[Freeipa-devel] setting passwords stopped working

Nathan Kinder nkinder at redhat.com
Mon Jun 23 17:24:57 UTC 2008 

Matt Bernstein wrote:
> Hi, not sure where better to send this so here goes..
>
> I installed Fedora 9 FreeIPA (1.0) a couple of weeks ago, and yum has 
> since upgraded it to 1.1. Things seem to be pretty good, except 
> changing (or setting new) passwords has stopped working. I don't know 
> if the upgrade was the cause of the error, but I thought I'd better 
> mention it.
>
> User's interaction:
>
> $ kinit -V tim
> Password for tim at TEST.EECS.QMUL.AC.UK:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials
>
>> From krb5kdc.log:
>
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 
> 23 1 3 2}) 138.37.95.132: CLIENT KEY EXPIRED: tim at TEST.EECS.QMUL.AC.UK 
> for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Password has 
> expired
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 
> 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: tim at TEST.EECS.QMUL.AC.UK for 
> kadmin/changepw at TEST.EECS.QMUL.AC.UK, Additional pre-authentication 
> required
> Jun 23 17:06:45 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 
> 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237205, etypes {rep=18 
> tkt=18 ses=18}, tim at TEST.EECS.QMUL.AC.UK for 
> kadmin/changepw at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 
> 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: 
> kadmin/changepw at TEST.EECS.QMUL.AC.UK for 
> krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Additional 
> pre-authentication required
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 
> 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 
> tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for 
> krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): TGS_REQ (7 etypes {18 17 16 
> 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 
> tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for 
> ldap/eagle.test.eecs.qmul.ac.uk at TEST.EECS.QMUL.AC.UK
>
>> From syslog:
>
> Jun 23 17:06:46 eagle kpasswd[1852]: ldap_parse_result(): [Password 
> generation not implemented.#012]
> Jun 23 17:06:46 eagle kpasswd[1852]: Password change failed
>
> So.. is any of this helpful? It seems from syslog that the 
> ipa_pwd_extop slapi plugin isn't receiving the new password, but I've 
> no idea why.
>
> Can anyone help? It's not SELinux or resource starvation, AFAICT.
Is there anything interesting related to the ipa_passwd_extop  plug-in 
in the Directory Server errors log (/var/log/dirsrv/slapd-<realm>/errors)?

-NGK
>
> Matt
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3254 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080623/1320d06c/attachment.bin>

More information about the Freeipa-devel mailing list