Andy Singleton wrote:
Hello,

I am trying to install a rhel6 machine with the ipa-1.2.2 client.

Everything appears to work fine, with the exception of updating users'
passwords from the client.

 From the user perspective, I get this:

/Changing password for user andytest./

/Kerberos 5 Password: /

/New password: /

/Retype new password: /

/passwd: Authentication token manipulation error/

 From the local secure log, I see this:

/Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
"andytest" does not exist in /etc/passwd/

/Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
"andytest" does not exist in /etc/passwd/

/Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
failed for andyt...@live.tipp24.net: Cannot contact any KDC for
requested realm/

There are no local or network firewalls between the client and the IPA
server, and every other piece of IPA functionality appears to work fine.

On the IPA server itself, I see this in krb5kdc:

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
type found: Success

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andyt...@live.tipp24.net for
kadmin/chang...@live.tipp24.net, Preauthentication failed

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andyt...@live.tipp24.net for
kadmin/chang...@live.tipp24.net, Additional pre-authentication required

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
tkt=18 ses=18}, andyt...@live.tipp24.net for
kadmin/chang...@live.tipp24.net

nsswitch.conf has the usual stuff:

/passwd: files ldap/

/shadow: files ldap/

/group: files ldap/

I’m not sure what else to check.

Andy

Is ipa_kpasswd running on the IPA server?

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
