[Freeipa-users] Initial login on RHEL 6 fails

Dmitri Pal dpal at redhat.com
Mon Jan 9 20:33:30 UTC 2012


On 01/09/2012 02:16 PM, Erinn Looney-Triggs wrote:
> For a users very first, (as in never logged in before and will have to
> set new password), login attempt via GDM, the password change will fail
> and the user will be unable to log in.
>
> Now if the user has already set a password the login works fine. I
> haven't tested after the password expires but I suspect it will be the
> same as above.
>
> The salient errors (I believe) in the logs are the following:
>
> Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
> Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): system info: [Password has expired]
> Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
> Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): received for user user_name: 12 (Authentication token is no longer valid; new one required)
> Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_sss(gdm-password:account): User info message: Password expired. Change your password now.
> Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
> Jan  9 18:33:51 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
> Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): system info: [Generic error (see e-text)]
> Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): User info message: Password change failed. Server message: Failed to decrypt password
> Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): Password change failed for user user_name: 20 (Authentication token manipulation error)
>
> The KDC logs don't shed a huge amount of light:
> Jan 09 18:33:34 ipa.server krb5kdc[2379](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: CLIENT KEY EXPIRED: user_name at REALM.COM for krbtgt/REALM.COM at REALM.COM, Password has expired
> Jan 09 18:33:34 ipa.server krb5kdc[2377](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_name at REALM.COM for kadmin/changepw@REALM.COM, Additional pre-authentication required
> Jan 09 18:33:34 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134014, etypes {rep=18 tkt=18 ses=18}, user_name at REALM.COM for kadmin/changepw at REALM.COM
> Jan 09 18:33:39 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_name at REALM.COM for kadmin/changepw@REALM.COM, Additional pre-authentication required
> Jan 09 18:33:39 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134019, etypes {rep=18 tkt=18 ses=18}, user_name at REALM.COM for kadmin/changepw at REALM.COM
> Jan 09 18:33:51 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_name at REALM.COM for kadmin/changepw@REALM.COM, Additional pre-authentication required
>
> After doing some testing while writing this message it appears that
> kpasswd and even the sshd login fail as well in the same way.
>
> A copy of /etc/pam.d/system-auth for completeness:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_fprintd.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> session     optional      pam_motd.so motd=/etc/motd
>
> Let me know any thoughts on the matter,
>
> -Erinn
>
>

Did you create a user and add a password for him?
ipa user-add ...
ipa passwd ...

Can you please provide the output of:

ipa user-show <user> --raw --all

before and after you try?




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
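An added triage helper, not part of this thread and not code from the FreeIPA or SSSD projects: it parses the /var/log/secure lines Erinn quoted, groups them by PAM service and PID, and reports whether each login conversation hit the expired-password path and how the forced change ended. The sample input is the quoted PAM log re-joined onto one line per entry; the regular expressions, field names and verdict strings are my own and assume the standard `module(service:stage): message` format that Linux-PAM modules log through syslog.

```python
import json
import re
from collections import defaultdict

# Constructed sample input: the PAM lines quoted in the thread, re-joined
# onto one line each (the mailer had wrapped them mid-word).
SAMPLE_LOG = """\
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): system info: [Password has expired]
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): received for user user_name: 12 (Authentication token is no longer valid; new one required)
Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_sss(gdm-password:account): User info message: Password expired. Change your password now.
Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
Jan  9 18:33:51 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): system info: [Generic error (see e-text)]
Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): User info message: Password change failed. Server message: Failed to decrypt password
Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): Password change failed for user user_name: 20 (Authentication token manipulation error)
"""

# One syslog line written by a PAM module (assumed layout):
#   <timestamp> <host> pam: <service>[<pid>]: <module>(<service>:<stage>): <message>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pam: "
    r"(?P<service>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<svc>[\w.-]+):"
    r"(?P<stage>auth|account|password|session|chauthtok)\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"(?:user=|for user )([^\s:]+)")
SERVER_MSG_RE = re.compile(r"Server message: (.*)$")


def parse_pam_lines(text):
    """Return one dict per line matching LINE_RE; non-PAM lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"])
            events.append(ev)
    return events


def summarize_sessions(events):
    """Group events by (service, pid) and decide what happened to each login."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[(ev["service"], ev["pid"])].append(ev)

    summary = {}
    for key, evs in by_session.items():
        user = next((m.group(1) for m in (USER_RE.search(e["msg"]) for e in evs) if m), None)
        expired = any(e["module"] == "pam_sss" and e["stage"] == "auth"
                      and "Password has expired" in e["msg"] for e in evs)
        change_attempted = any(e["stage"] == "chauthtok" for e in evs)
        change_failed = any(e["module"] == "pam_sss" and e["stage"] == "chauthtok"
                            and "Password change failed" in e["msg"] for e in evs)
        server_msg = next((m.group(1) for m in (SERVER_MSG_RE.search(e["msg"]) for e in evs) if m), None)
        # pam_unix reporting that the user is not in /etc/passwd is expected for
        # an SSSD/IPA user: pam_unix runs first in the stack and simply has no entry.
        unix_noise = sum(1 for e in evs if e["module"] == "pam_unix"
                         and "does not exist in /etc/passwd" in e["msg"])

        if expired and change_failed:
            verdict = "expired password; forced change through pam_sss failed"
        elif expired and change_attempted:
            verdict = "expired password; change attempted, no failure logged"
        elif expired:
            verdict = "expired password; no change attempted"
        else:
            verdict = "no expiry condition seen"

        summary[key] = {
            "user": user,
            "expired": expired,
            "change_attempted": change_attempted,
            "change_failed": change_failed,
            "server_message": server_msg,
            "unix_noise": unix_noise,
            "verdict": verdict,
        }
    return summary


if __name__ == "__main__":
    result = summarize_sessions(parse_pam_lines(SAMPLE_LOG))
    print(json.dumps({f"{svc}[{pid}]": v for (svc, pid), v in result.items()}, indent=2))
```

On a real host, feed the contents of /var/log/secure in place of SAMPLE_LOG. The useful part for triage is the separation of the three signals the quoted log contains: the pam_sss auth-stage expiry (which the KDC confirms with its CLIENT KEY EXPIRED line), the benign pam_unix "does not exist in /etc/passwd" noise, and the server message carried by pam_sss at the chauthtok stage, which is the only line that says why the change itself failed.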






