On 01/09/2012 02:16 PM, Erinn Looney-Triggs wrote:
> For a user's very first (as in never logged in before and will have to
> set a new password) login attempt via GDM, the password change will fail
> and the user will be unable to log in.
>
> Now if the user has already set a password the login works fine. I
> haven't tested after the password expires but I suspect it will be the
> same as above.
>
> The salient errors (I believe) in the logs are the following:
>
> Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
> Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): system info: [Password has expired]
> Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
> Jan 9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): received for user user_name: 12 (Authentication token is no longer valid; new one required)
> Jan 9 18:33:35 host.name pam: gdm-password[5056]: pam_sss(gdm-password:account): User info message: Password expired. Change your password now.
> Jan 9 18:33:35 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
> Jan 9 18:33:51 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
> Jan 9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): system info: [Generic error (see e-text)]
> Jan 9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): User info message: Password change failed. Server message: Failed to decrypt password
> Jan 9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): Password change failed for user user_name: 20 (Authentication token manipulation error)
>
> The KDC logs don't shed a huge amount of light:
>
> Jan 09 18:33:34 ipa.server krb5kdc[2379](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: CLIENT KEY EXPIRED: user_n...@realm.com for krbtgt/realm....@realm.com, Password has expired
> Jan 09 18:33:34 ipa.server krb5kdc[2377](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_n...@realm.com for kadmin/changepw@REALM.COM, Additional pre-authentication required
> Jan 09 18:33:34 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134014, etypes {rep=18 tkt=18 ses=18}, user_n...@realm.com for kadmin/chang...@realm.com
> Jan 09 18:33:39 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_n...@realm.com for kadmin/changepw@REALM.COM, Additional pre-authentication required
> Jan 09 18:33:39 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134019, etypes {rep=18 tkt=18 ses=18}, user_n...@realm.com for kadmin/chang...@realm.com
> Jan 09 18:33:51 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_n...@realm.com for kadmin/changepw@REALM.COM, Additional pre-authentication required
>
> After doing some testing while writing this message, it appears that
> kpasswd and even the sshd login fail as well in the same way.
>
> A copy of /etc/pam.d/system-auth for completeness:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_fprintd.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> session     optional      pam_motd.so motd=/etc/motd
>
> Let me know any thoughts on the matter,
>
> -Erinn
>
Did you create a user and add a password for him?

ipa user-add ...
ipa passwd ...

Can you please provide the output of:

ipa user-show <user> --raw --all

before and after you try?

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
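The PAM and KDC excerpts quoted in the thread can be read together mechanically, which helps when triaging this kind of failure on a real box. The script below is an added example for this page, not code from the thread, from SSSD or from FreeIPA: it groups the pam_sss/pam_unix messages by service and PID, pulls out the chauthtok error code and the "Server message:" text, and checks the KDC log for an ISSUE of a kadmin/changepw ticket to the same user. The sample log lines are constructed to mirror the quoted ones; the user name jdoe, the realm EXAMPLE.COM, the host names client.example.com and ipa.example.com, and the client IP 192.0.2.10 are placeholders. The reading it produces (the KDC did issue the changepw ticket, so Kerberos authentication for the change succeeded and the rejection came from the password-change service) is the one the quoted logs themselves support; it says nothing about why that service rejected the change.

```python
"""Correlate PAM and KDC log lines for a login that fails while changing an
expired password.  Added example for this thread, not code from SSSD, FreeIPA
or the poster; sample lines are constructed, identifiers are placeholders."""
import re
from collections import defaultdict

# Constructed sample input (shape copied from the thread, identifiers replaced).
PAM_LOG = """\
Jan  9 18:33:34 client.example.com pam: gdm-password[5056]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdoe
Jan  9 18:33:34 client.example.com pam: gdm-password[5056]: pam_sss(gdm-password:auth): system info: [Password has expired]
Jan  9 18:33:34 client.example.com pam: gdm-password[5056]: pam_sss(gdm-password:auth): received for user jdoe: 12 (Authentication token is no longer valid; new one required)
Jan  9 18:33:35 client.example.com pam: gdm-password[5056]: pam_sss(gdm-password:account): User info message: Password expired. Change your password now.
Jan  9 18:33:35 client.example.com pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "jdoe" does not exist in /etc/passwd
Jan  9 18:33:52 client.example.com pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): system info: [Generic error (see e-text)]
Jan  9 18:33:52 client.example.com pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): User info message: Password change failed. Server message: Failed to decrypt password
Jan  9 18:33:52 client.example.com pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): Password change failed for user jdoe: 20 (Authentication token manipulation error)
"""
KDC_LOG = """\
Jan 09 18:33:34 ipa.example.com krb5kdc[2379](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT KEY EXPIRED: jdoe@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jan 09 18:33:34 ipa.example.com krb5kdc[2377](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: jdoe@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jan 09 18:33:34 ipa.example.com krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1326134014, etypes {rep=18 tkt=18 ses=18}, jdoe@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
"""

PAM_RE = re.compile(
    r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ pam: (?P<service>[\w-]+)\[(?P<pid>\d+)\]: '
    r'(?P<module>pam_\w+)\((?P=service):(?P<stage>\w+)\): (?P<msg>.*)$')
KDC_RE = re.compile(
    r'krb5kdc\[\d+\]\(info\): AS_REQ .*?\) (?P<ip>\S+): (?P<status>[A-Z_ ]+): '
    r'(?:authtime \d+, etypes \{[^}]*\}, )?(?P<princ>\S+) for (?P<server>[^\s,]+)'
    r'(?:, (?P<reason>.*))?$')
CHANGE_FAIL_RE = re.compile(
    r'Password change failed for user (?P<user>\S+): (?P<code>\d+) \((?P<text>.*)\)')


def parse_pam(text):
    """Group pam_* messages by (service, pid): one PID is one login attempt."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = PAM_RE.match(line)
        if m:
            attempts[(m['service'], m['pid'])].append((m['module'], m['stage'], m['msg']))
    return attempts


def parse_kdc(text):
    """Return (status, client principal, server principal, reason) per AS_REQ line."""
    events = []
    for line in text.splitlines():
        m = KDC_RE.search(line)
        if m:
            events.append((m['status'], m['princ'], m['server'], m['reason']))
    return events


def verdict(f):
    if not f['password_expired']:
        return 'no expired-password condition seen'
    if f['change_error_code'] is None:
        return 'password expired; no password change attempt recorded'
    if f['changepw_ticket_issued']:
        return ('password expired; KDC issued a kadmin/changepw ticket, so Kerberos '
                'authentication for the change succeeded and the change was rejected '
                'by the password service: ' + (f['server_message'] or 'no server message'))
    return 'password expired; change failed before a kadmin/changepw ticket was issued'


def diagnose(pam_text, kdc_text):
    """Tie each PAM attempt's client-side failure to what the KDC saw for that user."""
    kdc = parse_kdc(kdc_text)
    findings = {}
    for (service, pid), msgs in parse_pam(pam_text).items():
        f = {'service': service, 'user': None, 'password_expired': False,
             'local_user_miss': False, 'change_error_code': None,
             'server_message': None, 'changepw_ticket_issued': False}
        for module, stage, msg in msgs:
            if module == 'pam_sss' and 'expired' in msg.lower():
                f['password_expired'] = True
            # pam_unix cannot change the password of a user absent from /etc/passwd;
            # being "sufficient" in the posted stack, PAM just falls through to pam_sss.
            if module == 'pam_unix' and stage == 'chauthtok' and 'does not exist in /etc/passwd' in msg:
                f['local_user_miss'] = True
            if 'Server message: ' in msg:
                f['server_message'] = msg.split('Server message: ', 1)[1].strip()
            m = CHANGE_FAIL_RE.search(msg)
            if m:
                f['user'] = m['user']
                f['change_error_code'] = int(m['code'])
        # Match KDC events on the principal's name part only (realm stripped).
        f['changepw_ticket_issued'] = any(
            status == 'ISSUE' and server.startswith('kadmin/changepw')
            and princ.split('@')[0] == f['user']
            for status, princ, server, _ in kdc)
        f['verdict'] = verdict(f)
        findings[(service, pid)] = f
    return findings


if __name__ == '__main__':
    print(diagnose(PAM_LOG, KDC_LOG)[('gdm-password', '5056')]['verdict'])
```

To use it on a real case, replace the two constants with excerpts from the client's PAM log and the server's krb5kdc.log for the same minute. The `local_user_miss` flag exists to stop the pam_unix "does not exist in /etc/passwd" lines from being chased as the root cause: under the posted password stack (pam_unix `sufficient`, then pam_sss), that line is the normal fall-through for an SSSD-served user. What matters is the pair of facts the verdict combines: the KDC shows an ISSUE for kadmin/changepw, and pam_sss still reports a server-side rejection of the change.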