[Freeipa-users] User passwords expired

Simo Sorce ssorce at redhat.com
Mon Jul 13 19:12:37 UTC 2009


On Mon, 2009-07-13 at 10:07 -0500, David Christensen wrote:
> 
> David Christensen wrote:
> > Simo Sorce wrote:
> >> On Sat, 2009-07-11 at 14:41 -0500, David Christensen wrote:
> >>>
> >>> Simo Sorce wrote:
> >>>> On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
> >>>>>
> >>>>> Every user I add is indicated as their password being expired, assuming
> >>>>> this is normal and this forces users to create their own password when
> >>>>> they first log in (not sure) I tried logging in as a test user.
> >>>> See: http://freeipa.org/page/NewPasswordsExpired
> >>>>
> >>>>> I was prompted with the expired password update now and attempted to do
> >>>>> so.  When I tried to change the password I got an error:  kinit(v5)
> >>>>> password change failed while getting initial credentials.
> >>>>>
> >>>>> What is this error telling me?
> >>>> Is ipa-kpasswd running on your IPA Server ?
> >>>> Do you see errors in /var/log/krb5kdc.log on the server ?
> >>>>
> >>>>> I tried changing the password for the user via the UI but the account is
> >>>>> still indicated as password expired.
> >>>> Expected, see the doc above.
> >>>>
> >>>> Simo.
> >>>>
> >>> Simo,
> >>>
> >>> This is a sample of the log file for the test user I have been using:
> >>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> >>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED:
> >>> davidc at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password
> >>> has expired
> >>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> >>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH:
> >>> davidc at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional
> >>> pre-authentication required
> >>> Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> >>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262,
> >>> etypes {rep=18 tkt=18 ses=18}, davidc at EXAMPLE.COM for
> >>> kadmin/changepw at EXAMPLE.COM
> >>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> >>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH:
> >>> kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM,
> >>> Additional pre-authentication required
> >>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> >>> etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271,
> >>> etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM for
> >>> krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ
> >>> (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime
> >>> 1247265271, etypes {rep=18 tkt=18 ses=18},
> >>> kadmin/changepw at EXAMPLE.COM for ldap/ipa1.example.com at EXAMPLE.COM
> >>>
> >>> I verified that ipa_kpasswd is indeed running.
> >> This sequence seems also to indicate that ipa-kpasswd is actually
> >> attempting the password change (see kadmin/changepw getting a ticket for
> >> the ldap server).
> >> I wonder if this is just a timeout issue as it strangely took 9 seconds
> >> between kinit getting a ticket and ipa-kpasswd starting to perform a
> >> password change. So presumably the whole operation took more.
> > 
> >> If you "time" kinit how long does it take to return the error ?
> > 
> >> If you re-run kinit what do you get ?
> >> Does it accept the old password or does it require the new one to
> >> succeed ?
> > 
> Simo.
> 
> It is pretty fast actually, no latency at all.
> 
> When I use kinit and it prompts me for a password, I have to use the
> password that I set via the UI, anything else and I get an error that
> the password is incorrect.
> 
> This is what I get when I use the password set in the UI via the admin
> account:
> 
> Password for davidc at EXAMPLE.COM:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials

Can you see if there is any error in /var/log/messages from
ipa-kpasswd ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



