9.x’s sdidiag will only generate AES tree keys. However, there is a manual workaround:

Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.

Option 2: Force a server holding root to think there are no tree keys.

a. On every server holding a copy of root perform: ndstrace -c “unload niciext”

b. On one of these servers, move the /var/opt/novell/nici/0/nicisdi.key and /var/opt/novell/nici/0/backup to a safe place.

c. For that same server remove all it’s rights to the W0 object.

d. Have two shells open: one to run ndstrace with the +nici flag and another to reload niciext on that same server: ndstrace -c “load niciext”.

You should see in the shell running ndstrace that no tree key is found and a new 3DES key is created. Give the server RW and all attribute rights to the W0 object and unload, reload niciext once again. Now load niciext on the other servers holding root. At this point the old 56 bit and the new 3DES key will be synch’d across the servers.

ERROR: -16049Failed to retrieve data in login config with tag: ChallengeResponseQuestions

ERROR: -16060Failed to decrypt password history value

ERROR: -16060Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB

-160490xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does notexist on the specified object.

-160600xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2from any previous version and the tree has any users with Universal Passwordencrypted with DES tree key, then for such users login or password change mightfail with this error.

NOTE2: In some cases a customer may be on a pure 9.x environment and want to upgrade to a 3DES key. eDirectory 9.x’s sdidiag will only generate AES tree keys. However, there is a manual workaround:

Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.

Option 2: Force a server holding root to think there are no tree keys.

a. On every server holding a copy of root perform: ndstrace -c “unload niciext”

b. On one of these servers, move the /var/opt/novell/nici/0/nicisdi.key and /var/opt/novell/nici/0/backup to a safe place.

c. For that same server remove all it’s rights to the W0 object.

d. Have two shells open: one to run ndstrace with the +nici flag and another to reload niciext on that same server: ndstrace -c “load niciext”.

You should see in the shell running ndstrace that no tree key is found and a new 3DES key is created. Give the server RW and all attribute rights to the W0 object and unload, reload niciext once again. Now load niciext on the other servers holding root. At this point the old 56 bit and the new 3DES key will be synch’d across the servers.

ERROR: -16049Failed to retrieve data in login config with tag: ChallengeResponseQuestions

ERROR: -16060Failed to decrypt password history value

ERROR: -16060Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB

-160490xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does notexist on the specified object.

-160600xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2from any previous version and the tree has any users with Universal Passwordencrypted with DES tree key, then for such users login or password change mightfail with this error.

NOTE2: In some cases a customer may be on a pure 9.x environment and want to upgrade to a 3DES key. eDirectory 9.x’s sdidiag will only generate AES tree keys. However, there is a manual workaround:

Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.

Option 2: Force a server holding root to think there are no tree keys.

a. On every server holding a copy of root perform: ndstrace -c “unload niciext”

b. On one of these servers, move the /var/opt/novell/nici/0/nicisdi.key and /var/opt/novell/nici/0/backup to a safe place.

c. For that same server remove all it’s rights to the W0 object.

d. Have two shells open: one to run ndstrace with the +nici flag and another to reload niciext on that same server: ndstrace -c “load niciext”.

You should see in the shell running ndstrace that no tree key is found and a new 3DES key is created. Give the server RW and all attribute rights to the W0 object and unload, reload niciext once again. Now load niciext on the other servers holding root. At this point the old 56 bit and the new 3DES key will be synch’d across the servers.

ERROR: -16049Failed to retrieve data in login config with tag: ChallengeResponseQuestions

ERROR: -16060Failed to decrypt password history value

ERROR: -16060Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB

-160490xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does notexist on the specified object.

-160600xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2from any previous version and the tree has any users with Universal Passwordencrypted with DES tree key, then for such users login or password change mightfail with this error.

NOTE2: In some cases a customer may be on a pure 9.x environment and want to upgrade to a 3DES key. eDirectory 9.x’s sdidiag will only generate AES tree keys. However, there is a manual workaround:

Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.

Option 2: Force a server holding root to think there are no tree keys.

a. On every server holding a copy of root perform: ndstrace -c “unload niciext”

b. On one of these servers, move the /var/opt/novell/nici/0/nicisdi.key and /var/opt/novell/nici/0/backup to a safe place.

c. For that same server remove all it’s rights to the W0 object.

d. Have two shells open: one to run ndstrace with the +nici flag and another to reload niciext on that same server: ndstrace -c “load niciext”.

You should see in the shell running ndstrace that no tree key is found and a new 3DES key is created. Give the server RW and all attribute rights to the W0 object and unload, reload niciext once again. Now load niciext on the other servers holding root. At this point the old 56 bit and the new 3DES key will be synch’d across the servers.

ERROR: -16049Failed to retrieve data in login config with tag: ChallengeResponseQuestions

ERROR: -16060Failed to decrypt password history value

ERROR: -16060Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB

-160490xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does notexist on the specified object.

-160600xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2from any previous version and the tree has any users with Universal Passwordencrypted with DES tree key, then for such users login or password change mightfail with this error.

NOTE2: In some cases a customer may be on a pure 9.x environment and want to upgrade to a 3DES key. eDirectory 9.x’s sdidiag will only generate AES tree keys. However, there is a manual workaround:

Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.

Option 2: Force a server holding root to think there are no tree keys.

a. On every server holding a copy of root perform: ndstrace -c “unload niciext”

b. On one of these servers, move the /var/opt/novell/nici/0/nicisdi.key and /var/opt/novell/nici/0/backup to a safe place.

c. For that same server remove all it’s rights to the W0 object.

d. Have two shells open: one to run ndstrace with the +nici flag and another to reload niciext on that same server: ndstrace -c “load niciext”.

You should see in the shell running ndstrace that no tree key is found and a new 3DES key is created. Give the server RW and all attribute rights to the W0 object and unload, reload niciext once again. Now load niciext on the other servers holding root. At this point the old 56 bit and the new 3DES key will be synch’d across the servers.

ERROR: -16049Failed to retrieve data in login config with tag: ChallengeResponseQuestions

ERROR: -16060Failed to decrypt password history value

ERROR: -16060Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB

-160490xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does notexist on the specified object.

-160600xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2from any previous version and the tree has any users with Universal Passwordencrypted with DES tree key, then for such users login or password change mightfail with this error.

NOTE2: In some cases a customer may be on a pure 9.x environment and want to upgrade to a 3DES key. eDirectory 9.x’s sdidiag will only generate AES tree keys. However, there is a manual workaround:

Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.

Option 2: Force a server holding root to think there are no tree keys.

a. On every server holding a copy of root perform: ndstrace -c “unload niciext”

b. On one of these servers, move the /var/opt/novell/nici/0/nicisdi.key and /var/opt/novell/nici/0/backup to a safe place.

c. For that same server remove all it’s rights to the W0 object.

d. Have two shells open: one to run ndstrace with the +nici flag and another to reload niciext on that same server: ndstrace -c “load niciext”.

You should see in the shell running ndstrace that no tree key is found and a new 3DES key is created. Give the server RW and all attribute rights to the W0 object and unload, reload niciext once again. Now load niciext on the other servers holding root. At this point the old 56 bit and the new 3DES key will be synch’d across the servers.