The subject line here is slightly vague/misleading; I wasn't sure how to say 
this in 20 words or less.  I have a cluster where we have 6 "admin" users who 
are the only humans logging into the FreeIPA web UI.  When these users' 
passwords expire or are manually reset, they are unable to change the 
passwords, receiving the error "The password or username you entered is 
incorrect" on the password reset page during login. 

These users have OTP tokens and are set to "Password & OTP" for the login 
method. We have tested with OTP tokens disabled and with just "Password" added 
to the login methods. 

If we reset the password and then manually set "krbPasswordExpiration" to 
sometime in the future using ipa user-mod, users can log in and then change 
their passwords from within the UI itself; it appears to be only the 
change-password-on-login flow that is causing problems.

FreeIPA version: 4.12.2-14.el9.noarch


Snippet of httpd error log: 

[Wed Jun 04 10:48:37.846536 2025] [wsgi:error] [pid 2246312:tid 2246543] 
[remote some_ip_address_here:60648]
[Wed Jun 04 10:49:08.336028 2025] [wsgi:error] [pid 2246314:tid 2246540] 
[remote some_ip_address_here:60651] ipa: INFO: WSGI change_password.__call__:
[Wed Jun 04 10:49:08.336201 2025] [wsgi:error] [pid 2246314:tid 2246540] 
[remote some_ip_address_here:60651] ipa: INFO: WSGI change_password: start 
password change of user 'admin-username'
[Wed Jun 04 10:49:08.434192 2025] [wsgi:error] [pid 2246314:tid 2246540] 
[remote some_ip_address_here:60651] ipa: INFO: 200 Success: The old password or 
username is not correct.
[Wed Jun 04 11:35:55.156892 2025] [wsgi:error] [pid 2246313:tid 2246537] 
[remote some_ip_address_here:61518] ipa: INFO: 401 Unauthorized: kinit: Cannot 
read password while getting initial credentials
[Wed Jun 04 11:35:55.156946 2025] [wsgi:error] [pid 2246313:tid 2246537] 
[remote some_ip_address_here:61518]
[Wed Jun 04 11:36:26.803929 2025] [wsgi:error] [pid 2246311:tid 2246534] 
[remote some_ip_address_here:61553] ipa: INFO: WSGI change_password.__call__:
[Wed Jun 04 11:36:26.804148 2025] [wsgi:error] [pid 2246311:tid 2246534] 
[remote some_ip_address_here:61553] ipa: INFO: WSGI change_password: start 
password change of user 'admin-username'
[Wed Jun 04 11:36:26.902851 2025] [wsgi:error] [pid 2246311:tid 2246534] 
[remote some_ip_address_here:61553] ipa: INFO: 200 Success: The old password or 
username is not correct.
[Wed Jun 04 11:37:17.224162 2025] [wsgi:error] [pid 2246314:tid 2246540] 
[remote some_ip_address_here:61690] ipa: INFO: WSGI change_password.__call__:
[Wed Jun 04 11:37:17.224380 2025] [wsgi:error] [pid 2246314:tid 2246540] 
[remote some_ip_address_here:61690] ipa: INFO: WSGI change_password: start 
password change of user 'admin-username'
[Wed Jun 04 11:37:17.326511 2025] [wsgi:error] [pid 2246314:tid 2246540] 
[remote some_ip_address_here:61690] ipa: INFO: 200 Success: The old password or 
username is not correct.
[Wed Jun 04 11:39:04.879577 2025] [wsgi:error] [pid 2246311:tid 2246534] 
[remote some_ip_address_here:62300] ipa: INFO: 401 Unauthorized: kinit: Cannot 
read password while getting initial credentials
[Wed Jun 04 11:39:04.879628 2025] [wsgi:error] [pid 2246311:tid 2246534] 
[remote some_ip_address_here:62300]
[Wed Jun 04 11:39:22.247446 2025] [wsgi:error] [pid 2246314:tid 2246540] 
[remote some_ip_address_here:62300] ipa: INFO: WSGI change_password.__call__:
[Wed Jun 04 11:39:22.247637 2025] [wsgi:error] [pid 2246314:tid 2246540] 
[remote some_ip_address_here:62300] ipa: INFO: WSGI change_password: start 
password change of user 'admin-username'
[Wed Jun 04 11:39:22.341247 2025] [wsgi:error] [pid 2246314:tid 2246540] 
[remote some_ip_address_here:62300] ipa: INFO: 200 Success: The old password or 
username is not correct.


krb5kdc log snippet: 
Jun 04 11:39:04 ipa-primary.ipa.domain.com krb5kdc[1301542](info): AS_REQ (4 
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.15.201.129: 
CLIENT KEY EXPIRED: admin-usern...@ipa.domain.com for 
krbtgt/ipa.domain....@ipa.domain.com, Password has expired
Jun 04 11:39:04 ipa-primary.ipa.domain.com krb5kdc[1301542](info): AS_REQ (4 
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.15.201.129: 
NEEDED_PREAUTH: admin-usern...@ipa.domain.com for 
kadmin/chang...@ipa.domain.com, Additional pre-authentication required
Jun 04 11:39:04 ipa-primary.ipa.domain.com krb5kdc[1301542](info): AS_REQ (4 
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.15.201.129: 
ISSUE: authtime 1749051544, etypes {rep=aes256-cts-hmac-sha384-192(20), 
tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, 
admin-usern...@ipa.domain.com for kadmin/chang...@ipa.domain.com

I can provide other redacted logs if needed.
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
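As an added triage aid (not part of the original post, and not FreeIPA's own code), the script below parses lines in the two log formats shown above and, for each "start password change" entry in the httpd error log, pairs it with the outcome line from the same remote address:port and with the KDC AS_REQ events for that user in the preceding minute, so the login-time kinit exchange and the later change_password result can be read as one timeline. The sample log lines, user name, realm, host and addresses are constructed placeholders, and the KDC lines (which carry no year) are assumed to come from the same year as the httpd lines.

```python
"""Rebuild a per-user timeline from FreeIPA httpd error-log and krb5kdc log lines."""
import re
from datetime import datetime, timedelta

HTTPD_RE = re.compile(r"^\[\w{3} (\w{3} \d\d \d\d:\d\d:\d\d)\.\d+ (\d{4})\] \[wsgi:error\] "
                      r"\[pid \d+:tid \d+\] \[remote ([^\]]+)\](?: (.*))?$")
KDC_RE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) "
                    r"(\S+): ([A-Z_ ]+): (.*)$")
PRINCIPALS_RE = re.compile(r"(\S+) for ([^,\s]+)(?:, (.*))?$")  # "client for server[, detail]"

# Constructed sample lines in the format of the redacted logs above (placeholder user/realm/host/IP)
HTTPD_LOG = """\
[Wed Jun 04 11:39:04.879628 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote 192.0.2.10:62300]
[Wed Jun 04 11:39:22.247637 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote 192.0.2.10:62300] ipa: INFO: WSGI change_password: start password change of user 'alice'
[Wed Jun 04 11:39:22.341247 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote 192.0.2.10:62300] ipa: INFO: 200 Success: The old password or username is not correct.
"""
KDC_LOG = """\
Jun 04 11:39:04 ipa.example.test krb5kdc[1301542](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha1-96(17)}) 192.0.2.10: CLIENT KEY EXPIRED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired
Jun 04 11:39:04 ipa.example.test krb5kdc[1301542](info): AS_REQ (2 etypes {...}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Additional pre-authentication required
Jun 04 11:39:04 ipa.example.test krb5kdc[1301542](info): AS_REQ (2 etypes {...}) 192.0.2.10: ISSUE: authtime 1749051544, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, alice@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST
"""
def _ts(s):
    return datetime.strptime(s, "%Y %b %d %H:%M:%S")
def parse_httpd(line):
    m = HTTPD_RE.match(line)
    return m and {"time": _ts(f"{m[2]} {m[1]}"), "remote": m[3], "msg": m[4] or ""}
def parse_kdc(line, year):  # krb5kdc lines carry no year, so the caller supplies it
    m = KDC_RE.match(line)
    p = m and PRINCIPALS_RE.search(m[4])
    return p and {"time": _ts(f"{year} {m[1]}"), "status": m[3],
                  "client": p[1], "server": p[2], "detail": p[3] or ""}

def correlate(httpd_text, kdc_text, window=timedelta(seconds=60)):
    web = [e for e in map(parse_httpd, httpd_text.splitlines()) if e]
    year = web[0]["time"].year  # assumption: both logs were captured in the same year
    kdc = [e for e in (parse_kdc(ln, year) for ln in kdc_text.splitlines()) if e]
    for i, e in enumerate(web):
        m = re.search(r"start password change of user '([^']+)'", e["msg"])
        if not m:
            continue
        # outcome: the next "ipa: INFO: <http status>" line logged for the same remote addr:port
        outcome = next((w["msg"] for w in web[i + 1:] if w["remote"] == e["remote"]
                        and re.match(r"ipa: INFO: \d{3} ", w["msg"])), "")
        # KDC AS_REQ events for this user in the window leading up to the change attempt
        prior = [k for k in kdc if k["client"].split("@")[0] == m[1]
                 and e["time"] - window <= k["time"] <= e["time"]]
        pairs = [(k["status"], k["server"].split("@")[0]) for k in prior]
        yield {"user": m[1], "time": e["time"], "outcome": outcome, "kdc": pairs,
               "changepw_ticket_issued": ("ISSUE", "kadmin/changepw") in pairs}
```

Feed it the unwrapped lines of /var/log/httpd/error_log and /var/log/krb5kdc.log with `list(correlate(...))`; a finding whose outcome reports the old password as incorrect while `changepw_ticket_issued` is true shows that the KDC had accepted that credential for kadmin/changepw shortly before the web UI rejected it.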