[Freeipa-users] User passwords expired

David Christensen David.Christensen at viveli.com
Sat Jul 11 20:42:56 UTC 2009


Simo Sorce wrote:
> On Sat, 2009-07-11 at 14:41 -0500, David Christensen wrote:
>> Simo Sorce wrote:
>>> On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
>>>> Every user I add is indicated as their password being expired, assuming
>>>> this is normal and this forces users to create their own password when
>>>> they first log in (not sure) I tried logging in as a test user.
>>> See: http://freeipa.org/page/NewPasswordsExpired
>>>
>>>> I was prompted with the expired password update now and attempted to do
>>>> so.  When I tried to change the password I got an error:  kinit(v5)
>>>> password change failed while getting initial credentials.
>>>>
>>>> What is this error telling me?
>>> Is ipa-kpasswd running on your IPA Server ?
>>> Do you see errors in /var/log/krb5kdc.log on the server ?
>>>
>>>> I tried changing the password for the user via the UI but the account is
>>>> still indicated as password expired.
>>> Expected, see the doc above.
>>>
>>> Simo.
>>>
>> Simo,
>>
>> This is a sample of the log file for the test user I have been using:
>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password has expired
>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional pre-authentication required
>> Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM
>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM
>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM for ldap/ipa1.example.com at EXAMPLE.COM
>>
>> I verified that ipa_kpasswd is indeed running.
> 
> This sequence seems also to indicate that ipa-kpasswd is actually
> attempting the password change (see kadmin/changepw getting a ticket for
> the ldap server).
> I wonder if this is just a timeout issue as it strangely took 9 seconds
> between kinit getting a ticket and ipa-kpasswd starting to perform a
> password change. So presumably the whole operation took more.
> 
> If you "time" kinit how long does it take to return the error ?
> 
> If you re-run kinit what do you get ?
> Does it accept the old password or does it require the new one to
> succeed ?
> 
> Simo.
> 
It is pretty fast actually, no latency at all.

When I use kinit and it prompts me for a password, I have to use the
password that I set via the UI, anything else and I get an error that
the password is incorrect.

This is what I get when I use the password set in the UI via the admin
account:

Password for davidc at EXAMPLE.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit(v5): Password change failed while getting initial credentials

David