[Freeipa-users] can't reset password on fedora 13

Konstantin Kozlov kozlov at spbcas.ru
Tue Jun 8 05:13:05 UTC 2010


Hi,

I apologize for not reporting my information on the list earlier.

I have a working installation of FreeIPA v.1 and a few days ago I added
an F13 client.

I've installed everything from official repos. SSSD caused problems
because ipa-client-install made a 'default' domain in sssd.conf and
sssd was looking for SRV records in DNS for LDAP and KDC with
'.default' suffix. There are no such records and other FreeIPA clients
are happy with that, so I added those lines to sssd.conf:

[domain/default]
....
krb5_kdcip = XXX.XXX.XXX.XXX
ldap_uri = ldap://ldap.example.com
....

Kostya

On Mon, 07 Jun 2010 10:04:19 -0400
Stephen Gallagher <sgallagh at redhat.com> wrote:

> On 06/06/2010 06:06 PM, James Po wrote:
> > I've installed (from yum) on fedora 13, created a user but cannot
> > ssh in as that user - it fails to reset the password.
> >
> > I've disabled iptables & SELinux (for testing purposes) to no avail.
> >
> >
> > macbook:~ james$ ssh bshit at 192.168.5.58
> > bshit at 192.168.5.58's password:
> > Warning: Your password will expire in less than one hour.
> > Password expired. Change your password now.
> > Last login: Sun Jun  6 22:25:17 2010 from 192.168.5.249
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user bshit.
> > Current Password:
> > New password:
> > Retype new password:
> > Warning: Your password will expire in less than one hour.
> > Warning: Your password will expire in less than one hour.
> > passwd: Authentication token manipulation error
> > Connection to 192.168.5.58 closed.
> >
> >
> > /var/log/secure:
> >
> > Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> > [Cannot contact any KDC for requested realm]
> > Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> > message: Warning: Your password will expire in less than one hour.
> > Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> > [Cannot contact any KDC for requested realm]
> > Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> > message: Warning: Your password will expire in less than one hour.
> > Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): Password
> > change failed for user bshit: 22 (Authentication token lock busy)
> > Jun  6 22:32:30 ipa passwd: gkr-pam: couldn't update the login
> > keyring password: no old password was entered
> > Jun  6 22:32:32 ipa sshd[1635]: pam_unix(sshd:session): session
> > closed for user bshit
> >
> >
> > /var/log/krb5kdc.log:
> >
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> > bshit at DEV.WEBSCALABILITY.COM for
> > kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional
> > pre-authentication required
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> > 1275859950, etypes {rep=18 tkt=18 ses=18},
> > bshit at DEV.WEBSCALABILITY.COM for
> > kadmin/changepw at DEV.WEBSCALABILITY.COM
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> > bshit at DEV.WEBSCALABILITY.COM for
> > kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional
> > pre-authentication required
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> > 1275859950, etypes {rep=18 tkt=18 ses=18},
> > bshit at DEV.WEBSCALABILITY.COM for
> > kadmin/changepw at DEV.WEBSCALABILITY.COM
> 
> 
> This looks like an error in the SSSD. Could you
> edit /etc/sssd/sssd.conf and change debug_level=0 to debug_level=9
> and then try this again. Then examine /var/log/sssd/krb5_child.log
> and /var/log/sssd/sssd_<your_domain>.log for clues?
> 
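
An added example, not part of the original post and not SSSD's own code: a small checker for the situation described at the top of this message, listing the SRV names an sssd.conf domain depends on when krb5_kdcip or ldap_uri is not set. The sample config, the 192.0.2.10 address and the rule that the domain section name becomes the DNS suffix (taken from the post's description) are assumptions made for illustration.

```python
import configparser

# Constructed sample modelled on the post: a domain named 'default'
# with no explicit server settings.
BROKEN = """
[sssd]
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
"""

# Same domain with the two settings from the post added
# (address and hostname are placeholders constructed for this example).
FIXED = BROKEN + "krb5_kdcip = 192.0.2.10\nldap_uri = ldap://ldap.example.com\n"

# Options that pin each service, and the conventional SRV record
# looked up when none of them is set. krb5_server is the later name
# for krb5_kdcip in SSSD.
SERVICES = {
    "_ldap._tcp": ("ldap_uri",),
    "_kerberos._udp": ("krb5_kdcip", "krb5_server"),
}


def srv_fallbacks(conf_text):
    """Return {domain: [SRV names that must resolve for it to work]}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    domains = cp.get("sssd", "domains", fallback="")
    result = {}
    for name in (d.strip() for d in domains.split(",")):
        section = "domain/" + name
        if not name or not cp.has_section(section):
            continue
        # Assumption from the post: the section name is the DNS suffix.
        missing = [f"{srv}.{name}" for srv, opts in SERVICES.items()
                   if not any(cp.get(section, o, fallback="").strip()
                              for o in opts)]
        if missing:
            result[name] = missing
    return result


if __name__ == "__main__":
    print("before:", srv_fallbacks(BROKEN))
    print("after: ", srv_fallbacks(FIXED))
```

If a name reported for the first config has no SRV record in DNS, the password change has no KDC to reach, which matches the "Cannot contact any KDC for requested realm" lines in the quoted /var/log/secure.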



