[Freeipa-users] Initial login on RHEL 6 fails
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Mon Jan 9 21:28:55 UTC 2012
On 01/09/2012 11:33 AM, Dmitri Pal wrote:
> On 01/09/2012 02:16 PM, Erinn Looney-Triggs wrote:
>> For a user's very first login attempt via GDM (as in never logged in
>> before and will have to set a new password), the password change will fail
>> and the user will be unable to log in.
>>
>> Now if the user has already set a password the login works fine. I
>> haven't tested after the password expires but I suspect it will be the
>> same as above.
>>
>> The salient errors (I believe) in the logs are the following:
>>
>> Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
>> Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): system info: [Password has expired]
>> Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
>> Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): received for user user_name: 12 (Authentication token is no longer valid; new one required)
>> Jan 9 18:33:35 host.name pam: gdm-password[5056]: pam_sss(gdm-password:account): User info message: Password expired. Change your password now.
>> Jan 9 18:33:35 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
>> Jan 9 18:33:51 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
>> Jan 9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): system info: [Generic error (see e-text)]
>> Jan 9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): User info message: Password change failed. Server message: Failed to decrypt password
>> Jan 9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): Password change failed for user user_name: 20 (Authentication token manipulation error)
>>
>> The KDC logs don't shed a huge amount of light:
>> Jan 09 18:33:34 ipa.server krb5kdc[2379](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: CLIENT KEY EXPIRED: user_name@REALM.COM for krbtgt/REALM.COM@REALM.COM, Password has expired
>> Jan 09 18:33:34 ipa.server krb5kdc[2377](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_name@REALM.COM for kadmin/changepw@REALM.COM, Additional pre-authentication required
>> Jan 09 18:33:34 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134014, etypes {rep=18 tkt=18 ses=18}, user_name@REALM.COM for kadmin/changepw@REALM.COM
>> Jan 09 18:33:39 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_name@REALM.COM for kadmin/changepw@REALM.COM, Additional pre-authentication required
>> Jan 09 18:33:39 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134019, etypes {rep=18 tkt=18 ses=18}, user_name@REALM.COM for kadmin/changepw@REALM.COM
>> Jan 09 18:33:51 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_name@REALM.COM for kadmin/changepw@REALM.COM, Additional pre-authentication required
>>
>> After doing some testing while writing this message it appears that
>> kpasswd and even the sshd login fail as well in the same way.
>>
>> A copy of /etc/pam.d/system-auth for completeness:
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth sufficient pam_fprintd.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_sss.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
>> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session optional pam_oddjob_mkhomedir.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>> session optional pam_motd.so motd=/etc/motd
>>
>> Let me know any thoughts on the matter,
>>
>> -Erinn
>>
>>
>
> Did you create a user and add a password for him?
> ipa user-add ...
> ipa passwd ...
>
> Can you please provide the output of the:
>
> ipa user-show <user> --raw --all
>
> before and after you try?
>
>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
I didn't do it via the CLI, but rather the web UI. Other than that, yes.
For this run I did it via the CLI:
erinn at ipa ~ $ ipa user-add dev-test
First name: Dev
Last name: Test
---------------------
Added user "dev-test"
---------------------
User login: dev-test
First name: Dev
Last name: Test
Full name: Dev Test
Display name: Dev Test
Initials: DT
Home directory: /home/dev-test
GECOS field: Dev Test
Login shell: /bin/bash
Kerberos principal: dev-test@example.COM
UID: 1607600013
GID: 1607600013
Keytab: False
Password: False
erinn at ipa ~ $ ipa passwd dev-test
New Password:
Enter New Password again to verify:
------------------------------------------
Changed password for "dev-test@example.COM"
------------------------------------------
erinn at ipa ~ $ ipa user-show dev-test --raw --all
dn: uid=dev-test,cn=users,cn=accounts,dc=example,dc=com
uid: dev-test
givenname: Dev
sn: Test
cn: Dev Test
displayname: Dev Test
initials: DT
homedirectory: /home/dev-test
gecos: Dev Test
loginshell: /bin/bash
krbprincipalname: dev-test@example.COM
uidnumber: 1607600013
gidnumber: 1607600013
nsaccountlock: False
has_keytab: True
has_password: True
ipauniqueid: 190c6a96-3b07-11e1-8f2b-f04da2090ae0
krbextradata: AAgBAA==
krbextradata: AAIeWQtPcm9vdC9hZG1pbkBBQkFRSVMuQ09NAA==
krblastpwdchange: 20120109211614Z
krbloginfailedcount: 0
krbpasswordexpiration: 20120109211614Z
krbpwdpolicyreference: cn=global_policy,cn=example.COM,cn=kerberos,dc=example,dc=com
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
mepmanagedentry: cn=dev-test,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: ipaobject
objectclass: mepOriginEntry
After the attempt:
dn: uid=dev-test,cn=users,cn=accounts,dc=example,dc=com
uid: dev-test
givenname: Dev
sn: Test
cn: Dev Test
displayname: Dev Test
initials: DT
homedirectory: /home/dev-test
gecos: Dev Test
loginshell: /bin/bash
krbprincipalname: dev-test@example.COM
uidnumber: 1607600013
gidnumber: 1607600013
nsaccountlock: False
has_keytab: True
has_password: True
ipauniqueid: 190c6a96-3b07-11e1-8f2b-f04da2090ae0
krbextradata: AAIeWQtPcm9vdC9hZG1pbkBBQkFRSVMuQ09NAA==
krbextradata: AAgBAA==
krblastpwdchange: 20120109211614Z
krblastsuccessfulauth: 20120109212104Z
krbloginfailedcount: 0
krbpasswordexpiration: 20120109211614Z
krbpwdpolicyreference: cn=global_policy,cn=example.COM,cn=kerberos,dc=example,dc=com
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberof: cn=desktop,cn=groups,cn=accounts,dc=example,dc=com
memberofindirect: ipauniqueid=a212d7e0-3250-11e1-8dcb-f04da2090ae0,cn=hbac,dc=example,dc=com
mepmanagedentry: cn=dev-test,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: ipaobject
objectclass: mepOriginEntry
A couple of additional notes that may be important. First, the system to
which I am attempting to authenticate lives in private IP space, whereas
the IPA server is on a public IP. Second, HBAC is in effect on the host, so
the user must be a member of the desktop group in order to authenticate.
These may not have any bearing, or they may; who knows.
-Erinn
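The PAM lines quoted at the top of the thread are the part a responder will be grepping for, so here is an added example (not code from the thread, SSSD or FreeIPA) that correlates them by PAM service and PID and flags the pattern shown there: pam_sss reports an expired password in the auth phase, and the forced chauthtok then fails with a server message. The sample log is the gdm-password[5056] sequence from the message with the archive's line wraps joined, plus one constructed sshd line so the filter has something to ignore; the regexes and the decision rule are this example's own. The pam_unix "does not exist in /etc/passwd" lines are dropped deliberately: for a user that only exists in SSSD they are expected noise, not part of the failure.

```python
"""Correlate pam_sss records by (service, pid) and flag failed forced password changes.

Added example for the thread above; the log lines below are the quoted
gdm-password[5056] sequence plus one CONSTRUCTED sshd line (other_user).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): system info: [Password has expired]
Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): received for user user_name: 12 (Authentication token is no longer valid; new one required)
Jan 9 18:33:35 host.name pam: gdm-password[5056]: pam_sss(gdm-password:account): User info message: Password expired. Change your password now.
Jan 9 18:33:35 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
Jan 9 18:33:51 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
Jan 9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): system info: [Generic error (see e-text)]
Jan 9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): User info message: Password change failed. Server message: Failed to decrypt password
Jan 9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): Password change failed for user user_name: 20 (Authentication token manipulation error)
Jan 9 18:40:02 host.name pam: sshd[6120]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=other_user
"""

# syslog prefix, "pam: <service>[<pid>]:", then "<module>(<service>:<phase>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pam: "
    r"(?P<service>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<svc>[\w.-]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
# "... for user <name>: <pam rc> (<pam error text>)" as pam_sss writes it
RC_RE = re.compile(r"for user (?P<user>\S+): (?P<rc>\d+) \((?P<text>[^)]*)\)")
SERVER_MSG_RE = re.compile(r"Server message: (?P<text>.+)$")
USER_RE = re.compile(r"\buser=(?P<user>\S+)")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not a PAM line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(log_text):
    """Group pam_sss records by (service, pid); pam_unix chatter for SSSD users is dropped."""
    sessions = defaultdict(lambda: {
        "user": None, "expired": False, "auth_rc": None,
        "chauthtok_rc": None, "server_message": None, "events": [],
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["module"] != "pam_sss":
            continue
        s = sessions[(rec["service"], int(rec["pid"]))]
        msg = rec["msg"]
        s["events"].append((rec["phase"], msg))
        u = USER_RE.search(msg)
        if u:
            s["user"] = u.group("user")
        # auth phase: "[Password has expired]"; account phase: "Password expired. Change ..."
        if "Password has expired" in msg or "Password expired" in msg:
            s["expired"] = True
        rc = RC_RE.search(msg)
        if rc and rec["phase"] in ("auth", "chauthtok"):
            s["user"] = rc.group("user")
            s[rec["phase"] + "_rc"] = int(rc.group("rc"))
        sm = SERVER_MSG_RE.search(msg)
        if sm:
            s["server_message"] = sm.group("text")
    return dict(sessions)


def failed_first_login_changes(log_text):
    """Sessions where SSSD demanded a password change and the change itself failed."""
    return [
        {"service": svc, "pid": pid, "user": s["user"],
         "pam_rc": s["chauthtok_rc"], "server_message": s["server_message"]}
        for (svc, pid), s in sorted(correlate(log_text).items())
        if s["expired"] and s["chauthtok_rc"] not in (None, 0)
    ]


if __name__ == "__main__":
    for hit in failed_first_login_changes(SAMPLE_LOG):
        print(hit)
```

Run against the sample it reports one session, gdm-password PID 5056, user user_name, PAM return code 20 and the server's "Failed to decrypt password" text; the successful sshd login is left alone. The same function can be pointed at /var/log/secure on the RHEL 6 client to confirm whether sshd and kpasswd fail with the same server message, which is the test the message says was done by hand.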
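The two `ipa user-show --raw --all` dumps are the other half of the evidence, and the interesting fields are the Kerberos timestamps. Below is an added example (not FreeIPA code) that parses the raw output and states what the attributes imply: krbpasswordexpiration equal to krblastpwdchange is what the entry looks like right after `ipa passwd`, so the KDC will answer the next AS request with the CLIENT KEY EXPIRED seen in the KDC log; a krblastsuccessfulauth later than the expiration means the KDC did accept the old password for a kadmin/changepw ticket, so the failure is in the change step rather than in authentication. The sample entry is a trimmed copy of the "after the attempt" entry from the message; the attribute reading and the field names of the result are this example's own assumptions.

```python
"""Parse the text of ``ipa user-show <user> --raw --all`` and triage the Kerberos attributes.

Added example for the thread above, not a FreeIPA API.  SAMPLE_ENTRY is a trimmed
copy of the dev-test entry quoted in the message (realm already obfuscated there).
"""
from datetime import datetime, timezone

SAMPLE_ENTRY = """\
dn: uid=dev-test,cn=users,cn=accounts,dc=example,dc=com
uid: dev-test
krbprincipalname: dev-test@example.COM
nsaccountlock: False
has_keytab: True
has_password: True
krblastpwdchange: 20120109211614Z
krblastsuccessfulauth: 20120109212104Z
krbloginfailedcount: 0
krbpasswordexpiration: 20120109211614Z
krbpwdpolicyreference: cn=global_policy,cn=example.COM,cn=kerberos,dc=example,dc=com
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberof: cn=desktop,cn=groups,cn=accounts,dc=example,dc=com
"""


def parse_raw_entry(text):
    """Turn '--raw' output into {attribute: [values]}; attributes such as memberof repeat."""
    entry = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def generalized_time(value):
    """krb* timestamps in the entry are LDAP GeneralizedTime in UTC, e.g. 20120109211614Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def triage(entry, now):
    """Report what the KDC will do with this account at time ``now``."""
    def first(attr):
        return entry.get(attr, [None])[0]

    def stamp(attr):
        value = first(attr)
        return generalized_time(value) if value else None

    expiration = stamp("krbpasswordexpiration")
    last_change = stamp("krblastpwdchange")
    last_auth = stamp("krblastsuccessfulauth")
    return {
        "has_password": first("has_password") == "True",
        "locked": first("nsaccountlock") == "True",
        # expired now: the next AS_REQ for krbtgt gets CLIENT KEY EXPIRED and a forced change
        "change_required": expiration is not None and expiration <= now,
        # expired at the moment it was set: what an admin-set password looks like
        "expired_when_set": (expiration is not None and last_change is not None
                             and expiration <= last_change),
        # KDC accepted the old password after expiry, which it only does for kadmin/changepw
        "authenticated_since_expiry": (expiration is not None and last_auth is not None
                                       and last_auth > expiration),
        "failed_logins": int(first("krbloginfailedcount") or 0),
        "groups": [dn.split(",")[0].partition("=")[2] for dn in entry.get("memberof", [])],
    }


if __name__ == "__main__":
    when = datetime(2012, 1, 9, 21, 28, 55, tzinfo=timezone.utc)  # time of the message
    for key, value in triage(parse_raw_entry(SAMPLE_ENTRY), when).items():
        print(f"{key}: {value}")
```

For the entry above, evaluated at the time the message was sent, this yields change_required and expired_when_set both true, authenticated_since_expiry true, the account unlocked with a password set, and membership in ipausers and desktop, which is the group the HBAC rule on the host requires. The "before" entry from the message has no krblastsuccessfulauth, so authenticated_since_expiry is false there.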