<div dir="ltr"><div>>>>Does it work for the same user from the client if you reset
password on the server, authenticate from the client and then force
reset again on the server?<br>
When I force reset a user, he stil faces the same error "token manipulation" when tries to login to a client. However, when he tries getting into the server, he now gets prompted for the password change and is successfully able to get through.<br><br>So, at this point we have a workaround though something seems not right at the clients.<br>
>>>Can you add a new client and see whether it works there?<br><br>
>>Have you tried re-installing the client?<span class="im"><br></span></div><span class="im">Yes, I did try reinstalling but that did not help<br>
</span><div><br><br>>>>Sorry, I meant the full krb5_child.log ...<br><br>This is how I get the logs in krb5_child.<br><br>when a user tries to authenticate with the random password that I generated,<br><br>WARNING: Your password has expired.<br>You must change your password now and login again!<br>Changing password for user hq-testuser.<br>Current Password:<br>New password:<br>Retype new password:<br>passwd: Authentication token manipulation erro<br><br>And on the krb5_child.log, these are the entries<br><br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]<br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.<br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.<br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]<br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/<a href="mailto:qa-dummy-int.test.com@TEST.COM">qa-dummy-int.test.com@TEST.COM</a>]<br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [match_principal] (0x1000): Principal matched to the sample (host/<a href="mailto:qa-dummy-int.test.com@TEST.COM">qa-dummy-int.test.com@TEST.COM</a>).<br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.<br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400): Will perform password change<br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x1000): Password change operation<br>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x0400): Attempting kinit for realm [<a href="http://TEST.COM">TEST.COM</a>]<br><br><br>This does not go beyond this. however, when i attempt another login , the logs start moving from this point( the time stamp start from 6:54 AM)<br><br>WARNING: Your password has expired.<br>You must change your password now and login again!<br>Changing password for user hq-testuser.<br>Current Password:<br>New password:<br>Retype new password:<br>passwd: Authentication token manipulation erro<br><br>now the krb5_child.log adds following lines<br><br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child started.<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x1000): total buffer size: [134]TEST<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): cmd [241] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [<a href="mailto:hq-testuser@TEST.COM">hq-testuser@TEST.COM</a>]<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/<a href="mailto:qa-dummy-int.test.com@TEST.COM">qa-dummy-int.test.com@TEST.COM</a>]<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [match_principal] (0x1000): Principal matched to the sample (host/<a href="mailto:qa-dummy-int.test.com@TEST.COM">qa-dummy-int.test.com@TEST.COM</a>).<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): Will perform online auth<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child] (0x1000): Attempting to get a TGT<br>(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [<a href="http://TEST.COM">TEST.COM</a>]<br>(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]<br>(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child] (0x1000): Password was expired<br>(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [k5c_send_data] (0x0200): Received error code 1432158213<br>(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child completed successfully<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x1000): total buffer size: [134]<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): cmd [247] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [<a href="mailto:hq-testuser@TEST.COM">hq-testuser@TEST.COM</a>]<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/<a href="mailto:qa-dummy-int.test.com@TEST.COM">qa-dummy-int.test.com@TEST.COM</a>]<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [match_principal] (0x1000): Principal matched to the sample (host/<a href="mailto:qa-dummy-int.test.com@TEST.COM">qa-dummy-int.test.com@TEST.COM</a>).<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): Will perform password change checks<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Password change operation<br>(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [<a href="http://TEST.COM">TEST.COM</a>]<br>(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.<br>(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data] (0x0200): Received error code 0<br>(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): krb5_child started.<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x1000): total buffer size: [153]<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): cmd [246] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [<a href="mailto:hq-testuser@TEST.COM">hq-testuser@TEST.COM</a>]<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/<a href="mailto:qa-dummy-int.test.com@TEST.COM">qa-dummy-int.test.com@TEST.COM</a>]<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [match_principal] (0x1000): Principal matched to the sample (host/<a href="mailto:qa-dummy-int.test.com@TEST.COM">qa-dummy-int.test.com@TEST.COM</a>).<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): Will perform password change<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x1000): Password change operation<br>(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [<a href="http://TEST.COM">TEST.COM</a>]<br><br></div><div>and again the last line is attempting kinit for realm<br><br></div><div>Thanks,<br></div><div>Rakesh<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 13, 2015 at 1:05 AM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 01/12/2015 12:55 PM, Rakesh
Rajasekharan wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>This is the full log,<br>
<br>
Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account):
User info message: Password expired. Change your password now.<br>
Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for
hq-testuser from 10.5.68.184 port 54048 ssh2<br>
Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session):
session opened for user hq-testuser by (uid=0)<br>
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok):
user "hq-testuser" does not exist in /etc/passwd<br>
Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok):
user "hq-testuser" does not exist in /etc/passwd<br>
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok):
Password change failed for user hq-testuser: 22
(Authentication token lock busy)<br>
Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect
from <a href="http://10.5.68.184" target="_blank">10.5.68.184</a>:
11: disconnected by user<br>
Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session):
session closed for user hq-testuser<br>
<br>
<br>
>> Does it happen for all users or only users that you
migrated?<br>
</div>
<div>Yes it happens for all, I created a new user ( hq-testuser)
is a fresh one that I created.<br>
<br>
</div>
<div>I found a workaround for this , users are able to
successfully change the password by connecting to the IPA
master server.<br>
</div>
<div>So, its only the ipa clients that have the issue.<br>
</div>
</div>
</blockquote>
<br></span>
Does it work for the same user from the client if you reset
password on the server, authenticate from the client and then force
reset again on the server?<br>
<br>
Can you add a new client and see whether it works there?<br>
Have you tried re-installing the client?<span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
<br>
</div>
<div>Thanks,<br>
</div>
<div>Rakesh<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Jan 12, 2015 at 10:57 PM, Jakub
Hrozek <span dir="ltr"><<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh
Rajasekharan wrote:<br>
> under /var/log/secure.. have this error<br>
> passwd: pam_sss(passwd:chauthtok): Password change
failed for user<br>
> hq-testuser: 22 (Authentication token lock busy)<br>
<br>
</span>It looks like the log was trucated, can you post more
context?<br>
<br>
Authentication token lock busy usually means the kadmin
servers were<br>
offline..<br>
<div>
<div><br>
--<br>
Manage your subscription for the Freeipa-users mailing
list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
</span><span class=""><pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</span></div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>