[Freeipa-users] freeipa authentication token manipulation error

Dmitri Pal dpal at redhat.com
Mon Jan 12 19:35:24 UTC 2015


On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:
> This is the full log,
>
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User 
> info message: Password expired. Change your password now.
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for 
> hq-testuser from 10.5.68.184 port 54048 ssh2
> Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session 
> opened for user hq-testuser by (uid=0)
> Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user 
> "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user 
> "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password 
> change failed for user hq-testuser: 22 (Authentication token lock busy)
> Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 
> 10.5.68.184: 11: disconnected by user
> Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session 
> closed for user hq-testuser
>
>
> >> Does it happen for all users or only users that you migrated?
> Yes, it happens for all; the new user (hq-testuser) is a fresh one 
> that I created.
>
> I found a workaround for this: users are able to successfully change 
> the password by connecting to the IPA master server.
> So, it's only the IPA clients that have the issue.

Does it work for the same user from the client if you reset password on 
the server, authenticate from the client and then force reset again on 
the server?

Can you add a new client and see whether it works there?
Have you tried re-installing the client?

>
>
> Thanks,
> Rakesh
>
> On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>     On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
>     > under /var/log/secure.. have this error
>     > passwd: pam_sss(passwd:chauthtok): Password change failed for user
>     > hq-testuser: 22 (Authentication token lock busy)
>
>     It looks like the log was truncated, can you post more context?
>
>     Authentication token lock busy usually means the kadmin servers were
>     offline.
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
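
A triage sketch for the /var/log/secure excerpt quoted in this message, added here as an example and not part of the original thread or of FreeIPA/SSSD code: it pulls out pam_sss chauthtok failures per host and user, with the earlier pam_unix and password-expiry lines as context, so the same check can be run across several clients. The function names and regular expressions are assumptions fitted to the log lines shown above.

```python
import re
from collections import Counter

# The log lines quoted in the message above, with the mail line-wrapping undone.
SAMPLE_LOG = """\
Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser from 10.5.68.184 port 54048 ssh2
Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session opened for user hq-testuser by (uid=0)
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184: 11: disconnected by user
Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session closed for user hq-testuser
"""

# syslog prefix (time, host, process[pid]) then an optional PAM tag "module(service:phase): "
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[\w-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?:(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<phase>\w+)\): )?(?P<msg>.*)$")
FAILED = re.compile(r"Password change failed for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)")
NOT_LOCAL = re.compile(r'user "(?P<user>[^"]+)" does not exist in /etc/passwd')

def parse(log):
    """Yield one dict per line that matches the expected syslog layout."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def chauthtok_failures(log):
    """Return pam_sss password-change failures, each annotated with per-host context."""
    expired_hosts, not_local, failures = set(), Counter(), []
    for rec in parse(log):
        if rec["module"] == "pam_sss" and "Password expired" in rec["msg"]:
            expired_hosts.add(rec["host"])  # expiry notice seen on this host earlier
        if rec["phase"] != "chauthtok":
            continue
        if rec["module"] == "pam_unix" and (m := NOT_LOCAL.search(rec["msg"])):
            not_local[(rec["host"], m["user"])] += 1  # pam_unix found no local account
        elif rec["module"] == "pam_sss" and (m := FAILED.search(rec["msg"])):
            failures.append({"time": rec["ts"], "host": rec["host"], "user": m["user"],
                             "pam_code": int(m["code"]), "reason": m["reason"],
                             "expiry_notice_seen": rec["host"] in expired_hosts,
                             "pam_unix_not_local": not_local[(rec["host"], m["user"])]})
    return failures

def failures_by_host(log):
    """Count failures per host, to see whether the problem is confined to some clients."""
    return Counter(f["host"] for f in chauthtok_failures(log))
```

Feeding it the concatenated secure logs of the master and of several clients gives a per-host count that can be compared directly.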
