Regular Contributor.

imanager Login Error -255

Recently, Micro Focus remoted in to fix our Tree keys.  They had a 56 bit DES key which caused issues with eDirectory 9.2.  It was a long night and I thank them!!

Afterwards I am not able to log into iManager on one of my servers.  I receive the following error:

(Error-255)Multiple meaning error message for error code -255.

I cannot login (NDS) on the server either.  Same error.

I use the IP address of the server.  If I enter a different server's IP address I can login successfully.

We use UP and everything is configured correctly according to MF.

They took this server's DIB and could not replicate in their environment.  They said it must be an OS issue.  SLES 12 sp3.  (Yes, we are planning to upgrade soon.)

This server is currently eDir 9.1.1 40102.29 and they have told me I can now upgrade to eDirectory 9.2SP1.

Will I be able to login to perform the upgrade?

Any idea of the cause of the -255 error?  It only started after they revoked the 56 DES key and added the 168 bit key.

Thank you!

 

Knowledge Partner

Re: imanager Login Error -255

Out of the blue: this would e.g. happen if an old key (which was used for your password) would have been deleted (as opposed to "revoked") on a given box. sdidiag would show you this. Is the instance in question a sdikeyserver? Could you try to create a dummy userobject with a "fresh" password and check the login with it?

 

Regular Contributor.

Re: imanager Login Error -255

I deleted via an LDIF file all users' SAS:Login Configuration key after the key was revoked.  Thus they received a new key upon next login.

Yes, I have tried this with a new user.  Same issue.

A real head scratcher for sure.

Knowledge Partner

Re: imanager Login Error -255

Deleting "SAS:Login Configuration key" does not affect the UP itself. It affects e.g. simple password and all sorts of challenge / response stuff. With SDI key inconsistencies it makes a huge difference which server a password change is written against. In testing I'd change a password per ldif which gives you better control regarding this.

 

Regular Contributor.

Re: imanager Login Error -255

Micro Focus had me delete the SAS:Login Configuration key via ldif.

I just changed a PW with an ldif file.  Same error.

Knowledge Partner

Re: imanager Login Error -255

Well, deleting this attribute does not delete the UP.

You'll find sdidiag and the UP removal tool here:

https://download.novell.com/patch/finder/#bu=novell&bu=netiq&bu=suse&familyId=112&productId=66347&dateRange=&startDate=&endDate=&priority=&architecture=&keywords=&xf=112

Sorry in advance if you've already done so, but the former will give you a comprehensive view about the keys and their state while the latter lets you remove password related attributes in a granular way (or with a tough strike, if you prefer). Does ndslogin give you the same error? Does the server in question hold (writable) replicas of the security container and the container of the user object?

Regular Contributor.

Re: imanager Login Error -255

Micro Focus followed this procedure with rmupwd.

ndslogin gives me the same -255 error.

This server is the Master and has a replica of the user container.

Security container is not partitioned and MF said that is OK.

Told you this was a head scratcher.

I'll be updating this server to eDir 9.2SP1 in a few weeks.  Currently 9.1.1 40102.29.  I'll also be patching the OS.  Just maybe this will fix the -255 error.

Knowledge Partner

Re: imanager Login Error -255

Could you check with sdidiag? You'll have to login with full context including treename, e.g. as

.admin.org.tree

Output of "ls", "lk" and "ck" would be sufficient in the first place. You can also run a check with diagpwd for your testuser against all the replicas and check for discrepancies.

 

 

Regular Contributor.

Re: imanager Login Error -255

Will do later this week.  Have some pending issues to work on.

Thank you again!

Regular Contributor.

Re: imanager Login Error -255

I could not get diagpwd to work.

Below is the output of sdidiag.  The same error when I try an nds login to this server.  Research says to upgrade eDirectory on this server.  I plan to upgrade all servers from eDir 9.1 to eDir 9.2SP1 this weekend.  One of the servers is already on eDir 9.2.  Hopefully I will be able to log into the server that gives me the -255 error when installing the eDir upgrade.  If not I have no idea how to upgrade that server.

LK:
Displaying keys on .server1.xxxx.xxxxxxxx.
Server : .server1.xxxx.xxxxxxxx.
display on .server1.xxxx.xxxxxxxx.: [FAILED] rc=-255

LS:
Lists all three servers

CK:
SDI Domain Key Server .server1.xxxx.xxxxxxxx.
- could not be checked. (error = -255)
[Checking SDI Domain: PROBLEMS]

*** THERE ARE PROBLEMS! ***

*** [Key Consistency Check - END] ***
Error -255

 

Thank you!!

 

Knowledge Partner

Re: imanager Login Error -255

So it looks like whatever your iManager issue is, it is similarly affecting SDI diag, so it cannot login to work.

Can you LDAP bind to the server?  If not, enable ndstrace with +LDAP and login and let's see what the error is, perhaps there is another error that is below/hidden by the surfaced 255 error.

Knowledge Partner

Re: imanager Login Error -255

Another option is the throw-everything-at-the-wall, hoping-something-sticks approach.

Like there is a set dstrace=NODEBUG and there is an opposite I forget which is all options enabled, write it to a file, and then test iMan, SDI and LDAP binds, then stop logging to a file, since it will be monstrously huge, then look for any error that comes up.  There will be tons of missing attributes (603) that are mostly ignorable, except when they actually matter.  (I.e. edir checks for an attr, 603 not found, no biggy, but sometimes the issue is the missing attr).

 

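An added example, not part of the thread: a small Python triage for the capture-everything trace described in the last reply. It tallies negative error codes in a saved trace file, sets -603 aside as noise while still counting it, and lists the remaining codes rarest first with the line where each first appears. The sample lines and the matched line format are constructed for illustration; real ndstrace output may differ, so adjust the regex to what the file actually contains.

```python
import re
from collections import Counter

# A negative 3-4 digit code preceded by "(", "=", ":" or whitespace,
# e.g. "(-603)", "rc=-255", "error = -255". Assumed format, not a spec.
CODE_RE = re.compile(r"(?<=[(=:\s])-(\d{3,4})\b")

def triage_trace(lines, noisy=(-603,)):
    """Count every error code; remember where each non-noisy code first appears."""
    counts, first_seen = Counter(), {}
    for lineno, line in enumerate(lines, 1):
        for m in CODE_RE.finditer(line):
            code = -int(m.group(1))
            counts[code] += 1  # noisy codes are counted too, never discarded
            if code not in noisy:
                first_seen.setdefault(code, (lineno, line.strip()))
    return counts, first_seen

def report(lines, noisy=(-603,)):
    """Non-noisy codes, rarest first: (code, count, first line no., first line)."""
    counts, first_seen = triage_trace(lines, noisy)
    return sorted(((c, counts[c], *first_seen[c]) for c in first_seen),
                  key=lambda row: (row[1], row[0]))

# Constructed sample lines (not real ndstrace output; codes other than
# -255 and -603 are arbitrary filler).
SAMPLE = """\
[LDAP] New cleartext connection from 192.0.2.10
[RSLV] read attribute failed, no such attribute (-603)
[RSLV] read attribute failed, no such attribute (-603)
[AUTH] login for .testuser.org.tree failed, rc=-255
[RSLV] read attribute failed, no such attribute (-603)
[SDI] key display failed (error = -255)
[LDAP] bind failed, err: -669
""".splitlines()

if __name__ == "__main__":
    counts, _ = triage_trace(SAMPLE)
    print(f"-603 set aside as noise: {counts[-603]} hits")
    for code, n, lineno, text in report(SAMPLE):
        print(f"{code:>6} x{n}  first at line {lineno}: {text}")
```

For a real capture, pass the open file instead of `SAMPLE`, for example `report(open(path, errors="replace"))`, and pass `noisy=()` when the -603 hits themselves need a look.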