[Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

Rob Crittenden rcritten at redhat.com
Tue Mar 22 13:45:25 UTC 2011


Andy Singleton wrote:
> Hello,
>
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users'
> passwords from the client.
>
> From the user perspective, I get this:
>
> Changing password for user andytest.
>
> Kerberos 5 Password:
>
> New password:
>
> Retype new password:
>
> passwd: Authentication token manipulation error
>
> From the local secure log, I see this:
>
> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
>
> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
>
> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for
> requested realm
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET
>
> nsswitch.conf has the usual stuff:
>
> passwd: files ldap
>
> shadow: files ldap
>
> group: files ldap
>
> I’m not sure what else to check.
>
> Andy

Is ipa_kpasswd running on the IPA server?

rob
