Re: [Freeipa-users] Password token manipulation errors after upgrade

Wed, 04 Jan 2012 15:48:49 -0800 

On 01/04/2012 06:32 PM, Ian Levesque wrote:
> Hello,
>
> I've upgraded a FreeIPA server to RHEL 6.2 (from 6.1), putting me at version 
> 2.1.3-9. Since the upgrade, I haven't been able to change any existing 
> passwords, all I get is an "Authentication token manipulation error". 
> Newly-created accounts don't have this problem. I /can/ login using my 
> existing password, but one user's password is expired and is effectively 
> locked out until I can figure this out. Any ideas?

First of all in place upgrade from tech preview 6.1 bits to 6.2 is not
supported by Red Hat as 6.2 is the first supported release.

This being said you might try to remove passwords.
Can you use some old account as a test, remove the kerberos password
attribute and then follow the migration procedure for it, i.e.
authenticate using special migration UI page or with SSSD in migration
mode? If that works then you might want to do it for all old users.


> Best,
> Ian
>
>
> -bash-4.1$ whoami
> ian
>
> -bash-4.1$ passwd
> Changing password for user ian.
> Current Password: 
> New password: 
> Retype new password: 
> Password change failed. Server message: Password change failed
> passwd: Authentication token manipulation error
>
>
> krb5kdc.log:
>
> krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: 
> NEEDED_PREAUTH: i...@sbgrid.org for kadmin/chang...@sbgrid.org, Additional 
> pre-authentication required
> krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: ISSUE: 
> authtime 1325719595, etypes {rep=18 tkt=18 ses=18}, i...@sbgrid.org for 
> kadmin/chang...@sbgrid.org
> krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: 
> NEEDED_PREAUTH: kadmin/chang...@sbgrid.org for krbtgt/sbgrid....@sbgrid.org, 
> Additional pre-authentication required
> krb5kdc[1558](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: ISSUE: 
> authtime 1325719595, etypes {rep=18 tkt=18 ses=18}, 
> kadmin/chang...@sbgrid.org for krbtgt/sbgrid....@sbgrid.org
> krb5kdc[1558](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.10.54: ISSUE: 
> authtime 1325719595, etypes {rep=18 tkt=18 ses=18}, 
> kadmin/chang...@sbgrid.org for ldap/sbgrid-directory.in.hw...@sbgrid.org
>
> messages:
>
> passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
> passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. 
> Server message: Password change failed
> passwd: pam_sss(passwd:chauthtok): Password change failed for user ian: 20 
> (Authentication token manipulation error)
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to