[Freeipa-users] Mountain Lion GUI Login (Expired passwords / Mavericks too)

Jason Woods devel at jasonwoods.me.uk
Thu Mar 13 14:08:29 UTC 2014


Hi all,

This has been raised previously, here: https://www.redhat.com/archives/freeipa-users/2013-August/msg00043.html

I'm experiencing the same issue and I will summarise.

Mac OS X (Mavericks in my case, but it was the same before I upgraded it from Mountain Lion.)
Using RHEL 6.5 and ipa packages 3.0.0-37.

Directory Utility is connected to the IPA domain using the RFC2307 templates, slightly modified so that Groups is based on cn=compat,dc=domain and Users on cn=accounts,dc=domain, and so that NFSHomeDirectory and HomeDirectory are set to "#/Users/$uid$". The reason for compat for groups is so that membership works correctly (it needs memberUid format), and the reason for accounts for Users is so that all the main info is available and the regular change password works. Homes are set as such to keep everything local, as I don't want networked home folders.

Logons work great. Groups are all populated fully. Users can go to System Preferences -> Users & Groups -> Change password and change password successfully. Home directories are kept local. Running the createmobileaccount manually allows an account to successfully be marked as mobile so credential cache works, even if the home directories are local (it seems the GUI won't do it properly, maybe because they're already local.) So far, fantastic.

Now, if I create a new user in IPA, it will require a password change on logon.

When I log on on the Mac with this new user, the password box wiggles and a box appears underneath it, "Reset your password", saying I need to set a new password. So I enter a new password and I verify it. Then I click "Reset Password" and it wiggles... no matter how many times I try, it doesn't move on.

The log I get is somewhat smaller, as I've not yet added kerberos to pam.d/authorization (it shouldn't be required for this, since the regular change password works), and possibly because less logging is enabled, but I'm not sure what to modify and how.

12:50:47 SecurityAgent: User info context values set for testuser
12:50:48 authorizationhost: Failed to authenticate user <testuser> (error: 10).

Any thoughts on what the issue may be? An Apple issue maybe, or some incompatibility on the FreeIPA side? Are there any logs from anywhere on the IPA side that might help? I can see no apparent issues in the slapd access log; it seems to return successfully for various attributes and then just stops, and no change comes in for the password - it doesn't even seem to request the global_policy, which it does when using the regular Change password.

Regards,

Jason
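As an added illustration (not part of the original post or of FreeIPA itself) of the two IPA-side conditions the setup above relies on, the script below checks, against constructed LDAP entries, whether a user is in the must-change-password state and whether the compat group carries their memberUid. It assumes the attribute names FreeIPA uses in its tree (krbPasswordExpiration on users under cn=accounts, memberUid on groups under cn=compat); in practice the entries would come from an ldapsearch of the same DNs.

```python
from datetime import datetime, timezone

# Constructed sample entries (not real data), shaped like ldapsearch results.
USER_ENTRY = {
    "dn": "uid=testuser,cn=users,cn=accounts,dc=domain",
    "uid": ["testuser"],
    # IPA sets this to the creation time for a freshly created user, so the
    # password is already expired and must be changed at first logon.
    "krbPasswordExpiration": ["20140313120000Z"],
}
COMPAT_GROUP = {
    "dn": "cn=ipausers,cn=groups,cn=compat,dc=domain",
    # The compat tree exposes RFC2307 membership, which the Mac needs.
    "memberUid": ["testuser", "alice"],
}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in the UTC form IPA writes (YYYYMMDDhhmmssZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_must_change(user, now):
    """True when krbPasswordExpiration is set and not in the future."""
    values = user.get("krbPasswordExpiration", [])
    if not values:
        return False  # no expiration recorded: nothing forces a change
    return parse_generalized_time(values[0]) <= now


def in_compat_group(group, uid):
    """True when the compat group lists the uid in memberUid (what the Mac reads)."""
    return uid in group.get("memberUid", [])


def diagnose(user, group, now_generalized_time):
    """Summarise the account state at a given time (GeneralizedTime string)."""
    now = parse_generalized_time(now_generalized_time)
    uid = user["uid"][0]
    return {
        "uid": uid,
        "must_change_password": password_must_change(user, now),
        "compat_member": in_compat_group(group, uid),
    }


if __name__ == "__main__":
    # Time of the SecurityAgent log line quoted in the post.
    print(diagnose(USER_ENTRY, COMPAT_GROUP, "20140313125047Z"))
```

If must_change_password is True for a user whose GUI reset keeps failing, the password-reset path on the Mac is the place to look, not group lookup.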
