[Freeipa-users] Strange issue regarding password change

Sumit Bose sbose at redhat.com
Fri Sep 28 14:43:14 UTC 2012


On Fri, Sep 28, 2012 at 03:59:59PM +0200, Eivind Olsen wrote:
> 
> I wrote:
> ...
> > In the /var/log/messages on the server "libresse", I see:
> >
> > Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
> > Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
> > Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
> > Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
> > Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity
> > check failed
> > Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
> > Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity
> > check failed
> 
> During the same time, this is what I see in /var/log/secure:
> 
> Sep 28 10:39:15 libresse sshd[14819]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=host8560.domain.internal  user=eolsen
> Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): system info:
> [Password has expired]
> Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=host8560.domain.internal user=eolsen
> Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): received for
> user eolsen: 12 (Authentication token is no longer valid; new one
> required)
> Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:account): User info
> message: Password expired. Change your password now.
> Sep 28 10:39:15 libresse sshd[14819]: pam_unix(sshd:chauthtok): user
> "eolsen" does not exist in /etc/passwd
> Sep 28 10:39:28 libresse sshd[14819]: pam_unix(sshd:chauthtok): user
> "eolsen" does not exist in /etc/passwd
> Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): system
> info: [Generic error (see e-text)]
> Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): User info
> message: Password change failed. Server message: Failed decrypting request
> Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): Password
> change failed for user eolsen: 20 (Authentication token manipulation
> error)

Hmm, any chance there is a firewall doing NAT between the client and the
KDC? Kerberos password changes do not work reliably over NAT. AFAIK
there is some work in progress to make it possible, but for the time
being it will not work.

HTH

bye,
Sumit

> Sep 28 10:39:48 libresse sshd[14824]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=host8560.domain.internal  user=eolsen
> Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): system info:
> [Password has expired]
> Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=host8560.domain.internal user=eolsen
> Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): received for
> user eolsen: 12 (Authentication token is no longer valid; new one
> required)
> Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:account): User info
> message: Password expired. Change your password now.
> Sep 28 10:39:48 libresse sshd[14824]: pam_unix(sshd:chauthtok): user
> "eolsen" does not exist in /etc/passwd
> Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): system
> info: [Decrypt integrity check failed]
> Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok):
> Authentication failed for user eolsen: 4 (System error)
> Sep 28 10:39:58 libresse sshd[14810]: error: PAM: Authentication token
> manipulation error for eolsen from host8560.domain.internal
> Sep 28 10:40:01 libresse sshd[14838]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=host8560.domain.internal  user=eolsen
> Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): system info:
> [Decrypt integrity check failed]
> Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=host8560.domain.internal user=eolsen
> Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): received for
> user eolsen: 4 (System error)
> Sep 28 10:40:03 libresse sshd[14810]: error: PAM: Authentication failure
> for eolsen from host8560.domain.internal
> Sep 28 10:40:03 libresse sshd[14811]: Connection closed by 10.83.70.15
> 
> Regards
> Eivind Olsen
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
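
Log triage for the pattern in this thread, added here as an example and not part of either poster's message: it groups pam_sss records by sshd PID and singles out login attempts where an expired password was followed by a password change the server answered with "Failed decrypting request", which are the attempts worth checking for NAT between client and KDC. The sample lines are constructed from the quoted /var/log/secure excerpt (unwrapped to one record per line), and the verdict labels and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: records modelled on the quoted excerpt, one per line.
SAMPLE = """\
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 28 10:39:15 libresse sshd[14819]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): User info message: Password change failed. Server message: Failed decrypting request
Sep 28 10:39:28 libresse sshd[14819]: pam_sss(sshd:chauthtok): Password change failed for user eolsen: 20 (Authentication token manipulation error)
Sep 28 10:39:48 libresse sshd[14824]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): system info: [Decrypt integrity check failed]
Sep 28 10:39:58 libresse sshd[14824]: pam_sss(sshd:chauthtok): Authentication failed for user eolsen: 4 (System error)
Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): system info: [Decrypt integrity check failed]
Sep 28 10:40:01 libresse sshd[14838]: pam_sss(sshd:auth): received for user eolsen: 4 (System error)
"""

# syslog prefix, sshd PID, PAM phase (auth/account/chauthtok), message text
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ sshd\[(\d+)\]: pam_sss\(sshd:(\w+)\): (.*)$")
REJECTED = "Failed decrypting request"        # server reply to the change request
INTEGRITY = "Decrypt integrity check failed"  # Kerberos decrypt/integrity error


def triage(text):
    """Group pam_sss records by sshd PID and label each login attempt."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        hit = LINE.match(line)
        if hit:  # wrapped or non-pam_sss lines are skipped
            pid, phase, msg = hit.groups()
            sessions[int(pid)].append((phase, msg))
    verdicts = {}
    for pid, events in sessions.items():
        expired = any("expired" in msg for _, msg in events)
        change = [msg for phase, msg in events if phase == "chauthtok"]
        if expired and any(REJECTED in msg for msg in change):
            verdicts[pid] = "change-rejected-by-server"
        elif expired and any(INTEGRITY in msg for msg in change):
            verdicts[pid] = "change-integrity-failure"
        elif any(INTEGRITY in msg for _, msg in events):
            verdicts[pid] = "auth-integrity-failure"
        else:
            verdicts[pid] = "other"
    return verdicts


def nat_suspects(text):
    """PIDs of attempts where the server refused the password change."""
    return sorted(p for p, v in triage(text).items() if v == "change-rejected-by-server")


if __name__ == "__main__":
    for pid, verdict in sorted(triage(SAMPLE).items()):
        print(pid, verdict)
```

Real syslog files keep each record on one line; the excerpt in the e-mail is wrapped by the mail client, so wrapped continuation lines would need rejoining before this is run on pasted text.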



