On 01/09/2012 11:33 AM, Dmitri Pal wrote:
> On 01/09/2012 02:16 PM, Erinn Looney-Triggs wrote:
>> For a user's very first login attempt via GDM (as in never logged in
>> before and will have to set a new password), the password change will
>> fail and the user will be unable to log in.
>>
>> Now if the user has already set a password the login works fine. I
>> haven't tested after the password expires but I suspect it will be the
>> same as above.
>>
>> The salient errors (I believe) in the logs are the following:
>>
>> Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
>> Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): system info: [Password has expired]
>> Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user_name
>> Jan  9 18:33:34 host.name pam: gdm-password[5056]: pam_sss(gdm-password:auth): received for user user_name: 12 (Authentication token is no longer valid; new one required)
>> Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_sss(gdm-password:account): User info message: Password expired. Change your password now.
>> Jan  9 18:33:35 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
>> Jan  9 18:33:51 host.name pam: gdm-password[5056]: pam_unix(gdm-password:chauthtok): user "user_name" does not exist in /etc/passwd
>> Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): system info: [Generic error (see e-text)]
>> Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): User info message: Password change failed. Server message: Failed to decrypt password
>> Jan  9 18:33:52 host.name pam: gdm-password[5056]: pam_sss(gdm-password:chauthtok): Password change failed for user user_name: 20 (Authentication token manipulation error)
>>
>> The KDC logs don't shed a huge amount of light:
>> Jan 09 18:33:34 ipa.server krb5kdc[2379](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: CLIENT KEY EXPIRED: user_n...@realm.com for krbtgt/realm....@realm.com, Password has expired
>> Jan 09 18:33:34 ipa.server krb5kdc[2377](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_n...@realm.com for kadmin/changepw@REALM.COM, Additional pre-authentication required
>> Jan 09 18:33:34 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134014, etypes {rep=18 tkt=18 ses=18}, user_n...@realm.com for kadmin/chang...@realm.com
>> Jan 09 18:33:39 ipa.server krb5kdc[2375](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_n...@realm.com for kadmin/changepw@REALM.COM, Additional pre-authentication required
>> Jan 09 18:33:39 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: ISSUE: authtime 1326134019, etypes {rep=18 tkt=18 ses=18}, user_n...@realm.com for kadmin/chang...@realm.com
>> Jan 09 18:33:51 ipa.server krb5kdc[2382](info): AS_REQ (4 etypes {18 17 16 23}) 74.93.225.129: NEEDED_PREAUTH: user_n...@realm.com for kadmin/changepw@REALM.COM, Additional pre-authentication required
>>
>> After doing some testing while writing this message it appears that
>> kpasswd and even the sshd login fail as well in the same way.
>>
>> A copy of /etc/pam.d/system-auth for completeness:
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      pam_env.so
>> auth        sufficient    pam_fprintd.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_sss.so use_first_pass
>> auth        required      pam_deny.so
>>
>> account     required      pam_unix.so
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account     required      pam_permit.so
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
>> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12
>> password    sufficient    pam_sss.so use_authtok
>> password    required      pam_deny.so
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     optional      pam_oddjob_mkhomedir.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session     required      pam_unix.so
>> session     optional      pam_sss.so
>> session optional        pam_motd.so     motd=/etc/motd
>>
>> Let me know any thoughts on the matter,
>>
>> -Erinn
>>
>>
> 
> Did you create a user and add a password for him?
> ipa user-add ...
> ipa passwd ...
> 
> Can you please provide the output of the:
> 
> ipa user-show <user> --raw --all
> 
> before and after you try?
> 
> 
>>   
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IPA project,
> Red Hat Inc.


I didn't do it via the CLI, but rather the webui. Other than that, yes.
For this run I did it via the CLI:

erinn@ipa ~ $ ipa user-add dev-test
First name: Dev
Last name: Test
---------------------
Added user "dev-test"
---------------------
  User login: dev-test
  First name: Dev
  Last name: Test
  Full name: Dev Test
  Display name: Dev Test
  Initials: DT
  Home directory: /home/dev-test
  GECOS field: Dev Test
  Login shell: /bin/bash
  Kerberos principal: dev-t...@example.com
  UID: 1607600013
  GID: 1607600013
  Keytab: False
  Password: False
erinn@ipa ~ $ ipa passwd dev-test
New Password:
Enter New Password again to verify:
------------------------------------------
Changed password for "dev-t...@example.com"
------------------------------------------
erinn@ipa ~ $ ipa user-show dev-test --raw --all
  dn: uid=dev-test,cn=users,cn=accounts,dc=example,dc=com
  uid: dev-test
  givenname: Dev
  sn: Test
  cn: Dev Test
  displayname: Dev Test
  initials: DT
  homedirectory: /home/dev-test
  gecos: Dev Test
  loginshell: /bin/bash
  krbprincipalname: dev-t...@example.com
  uidnumber: 1607600013
  gidnumber: 1607600013
  nsaccountlock: False
  has_keytab: True
  has_password: True
  ipauniqueid: 190c6a96-3b07-11e1-8f2b-f04da2090ae0
  krbextradata: AAgBAA==
  krbextradata: AAIeWQtPcm9vdC9hZG1pbkBBQkFRSVMuQ09NAA==
  krblastpwdchange: 20120109211614Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20120109211614Z
  krbpwdpolicyreference:
cn=global_policy,cn=example.COM,cn=kerberos,dc=example,dc=com
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  mepmanagedentry: cn=dev-test,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry


After the attempt:
  dn: uid=dev-test,cn=users,cn=accounts,dc=example,dc=com
  uid: dev-test
  givenname: Dev
  sn: Test
  cn: Dev Test
  displayname: Dev Test
  initials: DT
  homedirectory: /home/dev-test
  gecos: Dev Test
  loginshell: /bin/bash
  krbprincipalname: dev-t...@example.com
  uidnumber: 1607600013
  gidnumber: 1607600013
  nsaccountlock: False
  has_keytab: True
  has_password: True
  ipauniqueid: 190c6a96-3b07-11e1-8f2b-f04da2090ae0
  krbextradata: AAIeWQtPcm9vdC9hZG1pbkBBQkFRSVMuQ09NAA==
  krbextradata: AAgBAA==
  krblastpwdchange: 20120109211614Z
  krblastsuccessfulauth: 20120109212104Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20120109211614Z
  krbpwdpolicyreference:
cn=global_policy,cn=example.COM,cn=kerberos,dc=example,dc=com
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  memberof: cn=desktop,cn=groups,cn=accounts,dc=example,dc=com
  memberofindirect:
ipauniqueid=a212d7e0-3250-11e1-8dcb-f04da2090ae0,cn=hbac,dc=example,dc=com
  mepmanagedentry: cn=dev-test,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry


A couple of additional notes that may be important. The system to which
I am attempting to authenticate lives in private IP space, whereas the
IPA server is on a public IP. Second, HBAC is in effect on the host, so
the user must be a member of the desktop group in order to authenticate.
These may not have any bearing, or they may; who knows.

-Erinn
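As an added example (not part of this thread or of the FreeIPA tooling), a small Python parser for the `ipa user-show --raw --all` output shown above. It flags the condition visible in both dumps: krbpasswordexpiration equal to krblastpwdchange, i.e. an admin-set password that FreeIPA expired on the spot, so the account's first login has to go through a password change. The sample input is constructed from the attributes above and the state names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the attributes that matter from the thread's
# "ipa user-show dev-test --raw --all" output taken after the failed login.
SAMPLE_RAW = """\
  dn: uid=dev-test,cn=users,cn=accounts,dc=example,dc=com
  uid: dev-test
  nsaccountlock: False
  has_password: True
  krblastpwdchange: 20120109211614Z
  krblastsuccessfulauth: 20120109212104Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20120109211614Z
  krbpwdpolicyreference:
cn=global_policy,cn=example.COM,cn=kerberos,dc=example,dc=com
"""

def parse_raw(text):
    """Parse '  attr: value' lines into {attr: [values]}. A line without an
    attribute prefix continues the previous value (the CLI wraps long DNs)."""
    entry, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s+([A-Za-z_]+):\s*(.*)$", line)
        if m:
            last, value = m.group(1).lower(), m.group(2)
            entry.setdefault(last, []).append(value)
        elif last is not None and line.strip():
            entry[last][-1] += line.strip()
    return entry

def parse_gtime(value):
    # LDAP GeneralizedTime as printed by ipa, e.g. 20120109211614Z
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_state(entry, now=None):
    """Classify the Kerberos password state from the raw attributes."""
    now = now or datetime.now(timezone.utc)
    if entry.get("nsaccountlock", ["False"])[0] == "True":
        return "locked"
    if entry.get("has_password", ["False"])[0] != "True":
        return "no-password"
    changed = parse_gtime(entry["krblastpwdchange"][0])
    expires = parse_gtime(entry["krbpasswordexpiration"][0])
    if expires <= changed:
        # Expiration equals the last change: an admin-set password that
        # FreeIPA expired immediately, so the first login must change it.
        return "must-change-at-next-login"
    if expires <= now:
        return "expired"
    return "ok"
```

Running `password_state(parse_raw(SAMPLE_RAW))` on the dump above yields the must-change state, which is the condition the KDC reports as CLIENT KEY EXPIRED before the chauthtok step is even attempted.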

