AFP fails to configure on OES Linux while other services configure without incident

  • 7004108
  • 05-Aug-2009
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux

Situation

While configuring Open Enterprise Server components, AFP fails to pull up password policies and then fails the rest of its configuration: it cannot add the proxy user to the password policy as a user that has permission to retrieve passwords, and it does not set up CASA credentials correctly.  DNS, DHCP, CIFS, and other services configure without incident.  Every server in the tree exhibits the same behavior.
 
YaST errors include the following:
ERROR:  There are no password policies currently defined in eDirectory.  To associate policies to users, please re-configure AFP later using YaST after adding password policies and users to eDirectory.  Afp configuration will continue.
ERROR:  Unable to set user cn=username,o=mycontext as reader of passwords. Error: 32
ERROR:  Could not configure Novell AFP Services due to a configuration script error.
 
 

Resolution

The admin user's password for the tree contained non-alphanumeric characters (such as $ and !) which were NOT being interpreted correctly by YaST.  Although the same admin user and password were used to configure other services without incident, the configuration of AFP failed.
 
Resolving this issue requires the latest patches for the system.  At the time of this writing (Aug 5, 2009) the patch has not yet been publicly released.  Be sure to apply the latest patches for both AFP and YaST.
 
Workaround: 
Change the admin password so that it includes only alphanumeric characters (a-z, A-Z, 0-9), at least until the appropriate patch is released and applied.
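
An added illustration, not Novell's code, of one way characters such as $ can be altered before a helper script receives them: a command line assembled by string concatenation and handed to a shell. That this is the mechanism behind the YaST defect is an assumption; unquoted_call, quoted_call, sh_quote, is_alnum_only and the sample password are constructed for this example.

```shell
#!/bin/sh
# Added illustration; not taken from YaST or the AFP helper scripts.

# BROKEN form: the argument is pasted into a command string unquoted, so the
# child shell re-parses it. Only call this with the constructed sample below.
unquoted_call() {
    sh -c "printf '%s' $1"
}

# Wrap a value in single quotes, escaping embedded single quotes as '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# CORRECTED form: the value is quoted before it is pasted into the string.
quoted_call() {
    sh -c "printf '%s' $(sh_quote "$1")"
}

# Workaround check from the article: succeeds only for a-z, A-Z, 0-9.
is_alnum_only() {
    case $1 in
        ''|*[!a-zA-Z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

SAMPLE_PW='N0vell$1!'   # constructed sample, not a real credential

# In this non-interactive sh only the "$1" sequence is expanded by the child.
printf 'sent:      %s\n' "$SAMPLE_PW"
printf 'unquoted:  %s\n' "$(unquoted_call "$SAMPLE_PW")"
printf 'quoted:    %s\n' "$(quoted_call "$SAMPLE_PW")"
if is_alnum_only "$SAMPLE_PW"; then
    echo 'meets the alphanumeric-only workaround'
else
    echo 'contains non-alphanumeric characters'
fi
```

A password that reaches the LDAP bind in altered form is rejected the same way a wrong password is, which matches the "ldap_bind: Invalid credentials" (-669) entry in y2log.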

Bug Number

528254

Additional Information

y2log errors include the following:
[YCP] NovellAfp.ycp:352 novellafp.CreatePasswordPolicy:executing:/opt/novell/afptcpd/bin/create_afp_proxypolicy.sh 'AFP Default Policy' 'cn=admin,o=mycontext' **** 192.168.2.2 636
[bash] ShellCommand.cc(shellcommand):78 ldap_bind: Invalid credentials
[bash] ShellCommand.cc(shellcommand):78 additional info: NDS error: failed authentication (-669)
[YCP] NovellAfp.ycp:354 novellafp.CreatePasswordPolicy:Returned: $["exit":0, "stderr":"ldap_bind: Invalid credentials\n\tadditional info: NDS error: failed authentication (-669)\n", "stdout":""]
[YCP] NovellAfp.ycp:167 NovellAfp:admin:cn=admin,o=mycontext
[YCP] NovellAfp.ycp:437 novellafp.SetUserAsReader:executing:/opt/novell/afptcpd/bin/allow_userread_pwpolicies.sh 'cn=admin,o=mycontext' '****' 'cn=MyProxyUser,o=mycontext' 192.168.2.2 636 'cn=AFP Default Policy,cn=Password Policies,cn=Security'
[bash] ShellCommand.cc(shellcommand):78 ldap_modify: No such object
[bash] ShellCommand.cc(shellcommand):78 matched DN: "cn=Password Policies,cn=Security"
[bash] ShellCommand.cc(shellcommand):78 additional info: NDS error: no such entry (-601)
[bash] ShellCommand.cc(shellcommand):78 ldif_record() = 32
[YCP] NovellAfp.ycp:439 novellafp.SetUserAsReader:Returned: $["exit":32, "stderr":"ldap_modify: No such object\n\tmatched DN: \"cn=Password Policies,cn=Security\"\n\tadditional info: NDS error: no such entry (-601)\nldif_record() = 32\n", "stdout":"cn=AFP Default Policy,cn=Password Policies,cn=Security\n\nmodifying entry \"cn=AFP Default Policy,cn=Password Policies,cn=Security\"\n\n"]
[YCP] NovellAfp.ycp:708 Warning: Could not configure Novell AFP Services due to a configuration script error.
[YCP] Report.ycp:484 Could not configure Novell AFP Services due to a configuration script error.
 
/var/log/afptcpd/afptcp.log contains the following:
afptcpd[5733]: Configuration File: Number of minimum of threads set to 3
afptcpd[5733]: Configuration file: Maximum number of threads set to 32
afptcpd[5733]: Configuration file has max reconnect period set to 1440 minutes
afptcpd[5733]: Configuration has ALL AFP versions support (2.2, 3.0, 3.1) set.
afptcpd[5733]: Configuration file has sharing-from-mac set to 'all'.
afptcpd[5733]: Configuration file has cross protocol locks enabled.
afptcpd[5733]: Configuration file has AUDIT enabled.
afptcpd[5750]: Filling up serverip 192.168.2.2
afptcpd[5750]: Failed to read proxy user credentials. Ensure CASA is running and AFP casa entry is updated. Error: -802
afptcpd[5750]: Unable to authenticate with AFP proxy user 1 <1>