matt4 Trusted Contributor.
Trusted Contributor.
1075 views

NMAS -16050 When Setting Password

I got a real odd one here. Started getting reports that admins trying to set user passwords in iManager were getting -632 errors and the passwords would not set.
So I took a look and watched NMAS trace and I see this:

ERROR: -16050 GetXKeyFromValues: DAL_getValueData (key)
ERROR: -16050 Failed set password for CN=XXXXXXX

It's not clear to me what that error means. So I used rmupwd and removed the user's universal password, which said it was successful.
But I still get the same error when I try and set the user's password.

So I created a new password policy, just a basic one, and assigned the user to it. Same problem.

No matter what I do, I cannot set passwords for several users. They all get this same error.

The tree is all eDir 9.1.1 (1 SLES and 3 RedHat servers).

I thought maybe there was an odd NMAS issue going on so I removed all the old/obsolete login sequences and methods (this tree has been around a long long time).

I also checked the SDI Tree key with sdidiag and it looks fine, all 4 servers are key server and all 4 have all the keys.

I also ran local DB repairs on each server, nothing but a few object timestamp errors.


I'm stumped.

Any ideas?

Matt
Labels (1)
0 Likes
7 Replies
matt4 Trusted Contributor.
Trusted Contributor.

Re: NMAS -16050 When Setting Password

matt;2486068 wrote:
I got a real odd one here. Started getting reports that admins trying to set user passwords in iManager were getting -632 errors and the passwords would not set.
So I took a look and watched NMAS trace and I see this:

ERROR: -16050 GetXKeyFromValues: DAL_getValueData (key)
ERROR: -16050 Failed set password for CN=XXXXXXX

It's not clear to me what that error means. So I used rmupwd and removed the user's universal password, which said it was successful.
But I still get the same error when I try and set the user's password.

So I created a new password policy, just a basic one, and assigned the user to it. Same problem.

No matter what I do, I cannot set passwords for several users. They all get this same error.

The tree is all eDir 9.1.1 (1 SLES and 3 RedHat servers).

I thought maybe there was an odd NMAS issue going on so I removed all the old/obsolete login sequences and methods (this tree has been around a long long time).

I also checked the SDI Tree key with sdidiag and it looks fine, all 4 servers are key server and all 4 have all the keys.

I also ran local DB repairs on each server, nothing but a few object timestamp errors.


I'm stumped.

Any ideas?

Matt



I'm not sure why this keeps happening, but I figured out how to fix it on a user by user basis. I was using the -pwd switch for rmupwd. I tried the -all switch and it removed the password.


Anyone know what exactly a 16050 NMAS error is? Or how I can globally fix this?

Matt
0 Likes
Knowledge Partner
Knowledge Partner

Re: NMAS -16050 When Setting Password

On 8/20/2018 2:44 PM, matt wrote:
>
> I got a real odd one here. Started getting reports that admins trying
> to set user passwords in iManager were getting -632 errors and the
> passwords would not set.
> So I took a look and watched NMAS trace and I see this:
>
> ERROR: -16050 GetXKeyFromValues: DAL_getValueData (key)
> ERROR: -16050 Failed set password for CN=XXXXXXX


Hard to find the 16050 in the docs:
https://www.novell.com/documentation/developer/nmas/nmas_enu/data/nmas_enu.html


-16050
0xFFFFC14E
NMAS_E_NO_MORE_ENTRY_ATTRIBUTES
All of the attributes values have been returned to the calling routine.

> It's not clear to me what that error means. So I used rmupwd and removed
> the user's universal password, which said it was successful.
> But I still get the same error when I try and set the user's password.



I would try Jim Willeke's dump UP (or Alekz' console2 (sneakycat.biz to
download) which implements it as well) and see what the user looks like
in that view.

DumpUP:
https://ldapwiki.com/Wiki.jsp?page=DumpEdirectoryPasswordInformationTool


> So I created a new password policy, just a basic one, and assigned the
> user to it. Same problem.
>
> No matter what I do, I cannot set passwords for several users. They all
> get this same error.
>
> The tree is all eDir 9.1.1 (1 SLES and 3 RedHat servers).
>
> I thought maybe there was an odd NMAS issue going on so I removed all
> the old/obsolete login sequences and methods (this tree has been around
> a long long time).
>
> I also checked the SDI Tree key with sdidiag and it looks fine, all 4
> servers are key server and all 4 have all the keys.
>
> I also ran local DB repairs on each server, nothing but a few object
> timestamp errors.
>
>
> I'm stumped.
>
> Any ideas?
>
> Matt
>
>


0 Likes
matt4 Trusted Contributor.
Trusted Contributor.

Re: NMAS -16050 When Setting Password

geoffc;2486073 wrote:
On 8/20/2018 2:44 PM, matt wrote:
>
> I got a real odd one here. Started getting reports that admins trying
> to set user passwords in iManager were getting -632 errors and the
> passwords would not set.
> So I took a look and watched NMAS trace and I see this:
>
> ERROR: -16050 GetXKeyFromValues: DAL_getValueData (key)
> ERROR: -16050 Failed set password for CN=XXXXXXX


Hard to find the 16050 in the docs:
https://www.novell.com/documentation/developer/nmas/nmas_enu/data/nmas_enu.html


-16050
0xFFFFC14E
NMAS_E_NO_MORE_ENTRY_ATTRIBUTES
All of the attributes values have been returned to the calling routine.

