[Freeipa-users] User passwords expired

David Christensen David.Christensen at viveli.com
Mon Jul 13 15:07:38 UTC 2009



David Christensen wrote:
> Simo Sorce wrote:
>> On Sat, 2009-07-11 at 14:41 -0500, David Christensen wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Simo Sorce wrote:
>>>> On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Every user I add is indicated as their password being expired, assuming
>>>>> this is normal and this forces users to create their own password when
>>>>> they first log in (not sure) I tried logging in as a test user.
>>>> See: http://freeipa.org/page/NewPasswordsExpired
>>>>
>>>>> I was prompted with the expired password update now and attempted to do
>>>>> so.  When I tried to change the password I got an error:  kinit(v5)
>>>>> password change failed while getting initial credentials.
>>>>>
>>>>> What is this error telling me?
>>>> Is ipa-kpasswd running on your IPA Server ?
>>>> Do you see errors in /var/log/krb5kdc.log on the server ?
>>>>
>>>>> I tried changing the password for the user via the UI but the account is
>>>>> still indicated as password expired.
>>>> Expected, see the doc above.
>>>>
>>>> Simo.
>>>>
>>> Simo,
>>>
>>> This is a sample of the log file for the test user I have been using:
>>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
>>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED:
>>> davidc at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password
>>> has expired
>>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
>>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH:
>>> davidc at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional
>>> pre-authentication required
>>> Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
>>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262,
>>> etypes {rep=18 tkt=18 ses=18}, davidc at EXAMPLE.COM for
>>> kadmin/changepw at EXAMPLE.COM
>>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
>>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH:
>>> kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM,
>>> Additional pre-authentication required
>>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
>>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271,
>>> etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM for
>>> krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ
>>> (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime
>>> 1247265271, etypes {rep=18 tkt=18 ses=18},
>>> kadmin/changepw at EXAMPLE.COM for ldap/ipa1.example.com at EXAMPLE.COM
>>>
>>> I verified that ipa_kpasswd is indeed running.
>> This sequence also seems to indicate that ipa-kpasswd is actually
>> attempting the password change (see kadmin/changepw getting a ticket for
>> the ldap server).
>> I wonder if this is just a timeout issue as it strangely took 9 seconds
>> between kinit getting a ticket and ipa-kpasswd starting to perform a
>> password change. So presumably the whole operation took more.
> 
>> If you "time" kinit how long does it take to return the error ?
> 
>> If you re-run kinit what do you get ?
>> Does it accept the old password or does it require the new one to
>> succeed ?
> 
Simo.

It is pretty fast actually, no latency at all.

When I use kinit and it prompts me for a password, I have to use the
password that I set via the UI, anything else and I get an error that
the password is incorrect.

This is what I get when I use the password set in the UI via the admin
account:

Password for davidc at EXAMPLE.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit(v5): Password change failed while getting initial credentials

David
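
Added example, not part of the original thread: a small Python parser that walks a krb5kdc.log excerpt like the one quoted above and reports the stages of the expired-password change, including the delay Simo points out between the user's kadmin/changepw ticket and ipa-kpasswd's ticket for the LDAP server. The sample lines are constructed from the quoted log; the function names and the assumed year are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample modelled on the krb5kdc.log excerpt quoted in the thread:
# wrapped lines rejoined and "@" restored from the list archive's " at ".
SAMPLE_LOG = """\
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_ ]+): "
    r"(?:.*?, )?(?P<client>[^\s,]+) for (?P<service>[^\s,]+)")

def parse(log, year=2009):
    """Parse KDC request lines; syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
            events.append(e)
    return events

def trace_password_change(events, user):
    """Return (stages, gap): when each step of the expired-password change was
    logged, and seconds from the user's changepw ticket to the LDAP ticket."""
    stages = {}
    for e in events:
        issued = e["status"] == "ISSUE"
        if e["client"] == user and e["status"] == "CLIENT KEY EXPIRED":
            stages.setdefault("expired", e["time"])
        elif e["client"] == user and issued and e["service"].startswith("kadmin/changepw@"):
            stages.setdefault("changepw_ticket", e["time"])
        elif ("changepw_ticket" in stages and issued and e["req"] == "TGS_REQ"
              and e["client"].startswith("kadmin/changepw@")
              and e["service"].startswith("ldap/")):
            stages.setdefault("kpasswd_ldap_ticket", e["time"])
    gap = None
    if "kpasswd_ldap_ticket" in stages:
        gap = (stages["kpasswd_ldap_ticket"] - stages["changepw_ticket"]).total_seconds()
    return stages, gap

if __name__ == "__main__":
    stages, gap = trace_password_change(parse(SAMPLE_LOG), "davidc@EXAMPLE.COM")
    for name, when in stages.items():
        print(f"{name:20} {when:%H:%M:%S}")
    print("seconds from changepw ticket to kpasswd LDAP ticket:", gap)
```

A missing `kpasswd_ldap_ticket` stage means the KDC never logged ipa-kpasswd obtaining its LDAP ticket after the user's changepw ticket, so the change request did not get as far as the directory.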
