Hello,

My users are running into a bit of a problem with password expiry and
the reset prompts.

When they attempt to reset their password they end up receiving access
denied messages after going through the prompts to reset their password
and entering their new desired passwords.

The interesting thing is that if I reset the password via the Web UI to
anything, and then have the user try again with the new password, they
are able to successfully reset their password with no issues.

Log snippets are below, I've sanitized them so the user in question is 'juser'.

Any help or guidance would be very appreciated. Thank you!

sshd[26945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 
tty=ssh ruser= rhost=172.20.1.108  user=juser
sshd[26945]: pam_sss(sshd:auth): system info: [Password has expired]
sshd[26945]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 
tty=ssh ruser= rhost=172.20.1.108 user=juser
sshd[26945]: pam_sss(sshd:auth): received for user juser: 12 (Authentication 
token is no longer valid; new one required)
sshd[26945]: pam_sss(sshd:account): User info message: Password expired. Change 
your password now.
sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in 
/etc/passwd
sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in 
/etc/passwd
sshd[26945]: pam_sss(sshd:chauthtok): system info: [Generic error (see e-text)]
sshd[26945]: pam_sss(sshd:chauthtok): User info message: Password change 
failed. Server message: Password change rejected
sshd[26945]: pam_sss(sshd:chauthtok): Password change failed for user juser: 20 
(Authentication token manipulation error)
sshd[26977]: pam_unix(sshd:auth): conversation failed
sshd[26977]: pam_unix(sshd:auth): auth could not identify password for [juser]
sshd[26977]: pam_sss(sshd:auth): system info: [Cannot read password]
sshd[26977]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 
tty=ssh ruser= rhost=172.22.1.108 user=juser
sshd[26977]: pam_sss(sshd:auth): received for user juser: 4 (System error)
sshd[26977]: error: ssh_msg_send: write

[[sssd[krb5_child[26452]]]] [validate_tgt] (5): TGT verified using key for 
[host/devbox3.lnx.foo.lo...@lnx.foo.LOCAL].
[[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read 
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read 
[SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] 
(5): krb5_get_init_creds_opt_set_expire_callback not available.
[[sssd[krb5_child[26949]]]] [get_and_save_tgt] (1): 721: [-1765328361][Password 
has expired]
[[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] 
(5): krb5_get_init_creds_opt_set_expire_callback not available.
[[sssd[krb5_child[26949]]]] [tgt_req_child] (1): 980: [-1765328361][Password 
has expired]
[[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read 
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read 
[SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read 
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read 
[SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[26976]]]] [changepw_child] (1): krb5_change_password failed 
[4][Password change rejected].

krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
10.120.100.100: CLIENT KEY EXPIRED: ju...@lnx.foo.LOCAL for 
krbtgt/lnx.foo.lo...@lnx.foo.LOCAL, Password has expired
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
10.120.100.100: NEEDED_PREAUTH: ju...@lnx.foo.LOCAL for 
kadmin/chang...@lnx.foo.LOCAL, Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
10.120.100.100: ISSUE: authtime 1357163914, etypes {rep=18 tkt=18 ses=18}, 
ju...@lnx.foo.LOCAL for kadmin/chang...@lnx.foo.LOCAL
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
10.120.100.100: NEEDED_PREAUTH: ju...@lnx.foo.LOCAL for 
kadmin/chang...@lnx.foo.LOCAL, Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
10.120.100.100: ISSUE: authtime 1357163921, etypes {rep=18 tkt=18 ses=18}, 
ju...@lnx.foo.LOCAL for kadmin/chang...@lnx.foo.LOCAL
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
10.120.100.100: NEEDED_PREAUTH: ju...@lnx.foo.LOCAL for 
kadmin/chang...@lnx.foo.LOCAL, Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
10.120.100.100: ISSUE: authtime 1357163949, etypes {rep=18 tkt=18 ses=18}, 
ju...@lnx.foo.LOCAL for kadmin/chang...@lnx.foo.LOCAL
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
10.120.100.100: CLIENT KEY EXPIRED: ju...@lnx.foo.LOCAL for 
krbtgt/lnx.foo.lo...@lnx.foo.LOCAL, Password has expired
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
10.120.100.100: NEEDED_PREAUTH: ju...@lnx.foo.LOCAL for 
kadmin/chang...@lnx.foo.LOCAL, Additional pre-authentication required

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
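
Added example, not part of the original post: a small triage script that groups the pam_sss lines from an sshd log by PID and flags sessions where an expired-password login (PAM code 12) was followed by a failed forced change (PAM code 20). The sample input is constructed from the log lines above, unwrapped to one entry per line; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: sshd lines from the post, unwrapped to one entry per line.
SAMPLE = """\
sshd[26945]: pam_sss(sshd:auth): system info: [Password has expired]
sshd[26945]: pam_sss(sshd:auth): received for user juser: 12 (Authentication token is no longer valid; new one required)
sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in /etc/passwd
sshd[26945]: pam_sss(sshd:chauthtok): User info message: Password change failed. Server message: Password change rejected
sshd[26945]: pam_sss(sshd:chauthtok): Password change failed for user juser: 20 (Authentication token manipulation error)
sshd[26977]: pam_sss(sshd:auth): system info: [Cannot read password]
sshd[26977]: pam_sss(sshd:auth): received for user juser: 4 (System error)
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<mod>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<msg>.*)")
RESULT = re.compile(r"(?:received|Password change failed) for user (?P<user>\S+): "
                    r"(?P<code>\d+) \((?P<text>.*)\)")
SERVER = re.compile(r"Server message: (?P<text>.*)")

def summarize(log_text):
    """Return {pid: {"user", "results": {phase: (code, text)}, "server"}} for pam_sss lines."""
    sessions = defaultdict(lambda: {"user": None, "results": {}, "server": None})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m or m["mod"] != "pam_sss":
            continue  # pam_unix lines are skipped; only pam_sss results are summarized
        s = sessions[int(m["pid"])]
        if (r := RESULT.search(m["msg"])):
            s["user"] = r["user"]
            s["results"][m["phase"]] = (int(r["code"]), r["text"])
        elif (sv := SERVER.search(m["msg"])):
            s["server"] = sv["text"]  # reason string passed back by the server
    return dict(sessions)

def rejected_expiry_changes(sessions):
    """PIDs where auth returned 12 (new token required) and chauthtok returned 20."""
    return [pid for pid, s in sessions.items()
            if s["results"].get("auth", (None,))[0] == 12
            and s["results"].get("chauthtok", (None,))[0] == 20]

if __name__ == "__main__":
    found = summarize(SAMPLE)
    for pid in rejected_expiry_changes(found):
        print(pid, found[pid]["user"], found[pid]["server"])
```
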