<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 01/12/2015 12:55 PM, Rakesh
Rajasekharan wrote:<br>
</div>
<blockquote
cite="mid:CANAMAkqoQDE5YfL7J=yPktNJEBxJZE8g39bh4_e0ToT+Z=dP0A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>This is the full log,<br>
<br>
Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account):
User info message: Password expired. Change your password now.<br>
Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for
hq-testuser from 10.5.68.184 port 54048 ssh2<br>
Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session):
session opened for user hq-testuser by (uid=0)<br>
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok):
user "hq-testuser" does not exist in /etc/passwd<br>
Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok):
user "hq-testuser" does not exist in /etc/passwd<br>
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok):
Password change failed for user hq-testuser: 22
(Authentication token lock busy)<br>
Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect
from <a moz-do-not-send="true" href="http://10.5.68.184">10.5.68.184</a>:
11: disconnected by user<br>
Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session):
session closed for user hq-testuser<br>
<br>
<br>
>> Does it happen for all users or only users that you
migrated?<br>
</div>
<div>Yes it happens for all, I created a new user ( hq-testuser)
is a fresh one that I created.<br>
<br>
</div>
<div>I found a workaround for this , users are able to
successfully change the password by connecting to the IPA
master server.<br>
</div>
<div>So, its only the ipa clients that have the issue.<br>
</div>
</div>
</blockquote>
<br>
Does it work for the same user from the client if you reset
password on the server, authenticate from the client and then force
reset again on the server?<br>
<br>
Can you add a new client and see whether it works there?<br>
Have you tried re-installing the client?<br>
<br>
<blockquote
cite="mid:CANAMAkqoQDE5YfL7J=yPktNJEBxJZE8g39bh4_e0ToT+Z=dP0A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
<br>
</div>
<div>Thanks,<br>
</div>
<div>Rakesh<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Jan 12, 2015 at 10:57 PM, Jakub
Hrozek <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh
Rajasekharan wrote:<br>
> under /var/log/secure.. have this error<br>
> passwd: pam_sss(passwd:chauthtok): Password change
failed for user<br>
> hq-testuser: 22 (Authentication token lock busy)<br>
<br>
</span>It looks like the log was trucated, can you post more
context?<br>
<br>
Authentication token lock busy usually means the kadmin
servers were<br>
offline..<br>
<div class="HOEnZb">
<div class="h5"><br>
--<br>
Manage your subscription for the Freeipa-users mailing
list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>