[Freeipa-users] Mountain Lion GUI Login

Davis Goodman davis.goodman at digital-district.ca
Wed Aug 7 21:33:55 UTC 2013


This is basically the log when I attempt to change the password:

Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:fromRect:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug  7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context values set for testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Created principal: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done krb5_parse_name()
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got principal: testuser2 at DD.NET
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got password
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done getpwnam()
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get forwardable TGT.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: krb5_sendto_context is called on main thread, its a blocking api
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get non-forwardable TGT.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 error
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup3
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 refuses you
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires updating.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to authenticate user <testuser2> (error: 10).
Aug  7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App SecurityAgent cannot order in untagged windows before login.
Aug  7 16:59:43 mactestvm.mtl.dd.net SecurityAgent[271]: CGSOrderWindowList

Does this ring a bell?


-- 


Davis Goodman
Directeur Informatique  |  IT Manager

5605 Avenue de Gaspé, Suite 408  |  Montréal, QC H2T 2A4 
Tél: +1 (514) 360-3253 x104            Cell: +1 (514) 994-7360 





On 2013-08-07, at 15:41 , Dmitri Pal <dpal at redhat.com> wrote:

> On 08/07/2013 10:27 AM, Davis Goodman wrote:
>> When I mention GUI, I'm talking about the Mac OSX login screen, not through a browser.
>> 
>> 
>> 
>> 
>> On 2013-08-07, at 10:07 , Rob Crittenden <rcritten at redhat.com> wrote:
>> 
>>> Davis Goodman wrote:
>>>> Hi Brian, Lynn,
>>>> 
>>>> As far as the Linux client, this is not my issue for now. I believe the Linux setup is quite straightforward and the password change at first login seems to work without an issue.
>>>> 
>>>> My main concern is on Mountain Lion 10.8.x,
>>>> 
>>>> At this point I've managed to bind the OSX machine to the IPA server without any issue following this guide:
>>>> 
>>>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>>> 
>>>> I also have all the automounts configured via LDAP using this: https://ssl.apple.com/business/docs/Autofs.pdf on page 16.
>>>> 
>>>> My main issue right now seems to be at the GUI login. The applet shows up for password change but doesn't seem to do anything. When I press continue the applet comes back and this goes in a loop until I hit "Cancel".
>>>> 
>>>> My IPA versions are as follows:
>>>> ipa-admintools.x86_64                    3.0.0-26.el6_4.4
>>>> ipa-client.x86_64                        3.0.0-26.el6_4.4
>>>> ipa-gothic-fonts.noarch                  003.02-4.2.el6
>>>> ipa-mincho-fonts.noarch                  003.02-3.1.el6
>>>> ipa-pgothic-fonts.noarch                 003.02-4.1.el6
>>>> ipa-pmincho-fonts.noarch                 003.02-3.1.el6
>>>> ipa-python.x86_64                        3.0.0-26.el6_4.4
>>>> ipa-server.x86_64                        3.0.0-26.el6_4.4
>>>> ipa-server-selinux.x86_64                3.0.0-26.el6_4.4
>>>> ipa-server-trust-ad.x86_64               3.0.0-26.el6_4.4
>>>> 
>>>> As mentioned in my first post, if I make the password change at the terminal prompt, I am then able to login without a password change prompt.
>>>> 
>>>> Not sure if I'll be able to go through this issue unless someone has already experienced this.
>>>> 
>>>> Davis
>>> 
>>> What browser are you using?
>>> 
>>> Have you tried the GUI with a new user from a Linux client?
>>> 
>>> I'm thinking this is a browser issue rather than something with OSX as the majority of the work is done on the server.
>>> 
>>> rob
>>> 
>> 
>> 
>> 
> 
> Not an expert on OSX.
> I wonder whether the UI prompt supports the password change workflow. Maybe it does but needs to be explicitly enabled?
> There should be some logs on the OSX that would indicate what is going on when the server responds with the password change prompt.
> I would suggest starting troubleshooting efforts there.
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
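
A small triage script for the log at the top of this message, as an added example that is not part of the original thread: it groups the PAM module messages by entry point and pulls out the expired-password reports and the final failure line. The sample input is a subset of the posted lines; that a password-change attempt would log under pam_sm_chauthtok is an assumption, so its absence only describes what was captured.

```python
import re

# Constructed sample: a subset of the syslog lines posted in the message above.
SAMPLE_LOG = """\
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires updating.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to authenticate user <testuser2> (error: 10).
Aug  7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App SecurityAgent cannot order in untagged windows before login.
"""

# timestamp, host, process[pid], optional "in pam_sm_xxx(): " prefix, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?:in (?P<func>pam_sm_\w+)\(\): )?(?P<msg>.*)$")
EXPIRED_RE = re.compile(r"password (has )?expired|authtok is expired", re.I)
FAILED_RE = re.compile(r"Failed to authenticate user <([^>]+)> \(error: (\d+)\)")


def parse(log_text):
    """Yield one dict per line that matches the syslog layout shown in the post."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(log_text):
    """Group PAM messages by entry point and report how the attempt ended."""
    stages = {}            # PAM entry point -> messages, in first-seen order
    expired, failure = [], None
    for rec in parse(log_text):
        if rec["func"]:
            stages.setdefault(rec["func"], []).append(rec["msg"])
        if EXPIRED_RE.search(rec["msg"]):
            expired.append((rec["func"], rec["msg"]))
        f = FAILED_RE.search(rec["msg"])
        if f:
            failure = {"user": f.group(1), "error": int(f.group(2))}
    return {
        "entry_points": list(stages),
        "expired_reports": expired,
        "failure": failure,
        # Assumption: a password-change attempt would log under this entry point.
        "chauthtok_seen": "pam_sm_chauthtok" in stages,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```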




