[Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

Tim Hildred thildred at redhat.com
Mon Mar 11 05:21:26 UTC 2013


It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line, there was a connection error. The upgrade meant my IPA server was straight borked. The solution? Revert to a previous snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).

And I learned a valuable lesson: if it ain't broke, don't upgrade. 

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thildred at redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
> From: "Dmitri Pal" <dpal at redhat.com>
> To: freeipa-users at redhat.com
> Sent: Saturday, March 9, 2013 5:19:51 AM
> Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
> 
> 
> On 03/07/2013 11:47 PM, Tim Hildred wrote:
> 
> Hello,
> 
> I have been using IPA for authentication with a RHEV environment.
> 
> Quite a while ago, I got help from this list in making it so that my
> users could access the WebUI with their login and passwords, no
> Kerberos ticket required. I also had it working that when their
> passwords expired, they would ssh to the IPA server as themselves,
> get challenged for their current password, and then the opportunity
> to provide a new one.
> 
> The update to ipa-server 3.0.0-25.el6 means that I can no longer log
> into the WebUI with just a login and password (see attached
> screenshot) and that users who try and update expired passwords get:
> 
>  You must change your password now and login again!
>  Changing password for user juwu.
>  Current Password:
>  New password:
>  Retype new password:
>  Password change failed. Server message: Password not changed.
> 
> It seems that password might not have matched the server policy.
> Have you tried different users and different passwords?
> 
> What does kerberos log on the server show? It will give you some hint
> about the reason why the password was rejected.
> It might be that the password you are trying to use is already in the
> history of passwords. AFAIR there was a bug that we did not handle
> history of passwords properly in some cases. Now as it is fixed you
> might see a proper policy enforcement.
> 
> 
> 
> Insufficient access to perform requested operation while trying to
> change password.
>  passwd: Authentication token manipulation error
>  Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> 
> Can anyone help me restore that functionality? Please?
> 
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thildred at redhat.com Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
> 
> _______________________________________________
> Freeipa-users mailing list Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> --
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 



