[Freeipa-devel] setting passwords stopped working
Nathan Kinder
nkinder at redhat.com
Mon Jun 23 17:24:57 UTC 2008
Matt Bernstein wrote:
> Hi, not sure where better to send this so here goes..
>
> I installed Fedora 9 FreeIPA (1.0) a couple of weeks ago, and yum has
> since upgraded it to 1.1. Things seem to be pretty good, except
> changing (or setting new) passwords has stopped working. I don't know
> if the upgrade was the cause of the error, but I thought I'd better
> mention it.
>
> User's interaction:
>
> $ kinit -V tim
> Password for tim at TEST.EECS.QMUL.AC.UK:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials
>
>> From krb5kdc.log:
>
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16
> 23 1 3 2}) 138.37.95.132: CLIENT KEY EXPIRED: tim at TEST.EECS.QMUL.AC.UK
> for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Password has
> expired
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16
> 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: tim at TEST.EECS.QMUL.AC.UK for
> kadmin/changepw at TEST.EECS.QMUL.AC.UK, Additional pre-authentication
> required
> Jun 23 17:06:45 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16
> 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237205, etypes {rep=18
> tkt=18 ses=18}, tim at TEST.EECS.QMUL.AC.UK for
> kadmin/changepw at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16
> 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH:
> kadmin/changepw at TEST.EECS.QMUL.AC.UK for
> krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Additional
> pre-authentication required
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16
> 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18
> tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for
> krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): TGS_REQ (7 etypes {18 17 16
> 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18
> tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for
> ldap/eagle.test.eecs.qmul.ac.uk at TEST.EECS.QMUL.AC.UK
>
>> From syslog:
>
> Jun 23 17:06:46 eagle kpasswd[1852]: ldap_parse_result(): [Password
> generation not implemented.#012]
> Jun 23 17:06:46 eagle kpasswd[1852]: Password change failed
>
> So.. is any of this helpful? It seems from syslog that the
> ipa_pwd_extop slapi plugin isn't receiving the new password, but I've
> no idea why.
>
> Can anyone help? It's not SELinux or resource starvation, AFAICT.
Is there anything interesting related to the ipa_passwd_extop plug-in
in the Directory Server errors log (/var/log/dirsrv/slapd-<realm>/errors)?
-NGK
>
> Matt
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3254 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080623/1320d06c/attachment.bin>
More information about the Freeipa-devel
mailing list