[Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

Dmitri Pal dpal at redhat.com
Tue Mar 22 17:12:48 UTC 2011


On 03/22/2011 09:54 AM, Dmitri Pal wrote:
> On 03/22/2011 06:11 AM, Andy Singleton wrote:
>> Hello,
>>
>>  
>>
>> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>>
>> Everything appears to work fine, with the exception of updating users'
>> passwords from the client.
>>
>>
>>
>> From the user perspective, I get this:
>>
>>  
>>
>> Changing password for user andytest.
>>
>> Kerberos 5 Password: 
>>
>> New password: 
>>
>> Retype new password: 
>>
>> passwd: Authentication token manipulation error
>>
>>  
>>
>> From the local secure log, I see this:
>>
>>  
>>
>> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
>> "andytest" does not exist in /etc/passwd
>>
>> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
>> "andytest" does not exist in /etc/passwd
>>
>> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
>> failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for
>> requested realm
>>
>>  
>>
>> There are no local or network firewalls between the client and the IPA
>> server, and every other piece of IPA functionality appears to work fine.
>>
>>  
>>
>> On the IPA server itself, I see this in krb5kdc:
>>
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
>> type found: Success
>>
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
>> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for
>> kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed
>>
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
>> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for
>> kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required
>>
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
>> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
>> tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for
>> kadmin/changepw at LIVE.TIPP24.NET
>>
>>  
>>
>> nsswitch.conf has the usual stuff:
>>
>>  
>>
>> passwd:     files ldap
>>
>> shadow:     files ldap
>>
>> group:      files ldap
>>
>>  
>>
>> I'm not sure what else to check.
>>
>>  
>>
>> Andy
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Sorry, clicked the send button before I typed anything.
> It looks like this is the result of the OID fix we made some time ago.
> We recommend using ipa-client 2.0 with the latest IPA.
> The client in RHEL 6.0 has the bug related to password change that
> prevents it from working with IPA v2.
> There is no fix for 6.0 yet and since ipa-client in RHEL 6.0 is in tech
> preview there is no plan to release any asynch errata for it.
> RHEL 6.1 will carry the right version of ipa-client.
> We might be able to build an upstream version of the ipa-client for RHEL
> but not sooner than we release the 2.0 (any time now...).
>  
>
Please ignore my reply.
Mixed the two issues on the list.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

