[Freeipa-users] Password token manipulation errors after upgrade

Ian Levesque ian at crystal.harvard.edu
Wed Jan 4 23:32:37 UTC 2012


Hello,

I've upgraded a FreeIPA server to RHEL 6.2 (from 6.1), putting me at version 2.1.3-9. Since the upgrade, I haven't been able to change any existing passwords; all I get is an "Authentication token manipulation error". Newly-created accounts don't have this problem. I /can/ log in using my existing password, but one user's password is expired and that user is effectively locked out until I can figure this out. Any ideas?

Best,
Ian


-bash-4.1$ whoami
ian

-bash-4.1$ passwd
Changing password for user ian.
Current Password: 
New password: 
Retype new password: 
Password change failed. Server message: Password change failed
passwd: Authentication token manipulation error


krb5kdc.log:

krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: NEEDED_PREAUTH: ian@SBGRID.ORG for kadmin/changepw@SBGRID.ORG, Additional pre-authentication required
krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: ISSUE: authtime 1325719595, etypes {rep=18 tkt=18 ses=18}, ian@SBGRID.ORG for kadmin/changepw@SBGRID.ORG
krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: NEEDED_PREAUTH: kadmin/changepw@SBGRID.ORG for krbtgt/SBGRID.ORG@SBGRID.ORG, Additional pre-authentication required
krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: ISSUE: authtime 1325719595, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@SBGRID.ORG for krbtgt/SBGRID.ORG@SBGRID.ORG
krb5kdc[1558](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: ISSUE: authtime 1325719595, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@SBGRID.ORG for ldap/sbgrid-directory.in.hwlab@SBGRID.ORG

messages:

passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
passwd: pam_sss(passwd:chauthtok): Password change failed for user ian: 20 (Authentication token manipulation error)





