[Freeipa-users] freeipa authentication token manipulation error

Sumit Bose sbose at redhat.com
Tue Jan 13 08:22:35 UTC 2015


On Tue, Jan 13, 2015 at 12:48:18PM +0530, Rakesh Rajasekharan wrote:
> >>>Does it work for the same user from the client  if you reset password on
> the server, authenticate from the client and then force reset again on the
> server?
> When I force reset a user, he still faces the same error "token
> manipulation" when he tries to log in to a client. However, when he tries
> getting into the server, he now gets prompted for the password change and
> is successfully able to get through.
> 
> So, at this point we have a workaround, though something seems not right at
> the clients.
> >>>Can you add a new client and see whether it works there?
> 
> >>Have you tried re-installing the client?
> Yes, I did try reinstalling but that did not help
> 
> 
> >>>Sorry, I meant the full krb5_child.log ...
> 
> This is how I get the logs in krb5_child.
> 
> When a user tries to authenticate with the random password that I generated:
> 
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user hq-testuser.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
> 
> And on the krb5_child.log, these are the entries
> 
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
> [/etc/krb5.keytab]
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> qa-dummy-int.test.com at TEST.COM]
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [match_principal]
> (0x1000): Principal matched to the sample (host/
> qa-dummy-int.test.com at TEST.COM).
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400):
> Will perform password change
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child]
> (0x1000): Password change operation
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child]
> (0x0400): Attempting kinit for realm [TEST.COM]
> 
> 
> This does not go beyond this. However, when I attempt another login, the
> logs start moving from this point (the timestamps start from 6:54 AM):
> 
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user hq-testuser.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
> 
> Now krb5_child.log adds the following lines:
> 
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400):
> krb5_child started.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer]
> (0x1000): total buffer size: [134]TEST
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [710600001] gid [710600001] validate [true]
> enterprise principal [false] offline [false] UPN [hq-testuser at TEST.COM]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
> [/etc/krb5.keytab]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> qa-dummy-int.test.com at TEST.COM]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [match_principal]
> (0x1000): Principal matched to the sample (host/
> qa-dummy-int.test.com at TEST.COM).
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400):
> Will perform online auth
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [TEST.COM]
> (Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt]
> (0x0020): 981: [-1765328361][Password has expired]
> (Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child]
> (0x1000): Password was expired
> (Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [k5c_send_data]
> (0x0200): Received error code 1432158213
> (Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400):
> krb5_child completed successfully
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400):
> krb5_child started.
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer]
> (0x1000): total buffer size: [134]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer]
> (0x0100): cmd [247] uid [710600001] gid [710600001] validate [true]
> enterprise principal [false] offline [false] UPN [hq-testuser at TEST.COM]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
> [/etc/krb5.keytab]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> qa-dummy-int.test.com at TEST.COM]
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [match_principal]
> (0x1000): Principal matched to the sample (host/
> qa-dummy-int.test.com at TEST.COM).
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400):
> Will perform password change checks
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child]
> (0x1000): Password change operation
> (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child]
> (0x0400): Attempting kinit for realm [TEST.COM]
> (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child]
> (0x1000): Initial authentication for change password operation successful.
> (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data]
> (0x0200): Received error code 0
> (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400):
> krb5_child completed successfully
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400):
> krb5_child started.
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer]
> (0x1000): total buffer size: [153]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer]
> (0x0100): cmd [246] uid [710600001] gid [710600001] validate [true]
> enterprise principal [false] offline [false] UPN [hq-testuser at TEST.COM]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab:
> [/etc/krb5.keytab]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> qa-dummy-int.test.com at TEST.COM]
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [match_principal]
> (0x1000): Principal matched to the sample (host/
> qa-dummy-int.test.com at TEST.COM).
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400):
> Will perform password change
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child]
> (0x1000): Password change operation
> (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child]
> (0x0400): Attempting kinit for realm [TEST.COM]
> 
> And again the last line is "Attempting kinit for realm".

According to some earlier log entries, your Kerberos server needs some
time to respond. Maybe you are hit by the authentication timeout SSSD
uses to avoid waiting indefinitely long for a response. The default is 6s.
You can increase it by setting the krb5_auth_timeout option in the
[domain/...] section of sssd.conf to a higher value. See man sssd-krb5
for more details.

HTH

bye,
Sumit

> 
> Thanks,
> Rakesh
> 
> 
> On Tue, Jan 13, 2015 at 1:05 AM, Dmitri Pal <dpal at redhat.com> wrote:
> 
> >  On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:
> >
> >  This is the full log,
> >
> > Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info
> > message: Password expired. Change your password now.
> > Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser
> > from 10.5.68.184 port 54048 ssh2
> > Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session
> > opened for user hq-testuser by (uid=0)
> > Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user
> > "hq-testuser" does not exist in /etc/passwd
> > Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user
> > "hq-testuser" does not exist in /etc/passwd
> > Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password
> > change failed for user hq-testuser: 22 (Authentication token lock busy)
> > Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from
> > 10.5.68.184: 11: disconnected by user
> > Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session
> > closed for user hq-testuser
> >
> >
> > >> Does it happen for all users or only users that you migrated?
> >  Yes, it happens for all; the new user I created (hq-testuser) is a fresh
> > one.
> >
> >  I found a workaround for this: users are able to successfully change
> > the password by connecting to the IPA master server.
> >  So, it's only the IPA clients that have the issue.
> >
> >
> > Does it work for the same user from the client  if you reset password on
> > the server, authenticate from the client and then force reset again on the
> > server?
> >
> > Can you add a new client and see whether it works there?
> > Have you tried re-installing the client?
> >
> >
> >
> >  Thanks,
> >  Rakesh
> >
> > On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> >
> >> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
> >> > under /var/log/secure.. have this error
> >> > passwd: pam_sss(passwd:chauthtok): Password change failed for user
> >> > hq-testuser: 22 (Authentication token lock busy)
> >>
> >> It looks like the log was truncated, can you post more context?
> >>
> >> Authentication token lock busy usually means the kadmin servers were
> >> offline..
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go To http://freeipa.org for more info on the project
> >>
> >
> >
> >
> >
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
> >
> >
> >

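An added example, not part of the thread and not SSSD's own code: Sumit's diagnosis rests on the gap between "Attempting kinit for realm [TEST.COM]" and the next record from the same krb5_child PID, and on the two children (18004 and 24241) whose last record is that kinit attempt. The script below parses krb5_child.log records, measures that gap per child as a proxy for KDC response time, and flags children that never logged anything after the kinit attempt. SAMPLE_LOG is constructed from the excerpts quoted above, one record per line (the mail client wrapped the originals); the 6s figure is the default quoted in the reply, and treating "time to the next record" as KDC latency is this example's assumption, not something the log states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default krb5_auth_timeout in sssd-krb5, in seconds, as cited in the reply above.
DEFAULT_KRB5_AUTH_TIMEOUT = 6

# Constructed sample: a condensed version of the krb5_child.log excerpts quoted
# in this thread, one record per line. It is not the poster's complete log.
SAMPLE_LOG = """\
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400): Will perform password change
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [k5c_send_data] (0x0200): Received error code 1432158213
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
"""

# One krb5_child.log record: (timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Split one record into timestamp, child PID, function and message; None if it is not a record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "pid": int(m["pid"]),
            "func": m["func"], "msg": m["msg"]}


def analyse(log_text, timeout=DEFAULT_KRB5_AUTH_TIMEOUT):
    """Per child PID: when kinit was attempted, seconds until the next record from
    that PID (assumed here to approximate KDC response time), whether the child
    logged completion, and whether it looks hung (nothing at all after the kinit)."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is not None:
            events[ev["pid"]].append(ev)

    report = {}
    for pid, evs in events.items():
        rec = {"kinit_at": None, "kdc_latency": None, "completed": False,
               "hung": False, "over_timeout": False}
        kinit_idx = next((i for i, e in enumerate(evs)
                          if e["msg"].startswith("Attempting kinit")), None)
        if kinit_idx is not None:
            rec["kinit_at"] = evs[kinit_idx]["ts"]
            after = evs[kinit_idx + 1:]
            if not after:
                rec["hung"] = True          # last thing logged was the kinit attempt
            else:
                rec["kdc_latency"] = (after[0]["ts"] - rec["kinit_at"]).total_seconds()
                rec["over_timeout"] = rec["kdc_latency"] > timeout
        rec["completed"] = any("krb5_child completed" in e["msg"] for e in evs)
        report[pid] = rec
    return report


def hung_children(log_text, timeout=DEFAULT_KRB5_AUTH_TIMEOUT):
    """PIDs whose last record is the kinit attempt, in log order."""
    return [pid for pid, rec in analyse(log_text, timeout).items() if rec["hung"]]


def max_kdc_latency(log_text):
    """Slowest observed kinit-to-next-record gap, or None if no child got a reply."""
    lat = [r["kdc_latency"] for r in analyse(log_text).values() if r["kdc_latency"] is not None]
    return max(lat) if lat else None


if __name__ == "__main__":
    for pid, rec in analyse(SAMPLE_LOG).items():
        state = "HUNG after kinit" if rec["hung"] else "reply after %.0fs" % rec["kdc_latency"]
        print("krb5_child[%d]: %s; completed=%s" % (pid, state, rec["completed"]))
    print("slowest observed reply: %ss (krb5_auth_timeout default %ss)"
          % (max_kdc_latency(SAMPLE_LOG), DEFAULT_KRB5_AUTH_TIMEOUT))
```

Point it at the client's /var/log/sssd/krb5_child.log. On the sample it reports two hung children and replies of 1s and 3s for the two that did finish, which is the pattern the reply above reads as "the KDC is slow and the client gives up": if the same shape shows up on a real client, raising krb5_auth_timeout in the [domain/...] section of sssd.conf and restarting sssd is the thing to try. Keep in mind that the log itself never says why the hung children stop; the timeout is an inference, as it is in the reply.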