> It's not clear to me what that error means. So I used rmupwd and removed
> the user's universal password, which said it was successful.
> But I still get the same error when I try and set the user's password.



I would try Jim Willeke's dump UP (or Alekz' console2 (sneakycat.biz to
download) which implements it as well) and see what the user looks like
in that view.

DumpUP:
https://ldapwiki.com/Wiki.jsp?page=DumpEdirectoryPasswordInformationTool


> So I created a new password policy, just a basic one, and assigned the
> user to it. Same problem.
>
> No matter what I do, I cannot set passwords for several users. They all
> get this same error.
>
> The tree is all eDir 9.1.1 (1 SLES and 3 RedHat servers).
>
> I thought maybe there was an odd NMAS issue going on so I removed all
> the old/obsolete login sequences and methods (this tree has been around
> a long long time).
>
> I also checked the SDI Tree key with sdidiag and it looks fine, all 4
> servers are key server and all 4 have all the keys.
>
> I also ran local DB repairs on each server, nothing but a few object
> timestamp errors.
>
>
> I'm stumped.
>
> Any ideas?
>
> Matt
>
>



I tried DumpUP, but it just ends up in an endless loop for me:

No Error
DumpSvc is still working

I just get that over and over forever. Does it work with eDir 9.1.1?
0 Likes
Knowledge Partner
Knowledge Partner

Re: NMAS -16050 When Setting Password

>
> I'm stumped.
>
> Any ideas?


Actually, yes. I have found that I can inadvertently corrupt the
sasLOginConfigurationKey attributes on a user. There are 4 sasLogin*
attributes, and I find on problem users, deleting them can help it work.

Note: this throws away Secret Store, NMAS Challenge/Response, Simple
Password and anything else NMAS encrypts, but NOT the Universal nor
distribution password.

(I know that the 600K Java based lDAP app I like, LBE will ruin the
sasLogin* attributes if you write to a user who has them populated.

0 Likes
matt4 Trusted Contributor.
Trusted Contributor.

Re: NMAS -16050 When Setting Password

geoffc;2486074 wrote:
>
> I'm stumped.
>
> Any ideas?


Actually, yes. I have found that I can inadvertently corrupt the
sasLOginConfigurationKey attributes on a user. There are 4 sasLogin*
attributes, and I find on problem users, deleting them can help it work.

Note: this throws away Secret Store, NMAS Challenge/Response, Simple
Password and anything else NMAS encrypts, but NOT the Universal nor
distribution password.

(I know that the 600K Java based lDAP app I like, LBE will ruin the
sasLogin* attributes if you write to a user who has them populated.


Ok, I fixed all the broken users with rmupwd so far. On the next one I'll try just wiping out the sasLogin attrs and see what happens.

Matt
0 Likes
matt4 Trusted Contributor.
Trusted Contributor.

Re: NMAS -16050 When Setting Password

geoffc;2486074 wrote:
>
> I'm stumped.
>
> Any ideas?


Actually, yes. I have found that I can inadvertently corrupt the
sasLOginConfigurationKey attributes on a user. There are 4 sasLogin*
attributes, and I find on problem users, deleting them can help it work.

Note: this throws away Secret Store, NMAS Challenge/Response, Simple
Password and anything else NMAS encrypts, but NOT the Universal nor
distribution password.

(I know that the 600K Java based lDAP app I like, LBE will ruin the
sasLogin* attributes if you write to a user who has them populated.


Deleting just the sas:Login Configuration Key did the trick!

Matt
0 Likes
Knowledge Partner
Knowledge Partner

Re: NMAS -16050 When Setting Password

On 8/20/2018 6:54 PM, matt wrote:
>
> geoffc;2486074 Wrote:
>>>
>>> I'm stumped.
>>>
>>> Any ideas?

>>
>> Actually, yes. I have found that I can inadvertently corrupt the
>> sasLOginConfigurationKey attributes on a user. There are 4 sasLogin*
>> attributes, and I find on problem users, deleting them can help it
>> work.
>>
>> Note: this throws away Secret Store, NMAS Challenge/Response, Simple
>> Password and anything else NMAS encrypts, but NOT the Universal nor
>> distribution password.
>>
>> (I know that the 600K Java based lDAP app I like, LBE will ruin the
>> sasLogin* attributes if you write to a user who has them populated.

>
> Deleting just the sas:Login Configuration Key did the trick!


You might see a 618 error in User App when you try to change the
password in these error states as well.

I expect the -all clears those attributes for you.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.