[Freeipa-users] User passwords expired

David Christensen David.Christensen at viveli.com
Sat Jul 11 19:41:23 UTC 2009


Simo Sorce wrote:
> On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
>> Every user I add is indicated as their password being expired, assuming
>> this is normal and this forces users to create their own password when
>> they first log in (not sure) I tried logging in as a test user.
> 
> See: http://freeipa.org/page/NewPasswordsExpired
> 
>> I was prompted with the expired password update now and attempted to do
>> so.  When I tried to change the password I got an error:  kinit(v5)
>> password change failed while getting initial credentials.
>>
>> What is this error telling me?
> 
> Is ipa-kpasswd running on your IPA Server ?
> Do you see errors in /var/log/krb5kdc.log on the server ?
> 
>> I tried changing the password for the user via the UI but the account is
>> still indicated as password expired.
> 
> Expected, see the doc above.
> 
> Simo.
> 
Simo,

This is a sample of the log file for the test user I have been using:
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password has expired
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM for ldap/ipa1.example.com at EXAMPLE.COM

I verified that ipa_kpasswd is indeed running.

David
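
An added example, not part of the original message and not FreeIPA code: a short Python parser for krb5kdc.log lines in the format quoted above, reporting for each client logged as CLIENT KEY EXPIRED whether the KDC afterwards issued it a kadmin/changepw ticket. The function names and the sample lines (constructed from the excerpt, with the archive's " at " written as "@") are assumptions of this example.

```python
import re

# Constructed sample modelled on the excerpt in the message above;
# the list archive's " at " is written here as "@".
SAMPLE = """\
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM
"""

# Timestamp, host, request type, source address, status keyword, remainder.
LINE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]+) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[\d ]+\}\) (?P<src>\S+): "
    r"(?P<status>[A-Z_ ]+): (?P<rest>.*)$")
# "<client principal> for <service principal>" inside the remainder.
PAIR = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^\s,]+)")

def parse(text):
    """Return one dict per recognised krb5kdc request line."""
    events = []
    for raw in text.splitlines():
        # Also accept lines copied from the list archive (" at " for "@").
        m = LINE.match(raw.strip().replace(" at ", "@"))
        p = m and PAIR.search(m["rest"])
        if p:
            events.append({**m.groupdict(), **p.groupdict()})
    return events

def expired_clients(events):
    """Map each client logged as CLIENT KEY EXPIRED to whether the KDC
    later issued that client a ticket for kadmin/changepw."""
    result = {}
    for e in events:
        if e["status"] == "CLIENT KEY EXPIRED":
            result.setdefault(e["client"], False)
        elif (e["status"] == "ISSUE" and e["client"] in result
              and e["service"].startswith("kadmin/changepw@")):
            result[e["client"]] = True
    return result

if __name__ == "__main__":
    print(expired_clients(parse(SAMPLE)))
```

A value of True means the KDC handed out the password-change ticket after the expiry, so the remaining steps to check are on the password-change service side rather than in the initial AS exchange.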