[Freeipa-users] About ipa passwd and kpasswd

Petr Vobornik pvoborni at redhat.com
Fri Feb 19 09:40:13 UTC 2016


On 02/18/2016 04:46 PM, bahan w wrote:
> Hello everyone.
>
> I send you this mail because I have sometimes a problem when using ipa
> passwd to generate a One Time Password and then using kpasswd to set a
> strong random password using a password policy.
>
> When I perform the ipa passwd command and just after the kpasswd command, I
> got an error message.
>
> Here is the command (I have an admin TGT) :
> echo "onetimepwd\nonetimepwd\n" | ipa passwd <user>; echo
> "onetimepwd\n<definitivepassword>\n<definitivepassword>\n" | kpasswd <user>
>
> And here is the result :
> ###
> ----------------------------------------------
> Changed password for "<user>@<realm>"
> ----------------------------------------------
> Password for <user>@<realm>:
> kpasswd: Preauthentication failed getting initial ticket
> ###
>
> When I perform a sleep 5, then the succession of these commands completes
> successfully.
> I tried to sleep 1s or 2s, but sometimes I got the error message, and
> sometimes not.
> So I extended the sleep duration to 5s.
>
> I was wondering if it was normal behaviour from ipa-server/client 3.0.0-47 ?
>
> If yes, do you know what the minimum duration in seconds that I have to
> wait after setting a one time password before setting a more definitive
> password (a password respecting the password policy) ?
>
> Best regards.
>
> Bahan
>
>
>

Following works for me:

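# Test values
ADMINPW=Secret123
TEMPPW=temppwd
FINALPW=Secret1234
TESTUSER=fbar
# Start from an empty credential cache, then get an admin TGT
kdestroy -A
echo -e "${ADMINPW}" | kinit admin
klist
# As admin: set the temporary (one-time) password
echo -e "${TEMPPW}\n${TEMPPW}\n" | ipa passwd "$TESTUSER"
# As the user: replace the temporary password with the final one
echo -e "${TEMPPW}\n${FINALPW}\n${FINALPW}\n" | kpasswd "$TESTUSER"
klist
# Verify that the final password works
kdestroy -A
echo -e "${FINALPW}" | kinit "$TESTUSER"
klist
kdestroy -A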


Also works if kpasswd is changed to kinit.

You can also try to use KRB5_TRACE=/dev/stdout to debug it:
   # KRB5_TRACE=/dev/stdout kpasswd user

-- 
Petr Vobornik
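
Added example, not part of the original message or of FreeIPA: a bounded retry that replaces the fixed `sleep 5` from the question and retries only when the command fails with the preauthentication error quoted in the thread. The function name, return codes and `RETRY_ATTEMPTS` variable are hypothetical, and it assumes the failure is transient, which the thread does not confirm.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread.
# Assumption: the transient failure is exactly the message quoted above.
PREAUTH_ERR='Preauthentication failed'

# retry_on_preauth MAX_TRIES DELAY INPUT CMD [ARGS...]
#   Pipes INPUT (plus a final newline) to CMD on stdin.
#   Returns 0 when CMD succeeds, 1 when it still fails preauthentication
#   after MAX_TRIES, 2 when it fails for any other reason (not retried,
#   e.g. a password policy rejection).
#   RETRY_ATTEMPTS holds the number of attempts made.
# Failed preauthentication attempts may count toward the account lockout
# threshold, so keep MAX_TRIES below the password policy's max failures.
retry_on_preauth() {
    local max_tries="$1" delay="$2" input="$3" output
    shift 3
    RETRY_ATTEMPTS=0
    while [ "$RETRY_ATTEMPTS" -lt "$max_tries" ]; do
        RETRY_ATTEMPTS=$((RETRY_ATTEMPTS + 1))
        # Capture stdout and stderr so the error text can be inspected.
        if output=$(printf '%s\n' "$input" | "$@" 2>&1); then
            return 0
        fi
        case $output in
            *"$PREAUTH_ERR"*) ;;  # the error from the thread: retry
            *) printf '%s\n' "$output" >&2; return 2 ;;
        esac
        if [ "$RETRY_ATTEMPTS" -lt "$max_tries" ]; then
            sleep "$delay"
        fi
    done
    printf '%s\n' "$output" >&2
    return 1
}

# Usage with the variables from the script above:
#   input=$(printf '%s\n' "$TEMPPW" "$FINALPW" "$FINALPW")
#   retry_on_preauth 5 1 "$input" kpasswd "$TESTUSER"
```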



