[Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

Sumit Bose sbose at redhat.com
Mon Mar 11 10:12:25 UTC 2013


On Mon, Mar 11, 2013 at 01:21:26AM -0400, Tim Hildred wrote:
> It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line, there was a connection error. The upgrade meant my IPA server was straight borked. The solution? Revert to a previous snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).

Maybe instead of trying to upgrade directly from 2.0 to 3.0 a step in
between like 2.0->2.1->3.0 would be better? To be on the safe side you
might want to include 2.2 as well in the upgrade path.

HTH

bye,
Sumit

> 
> And I learned a valuable lesson: if it ain't broke, don't upgrade. 
> 
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thildred at redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
> 
> ----- Original Message -----
> > From: "Dmitri Pal" <dpal at redhat.com>
> > To: freeipa-users at redhat.com
> > Sent: Saturday, March 9, 2013 5:19:51 AM
> > Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
> > 
> > 
> > On 03/07/2013 11:47 PM, Tim Hildred wrote:
> > 
> > Hello,
> > 
> > I have been using IPA for authentication with a RHEV environment.
> > 
> > Quite a while ago, I got help from this list in making it so that my
> > users could access the WebUI with their login and passwords, no
> > Kerberos ticket required. I also had it working that when their
> > passwords expired, they would ssh to the IPA server as themselves,
> > get challenged for their current password, and then the opportunity
> > to provide a new one.
> > 
> > The update to ipa-server 3.0.0-25.el6 means that I can no longer log
> > into the WebUI with just a login and password (see attached
> > screenshot) and that users who try and update expired passwords get:
> > 
> >  You must change your password now and login again!
> >  Changing password for user juwu.
> >  Current Password:
> >  New password:
> >  Retype new password:
> >  Password change failed. Server message: Password not changed.
> > 
> > It seems that the password might not have matched the server policy.
> > Have you tried different users and different passwords?
> > 
> > What does the Kerberos log on the server show? It will give you some hint
> > about the reason why the password was rejected.
> > It might be that the password you are trying to use is already in the
> > history of passwords. AFAIR there was a bug that we did not handle
> > history of passwords properly in some cases. Now that it is fixed you
> > might see a proper policy enforcement.
> > 
> > 
> > 
> > Insufficient access to perform requested operation while trying to
> > change password.
> >  passwd: Authentication token manipulation error
> >  Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> > 
> > Can anyone help me restore that functionality? Please?
> > 
> > Tim Hildred, RHCE
> > Content Author II - Engineering Content Services, Red Hat, Inc.
> > Brisbane, Australia
> > Email: thildred at redhat.com Internal: 8588287
> > Mobile: +61 4 666 25242
> > IRC: thildred
> > 
> > _______________________________________________
> > Freeipa-users mailing list Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > 
> > --
> > Thank you,
> > Dmitri Pal
> > 
> > Sr. Engineering Manager for IdM portfolio
> > Red Hat Inc.
> > 
> > 
> 