[Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
Rob Crittenden
rcritten at redhat.com
Mon Mar 11 13:38:26 UTC 2013
Tim Hildred wrote:
> It definately wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line, there was a connection error. The upgrade meant my IPA server was straight borked. The solution? Revert to a previous snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).
>
> And I learned a valuable lesson: if it ain't broke, don't upgrade.
Sorry that you had problems with the upgrade. We'd be happy to work with
you to try to figure out where things went sideways. Others would likely
benefit from this work too.
rob
>
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thildred at redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
>
> ----- Original Message -----
>> From: "Dmitri Pal" <dpal at redhat.com>
>> To: freeipa-users at redhat.com
>> Sent: Saturday, March 9, 2013 5:19:51 AM
>> Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
>>
>>
>> On 03/07/2013 11:47 PM, Tim Hildred wrote:
>>
>> Hello,
>>
>> I have been using IPA for authentication with a RHEV environment.
>>
>> Quite a while ago, I got help from this list in making it so that my
>> users could access the WebUI with their login and passwords, no
>> Kerberos ticket required. I also had it working that when their
>> passwords expired, they would ssh to the IPA server as themselves,
>> get challenged for their current password, and then the opportunity
>> to provide a new one.
>>
>> The update to ipa-server 3.0.0-25.el6 means that I can no longer log
>> into the WebUI with just a login and password (see attached
>> screenshot) and that users who try and update expired passwords get:
>>
>> You must change your password now and login again!
>> Changing password for user juwu.
>> Current Password:
>> New password:
>> Retype new password:
>> Password change failed. Server message: Password not changed.
>> It seems that password might have not matched the server policy.
>> Have you tried different users and different passwords?
>>
>> What does kerberos log on the server show? It will give you some hint
>> about the reason why the password was rejected.
>> It might be that the password you are trying to use already in the
>> history of passwords. AFAIR there was a bug that we did not handle
>> history of passwords properly in some cases. Now as it is fixed you
>> might see a proper policy enforcement.
>>
>>
>>
>> Insufficient access to perform requested operation while trying to
>> change password.
>> passwd: Authentication token manipulation error
>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>
>> Can anyone help me restore that functionality? Please?
>>
>> Tim Hildred, RHCE
>> Content Author II - Engineering Content Services, Red Hat, Inc.
>> Brisbane, Australia
>> Email: thildred at redhat.com Internal: 8588287
>> Mobile: +61 4 666 25242
>> IRC: thildred
>>
>> _______________________________________________
>> Freeipa-users mailing list Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
More information about the Freeipa-users
mailing list