[Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

Andy Singleton Andy.Singleton at tipp24os.co.uk
Tue Mar 22 15:54:29 UTC 2011


Yes ipa_kpasswd is running.

I have some additional information: kpasswd on the client does work,
passwd does not.

This is fine, except when a user attempts to connect when they need a
password reset - They get prompted to change it, but then the same error
as before occurs.

Andy

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Tuesday, March 22, 2011 1:45 PM
To: Andy Singleton
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user
passwords

Andy Singleton wrote:
> Hello,
>
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users'
> passwords from the client.
>
>  From the user perspective, I get this:
>
> /Changing password for user andytest./
>
> /Kerberos 5 Password: /
>
> /New password: /
>
> /Retype new password: /
>
> /passwd: Authentication token manipulation error/
>
>  From the local secure log, I see this:
>
> /Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd/
>
> /Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd/
>
> /Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for
> requested realm/
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work
> fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET
>
> nsswitch.conf has the usual stuff:
>
> /passwd: files ldap/
>
> /shadow: files ldap/
>
> /group: files ldap/
>
> I'm not sure what else to check.
>
> Andy

Is ipa_kpasswd running on the IPA server?

rob



