[Freeipa-users] freeipa authentication token manipulation error

Rakesh Rajasekharan rakesh.rajasekharan at gmail.com
Tue Jan 13 07:18:18 UTC 2015


>>>Does it work for the same user from the client  if you reset password on
the server, authenticate from the client and then force reset again on the
server?
When I force reset a user, he still faces the same error "token
manipulation" when he tries to log in to a client. However, when he tries
to get into the server, he now gets prompted for the password change and
is successfully able to get through.

So, at this point we have a workaround though something seems not right at
the clients.
>>>Can you add a new client and see whether it works there?

>>Have you tried re-installing the client?
Yes, I did try reinstalling but that did not help


>>>Sorry, I meant the full krb5_child.log ...

This is how I get the logs in krb5_child.

when a user tries to authenticate with the random password that I generated,

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

And on the krb5_child.log, these are the entries

(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
[/etc/krb5.keytab]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
qa-dummy-int.test.com at TEST.COM]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [match_principal]
(0x1000): Principal matched to the sample (host/
qa-dummy-int.test.com at TEST.COM).
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400):
Will perform password change
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child]
(0x1000): Password change operation
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child]
(0x0400): Attempting kinit for realm [TEST.COM]


It does not go beyond this. However, when I attempt another login, the
logs start moving from this point (the timestamps start from 6:54 AM):

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

now the krb5_child.log adds following lines

(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400):
krb5_child started.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer]
(0x1000): total buffer size: [134]TEST
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer]
(0x0100): cmd [241] uid [710600001] gid [710600001] validate [true]
enterprise principal [false] offline [false] UPN [hq-testuser at TEST.COM]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
[/etc/krb5.keytab]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
qa-dummy-int.test.com at TEST.COM]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [match_principal]
(0x1000): Principal matched to the sample (host/
qa-dummy-int.test.com at TEST.COM).
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400):
Will perform online auth
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt]
(0x0020): 981: [-1765328361][Password has expired]
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child]
(0x1000): Password was expired
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [k5c_send_data]
(0x0200): Received error code 1432158213
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400):
krb5_child completed successfully
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400):
krb5_child started.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer]
(0x1000): total buffer size: [134]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer]
(0x0100): cmd [247] uid [710600001] gid [710600001] validate [true]
enterprise principal [false] offline [false] UPN [hq-testuser at TEST.COM]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
[/etc/krb5.keytab]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
qa-dummy-int.test.com at TEST.COM]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [match_principal]
(0x1000): Principal matched to the sample (host/
qa-dummy-int.test.com at TEST.COM).
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400):
Will perform password change checks
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child]
(0x1000): Password change operation
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child]
(0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child]
(0x1000): Initial authentication for change password operation successful.
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data]
(0x0200): Received error code 0
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400):
krb5_child completed successfully
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400):
krb5_child started.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer]
(0x1000): total buffer size: [153]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer]
(0x0100): cmd [246] uid [710600001] gid [710600001] validate [true]
enterprise principal [false] offline [false] UPN [hq-testuser at TEST.COM]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
[/etc/krb5.keytab]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
qa-dummy-int.test.com at TEST.COM]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [match_principal]
(0x1000): Principal matched to the sample (host/
qa-dummy-int.test.com at TEST.COM).
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400):
Will perform password change
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child]
(0x1000): Password change operation
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child]
(0x0400): Attempting kinit for realm [TEST.COM]

and again the last line is "Attempting kinit for realm".

Thanks,
Rakesh


On Tue, Jan 13, 2015 at 1:05 AM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:
>
>  This is the full log,
>
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info
> message: Password expired. Change your password now.
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser
> from 10.5.68.184 port 54048 ssh2
> Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session
> opened for user hq-testuser by (uid=0)
> Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user
> "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user
> "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password
> change failed for user hq-testuser: 22 (Authentication token lock busy)
> Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from
> 10.5.68.184: 11: disconnected by user
> Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session
> closed for user hq-testuser
>
>
> >> Does it happen for all users or only users that you migrated?
>  Yes, it happens for all; hq-testuser is a fresh user that I created
> for this test.
>
>  I found a workaround for this: users are able to successfully change
> the password by connecting to the IPA master server.
>  So, it's only the IPA clients that have the issue.
>
>
> Does it work for the same user from the client  if you reset password on
> the server, authenticate from the client and then force reset again on the
> server?
>
> Can you add a new client and see whether it works there?
> Have you tried re-installing the client?
>
>
>
>  Thanks,
>  Rakesh
>
> On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
>> > under /var/log/secure.. have this error
>> > passwd: pam_sss(passwd:chauthtok): Password change failed for user
>> > hq-testuser: 22 (Authentication token lock busy)
>>
>> It looks like the log was truncated, can you post more context?
>>
>> Authentication token lock busy usually means the kadmin servers were
>> offline..
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
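The krb5_child.log excerpts above show the shape of a password change through SSSD: one child per PAM request (cmd 241 for the authentication that discovers the expired password, 247 for the preliminary check, 246 for the change itself), and the last child stops at "Attempting kinit for realm" without ever logging a result in k5c_send_data. When reading a long log it helps to group entries by child PID and spot exactly those children. The following script is an added example for this thread; it is not code from the thread, from SSSD or from FreeIPA. It assumes the request-code names from SSSD's sss_cli.h (SSS_PAM_AUTHENTICATE is 0xF1, SSS_PAM_CHAUTHTOK 0xF6, SSS_PAM_CHAUTHTOK_PRELIM 0xF7), and the "stalled" rule (kinit attempted, no k5c_send_data result) is a heuristic of this example. The sample lines are trimmed copies of the entries quoted above, reflowed to one entry per line as they appear in the real file (the mail wrapped them) and with "@" in place of the list archive's " at " obfuscation.

```python
"""Group SSSD krb5_child.log entries by child PID and flag children that never
reported a result back to the backend. Added example for this thread; it is
not code from the thread, from SSSD or from FreeIPA."""
import re
from collections import OrderedDict
from datetime import datetime

# Each krb5_child.log entry is one line in the real file (the mail wrapped them):
# (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [func] (0x0400): message
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
CMD_RE = re.compile(r"cmd \[(?P<cmd>\d+)\]")
RESULT_RE = re.compile(r"Received error code (?P<code>\d+)")

# PAM request codes as numbered in SSSD's sss_cli.h (assumed; 0xF1, 0xF6, 0xF7).
CMD_NAMES = {
    241: "SSS_PAM_AUTHENTICATE",
    246: "SSS_PAM_CHAUTHTOK",
    247: "SSS_PAM_CHAUTHTOK_PRELIM",
}


def parse_entries(text):
    """Yield (timestamp, pid, function, message) for every well-formed entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # wrapped fragment or foreign line: skip rather than guess
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        yield ts, int(m.group("pid")), m.group("func"), m.group("msg")


def summarize(text):
    """Return an ordered {pid: state} map describing how far each child got."""
    sessions = OrderedDict()
    for ts, pid, func, msg in parse_entries(text):
        s = sessions.setdefault(pid, {
            "cmd": None, "first": ts, "last": ts, "last_func": func,
            "last_msg": msg, "kinit_attempted": False, "result": None,
        })
        s["last"], s["last_func"], s["last_msg"] = ts, func, msg
        cm = CMD_RE.search(msg)
        if cm:
            s["cmd"] = int(cm.group("cmd"))
        if "Attempting kinit for realm" in msg:
            s["kinit_attempted"] = True
        rm = RESULT_RE.search(msg)
        if func == "k5c_send_data" and rm:
            s["result"] = int(rm.group("code"))  # 0 is success, non-zero a failure
    return sessions


def stalled_sessions(sessions):
    """PIDs that started a kinit but never logged a k5c_send_data result (heuristic)."""
    return [pid for pid, s in sessions.items()
            if s["kinit_attempted"] and s["result"] is None]


def report(sessions):
    """One line per child: when it started, what it was asked to do, how it ended."""
    out = []
    for pid, s in sessions.items():
        name = CMD_NAMES.get(s["cmd"], "cmd %s" % s["cmd"])
        if s["result"] is None:
            state = "NO RESULT, last seen in %s: %s" % (s["last_func"], s["last_msg"])
        else:
            state = "result %d" % s["result"]
        out.append("%s pid=%d %s: %s" % (s["first"].strftime("%H:%M:%S"), pid, name, state))
    return out


# Constructed sample: trimmed copies of the thread's entries, one entry per line.
SAMPLE_LOG = """\
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): cmd [241] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [k5c_send_data] (0x0200): Received error code 1432158213
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): cmd [247] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): cmd [246] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
"""

if __name__ == "__main__":
    sessions = summarize(SAMPLE_LOG)
    for line in report(sessions):
        print(line)
    print("stalled children:", stalled_sessions(sessions))
```

Run it against a real file with `summarize(open("/var/log/sssd/krb5_child.log").read())`. A child that shows up as stalled with cmd 246 is the one to look at first: its last message tells you which step of the change (the kinit against the KDC, or the later kpasswd exchange) never came back, which is exactly the question this thread is stuck on.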
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150113/83ee40a8/attachment.htm>