[Freeipa-users] Users Cannot Reset Expired Passwords Without Password Being Reset First in WebUI

Dmitri Pal dpal at redhat.com
Thu Jan 3 00:07:21 UTC 2013


On 01/02/2013 05:47 PM, Chris Natter wrote:
> Hello,
>
> My users are running into a bit of a problem with password expiry and
> the reset prompts.
>
> When they attempt to reset their password they end up receiving access
> denied messages after going through the prompts to reset their password
> and entering their new desired passwords.
>
> The interesting thing is that if I reset the password via the Web UI to anything,
> and then have the user try again with the new password, they are able to 
> successfully reset their password with no issues.
>
> Log snippets are below, I've sanitized them so the user in question is 'juser'.
>
> Any help or guidance would be very appreciated. Thank you!
>
> sshd[26945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.1.108  user=juser
> sshd[26945]: pam_sss(sshd:auth): system info: [Password has expired]
> sshd[26945]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.1.108 user=juser
> sshd[26945]: pam_sss(sshd:auth): received for user juser: 12 (Authentication token is no longer valid; new one required)
> sshd[26945]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
> sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in /etc/passwd
> sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in /etc/passwd
> sshd[26945]: pam_sss(sshd:chauthtok): system info: [Generic error (see e-text)]
> sshd[26945]: pam_sss(sshd:chauthtok): User info message: Password change failed. Server message: Password change rejected
> sshd[26945]: pam_sss(sshd:chauthtok): Password change failed for user juser: 20 (Authentication token manipulation error)
> sshd[26977]: pam_unix(sshd:auth): conversation failed
> sshd[26977]: pam_unix(sshd:auth): auth could not identify password for [juser]
> sshd[26977]: pam_sss(sshd:auth): system info: [Cannot read password]
> sshd[26977]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.22.1.108 user=juser
> sshd[26977]: pam_sss(sshd:auth): received for user juser: 4 (System error)
> sshd[26977]: error: ssh_msg_send: write
>
> [[sssd[krb5_child[26452]]]] [validate_tgt] (5): TGT verified using key for [host/devbox3.lnx.foo.local at LNX.FOO.LOCAL].
> [[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> [[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> [[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (5): krb5_get_init_creds_opt_set_expire_callback not available.
> [[sssd[krb5_child[26949]]]] [get_and_save_tgt] (1): 721: [-1765328361][Password has expired]
> [[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (5): krb5_get_init_creds_opt_set_expire_callback not available.
> [[sssd[krb5_child[26949]]]] [tgt_req_child] (1): 980: [-1765328361][Password has expired]
> [[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> [[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> [[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> [[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> [[sssd[krb5_child[26976]]]] [changepw_child] (1): krb5_change_password failed [4][Password change rejected].
>
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: CLIENT KEY EXPIRED: juser at LNX.FOO.LOCAL for krbtgt/LNX.FOO.LOCAL at LNX.FOO.LOCAL, Password has expired
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL, Additional pre-authentication required
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163914, etypes {rep=18 tkt=18 ses=18}, juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL, Additional pre-authentication required
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163921, etypes {rep=18 tkt=18 ses=18}, juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL, Additional pre-authentication required
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163949, etypes {rep=18 tkt=18 ses=18}, juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: CLIENT KEY EXPIRED: juser at LNX.FOO.LOCAL for krbtgt/LNX.FOO.LOCAL at LNX.FOO.LOCAL, Password has expired
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL, Additional pre-authentication required

What version are we talking about?
Look at the KDC side logs they might shed some light.
Do you have any special password policies configured (length,
complexity, did it change)?
Does it happen for all users or just a subset?





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
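The three log sources in the report (sshd/PAM, the SSSD krb5_child, and the KDC) each show one piece of the same failure, and reading them side by side is what turns "access denied" into a diagnosis: the KDC issues a ticket for kadmin/changepw, so the old password is still accepted, yet the change itself comes back "Password change rejected". The script below is an added example written for this thread, not code from the thread or from FreeIPA/SSSD. It correlates the sanitized lines quoted above (copied here as constructed sample input; the list archive rewrote `@` as ` at `, and the patterns follow that form) and reports which stage failed, together with the follow-up checks Dmitri's reply asks for. The pattern names, verdict strings and hint texts are my own choices, not identifiers from any of the projects involved.

```python
"""Triage helper for an expired-password change failure seen across
sshd/PAM, SSSD krb5_child and KDC logs (added example, not from the thread)."""
import json
import re
from collections import Counter

# Constructed sample input: the sanitized lines quoted in the thread.
# The list archive replaced '@' with ' at ', so principals read 'juser at REALM'.
SSHD_LOG = """\
sshd[26945]: pam_sss(sshd:auth): system info: [Password has expired]
sshd[26945]: pam_sss(sshd:auth): received for user juser: 12 (Authentication token is no longer valid; new one required)
sshd[26945]: pam_sss(sshd:chauthtok): User info message: Password change failed. Server message: Password change rejected
sshd[26945]: pam_sss(sshd:chauthtok): Password change failed for user juser: 20 (Authentication token manipulation error)
"""
SSSD_LOG = """\
[[sssd[krb5_child[26949]]]] [get_and_save_tgt] (1): 721: [-1765328361][Password has expired]
[[sssd[krb5_child[26976]]]] [changepw_child] (1): krb5_change_password failed [4][Password change rejected].
"""
KDC_LOG = """\
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: CLIENT KEY EXPIRED: juser at LNX.FOO.LOCAL for krbtgt/LNX.FOO.LOCAL at LNX.FOO.LOCAL, Password has expired
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL, Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163914, etypes {rep=18 tkt=18 ses=18}, juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL
"""

# Pattern names below are this example's own labels, not SSSD/MIT krb5 identifiers.
PATTERNS = {
    "pam_expired": re.compile(r"pam_sss\(sshd:auth\): system info: \[Password has expired\]"),
    "pam_change_failed": re.compile(
        r"pam_sss\(sshd:chauthtok\): Password change failed for user (?P<user>\S+): (?P<code>\d+)"),
    "pam_server_msg": re.compile(r"Server message: (?P<msg>.+)$"),
    "sssd_change_failed": re.compile(
        r"\[changepw_child\].*krb5_change_password failed \[(?P<code>\d+)\]\[(?P<msg>[^\]]+)\]"),
    "kdc_key_expired": re.compile(r"CLIENT KEY EXPIRED: (?P<user>\S+) at (?P<realm>\S+) for krbtgt/"),
    "kdc_changepw_issued": re.compile(
        r"ISSUE: authtime (?P<authtime>\d+), etypes \{[^}]*\}, (?P<user>\S+) at (?P<realm>\S+) for kadmin/changepw"),
}

# Follow-up checks, taken from the questions in the reply above.
HINTS = {
    "kdc-accepted-old-password-change-rejected": [
        "KDC issued a kadmin/changepw ticket, so the old password was accepted; the new one was refused.",
        "Review the password policy that applies to this user (length, complexity, recent changes).",
        "Check whether all users or only a subset are affected.",
        "Read the KDC-side logs for the change request itself.",
    ],
    "change-rejected-no-changepw-ticket": [
        "No kadmin/changepw ticket was issued; check KDC logs for the AS_REQ for kadmin/changepw."],
    "expired-no-change-attempted": ["Password is expired but no change was attempted from this host."],
    "no-expiry-related-failure": [],
}


def scan(log):
    """Return (pattern name, match) for every sample line a pattern recognises."""
    hits = []
    for line in log.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                hits.append((key, m))
    return hits


def triage(sshd_log, sssd_log, kdc_log):
    """Correlate the three sources and classify where the expired-password flow broke."""
    hits = scan(sshd_log) + scan(sssd_log) + scan(kdc_log)
    counts = Counter(key for key, _ in hits)
    users = sorted({m.group("user") for _, m in hits if m.groupdict().get("user")})
    server_msgs = sorted({m.group("msg") for key, m in hits
                          if key in ("pam_server_msg", "sssd_change_failed")})
    expired = counts["pam_expired"] + counts["kdc_key_expired"] > 0
    changepw_tickets = counts["kdc_changepw_issued"]
    rejected = counts["pam_change_failed"] + counts["sssd_change_failed"] > 0
    if expired and changepw_tickets and rejected:
        verdict = "kdc-accepted-old-password-change-rejected"
    elif expired and rejected:
        verdict = "change-rejected-no-changepw-ticket"
    elif expired:
        verdict = "expired-no-change-attempted"
    else:
        verdict = "no-expiry-related-failure"
    return {
        "users": users,
        "expired": expired,
        "changepw_tickets": changepw_tickets,
        "change_rejected": rejected,
        "server_messages": server_msgs,
        "verdict": verdict,
        "next_checks": HINTS[verdict],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SSHD_LOG, SSSD_LOG, KDC_LOG), indent=2))
```

On real hosts the three inputs would be the sshd entries from the system journal, the krb5_child log under SSSD's log directory, and the KDC log on the IPA server; the correlation key here is simply the user name, which is enough for a single reproduced failure but would need a time window for a busy server.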