[Freeipa-users] Error changing expired user password using SSH

Mon, 08 Nov 2010 12:07:44 -0800 

Hi,

I'm having problems with users accessing their accounts for the first
time using SSH. I create their account in FreeIPA and set a (expired)
password. Then I have them ssh into one of our computers to setup
their password. The connection displays the following:

djsc...@pc35:~$ ssh gu...@pc20
gu...@pc20's password:
Warning: Your password will expire in less than one hour.
Warning: password has expired.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user guser.
Kerberos 5 Password:
Warning: Your password will expire in less than one hour.
New password:
Retype new password:
passwd: Authentication token manipulation error
Connection to pc20 closed.

And the password change fails. Here is the relevant section from the
Kerberos logfile. There is no entry in the LDAP log in dirsrv.

Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: CLIENT KEY EXPIRED:
gu...@example.com for krbtgt/example....@example.com, Password has
expired
Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH:
gu...@example.com for kadmin/chang...@example.com, Additional
pre-authentication required
Nov 08 14:48:22 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245702,
etypes {rep=18 tkt=18 ses=18}, gu...@example.com for
kadmin/chang...@example.com
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH:
gu...@example.com for kadmin/chang...@example.com, Additional
pre-authentication required
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245703,
etypes {rep=18 tkt=18 ses=18}, gu...@example.com for
kadmin/chang...@example.com

This appears to work fine when using kinit to login for the first
time. Shouldn't it work using SSH too? This will be a problem for our
remote users, since they have to connect remotely, using SSH.

Thanks,

Dan Scott

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to