[Freeipa-users] Password token manipulation errors after upgrade
Dmitri Pal
dpal at redhat.com
Wed Jan 4 23:47:37 UTC 2012
On 01/04/2012 06:32 PM, Ian Levesque wrote:
> Hello,
>
> I've upgraded a FreeIPA server to RHEL 6.2 (from 6.1), putting me at version 2.1.3-9. Since the upgrade, I haven't been able to change any existing passwords, all I get is an "Authentication token manipulation error". Newly-created accounts don't have this problem. I /can/ login using my existing password, but one user's password is expired and is effectively locked out until I can figure this out. Any ideas?
First of all in place upgrade from tech preview 6.1 bits to 6.2 is not
supported by Red Hat as 6.2 is the first supported release.
This being said you might try to remove passwords.
Can you use some old account as a test, remove the kerberos password
attribute and then follow the migration procedure for it, i.e.
authenticate using special migration UI page or with SSSD in migration
mode? If that works then you might want to do it for all old users.
> Best,
> Ian
>
>
> -bash-4.1$ whoami
> ian
>
> -bash-4.1$ passwd
> Changing password for user ian.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Password change failed
> passwd: Authentication token manipulation error
>
>
> krb5kdc.log:
>
> krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: NEEDED_PREAUTH: ian at SBGRID.ORG for kadmin/changepw at SBGRID.ORG, Additional pre-authentication required
> krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: ISSUE: authtime 1325719595, etypes {rep=18 tkt=18 ses=18}, ian at SBGRID.ORG for kadmin/changepw at SBGRID.ORG
> krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: NEEDED_PREAUTH: kadmin/changepw at SBGRID.ORG for krbtgt/SBGRID.ORG at SBGRID.ORG, Additional pre-authentication required
> krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: ISSUE: authtime 1325719595, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at SBGRID.ORG for krbtgt/SBGRID.ORG at SBGRID.ORG
> krb5kdc[1558](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: ISSUE: authtime 1325719595, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at SBGRID.ORG for ldap/sbgrid-directory.in.hwlab at SBGRID.ORG
>
> messages:
>
> passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
> passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
> passwd: pam_sss(passwd:chauthtok): Password change failed for user ian: 20 (Authentication token manipulation error)
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-users
mailing list