[Freeipa-users] Strange issue regarding password change

Eivind Olsen eivind at aminor.no
Fri Sep 28 12:08:28 UTC 2012


I've noticed an issue here. It's most likely something I've managed to do
the wrong way, or something really obvious I'm missing, but at the moment
I can't see what it is (otherwise I'd fix it instead of asking for help
here :))

I have a setup with some RHEL 6.3 boxes, using the IPA bundled with that
OS (ipa-client-2.2.0-16, and same version of the ipa-server as well).

When I create new users, I assign them a password, and they're required to
change their password at the first login. My problem is that I can only
get this password change to work when I ssh to the KDC/IPA server - it
fails if I ssh to one of the clients instead. After I have changed the
password on the KDC, I can ssh to the clients.

Here's an example of what it looks like when I ssh from a laptop that's
not part of the kerberos realm, to one of the clients:

[eio at lappy ~]$ ssh eolsen at libresse.domainname
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Failed decrypting request
Password:
Password expired. Change your password now.
Current Password:
Password:
Permission denied
(publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
[eio at lappy ~]$

In the /var/log/messages on the server "libresse", I see:

Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed

Here's what it looks like when I ssh to the KDC instead:

[eio at lappy ~]$ ssh eolsen at kdc.domainname
eolsen at kdc.domainname's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user eolsen.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to kdc.domainname closed.
[eio at lappy ~]$

...and I can now ssh to all the servers just fine:
[eio at lappy ~]$ ssh eolsen at libresse.domainname
Password:
Last login: Fri Sep 28 11:12:28 2012 from ....
Welcome to libresse.domainname (RedHat 6.3 x86_64).

[eolsen at libresse ~]$

Some additional information:
lappy and libresse are using RFC1918 addresses, and don't have proper
reverse DNS. kdc is using official IP address with proper reverse DNS.

Is anyone able to see what I've done wrong here, or have suggestions on
where I should be digging deeper?

Regards
Eivind Olsen
eivind at aminor.no
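As an added example (not part of the original thread), a small Python script that parses the sssd krb5_child lines quoted above from /var/log/messages and, per client host, counts the krb5_child processes that ended in "Decrypt integrity check failed" after the password-expired prompt, so an admin can spot client-side password-change failures of this kind. The sample log is constructed from the lines in the post; the message strings and the regex are assumptions about the syslog format shown there.

```python
"""Correlate sssd krb5_child messages from /var/log/messages."""
import re
from collections import defaultdict

# Constructed sample: the krb5_child lines quoted in the post, unwrapped.
SAMPLE_LOG = """\
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed
"""

EXPIRED = "Password has expired"
DECRYPT_FAILED = "Decrypt integrity check failed"

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> [sssd[krb5_child[<pid>]]]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]: (?P<msg>.*)$"
)


def parse_krb5_child(text):
    """Yield (timestamp, host, pid, message) for every krb5_child line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("host"), int(m.group("pid")), m.group("msg")


def summarize(text):
    """Group messages by krb5_child PID and classify each child process."""
    by_pid = defaultdict(list)
    hosts = set()
    for _ts, host, pid, msg in parse_krb5_child(text):
        by_pid[pid].append(msg)
        hosts.add(host)
    return {
        "expired_pids": sorted(p for p, m in by_pid.items() if EXPIRED in m),
        "decrypt_failed_pids": sorted(p for p, m in by_pid.items() if DECRYPT_FAILED in m),
        "hosts": sorted(hosts),
    }


def failed_changes_per_host(text):
    """Count distinct krb5_child PIDs per host that hit DECRYPT_FAILED."""
    seen, counts = set(), defaultdict(int)
    for _ts, host, pid, msg in parse_krb5_child(text):
        if msg == DECRYPT_FAILED and (host, pid) not in seen:
            seen.add((host, pid))
            counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(failed_changes_per_host(SAMPLE_LOG))
```

On the sample, PIDs 14837 and 14845 are the two failed attempts on libresse, matching the two "Failed decrypting request" prompts in the quoted ssh session.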