Hello,

My users are running into a bit of a problem with password expiry and the reset prompts.
When they attempt to reset their password they end up receiving access denied messages after going through the prompts to reset their password and entering their new desired passwords. The interesting thing is that if I reset the password via the Web UI to anything, and then have the user try again with the new password, they are able to successfully reset their password with no issues. Log snippets are below; I've sanitized them so the user in question is 'juser'. Any help or guidance would be very appreciated. Thank you!

sshd[26945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.1.108 user=juser
sshd[26945]: pam_sss(sshd:auth): system info: [Password has expired]
sshd[26945]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.1.108 user=juser
sshd[26945]: pam_sss(sshd:auth): received for user juser: 12 (Authentication token is no longer valid; new one required)
sshd[26945]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in /etc/passwd
sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in /etc/passwd
sshd[26945]: pam_sss(sshd:chauthtok): system info: [Generic error (see e-text)]
sshd[26945]: pam_sss(sshd:chauthtok): User info message: Password change failed. Server message: Password change rejected
sshd[26945]: pam_sss(sshd:chauthtok): Password change failed for user juser: 20 (Authentication token manipulation error)
sshd[26977]: pam_unix(sshd:auth): conversation failed
sshd[26977]: pam_unix(sshd:auth): auth could not identify password for [juser]
sshd[26977]: pam_sss(sshd:auth): system info: [Cannot read password]
sshd[26977]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.22.1.108 user=juser
sshd[26977]: pam_sss(sshd:auth): received for user juser: 4 (System error)
sshd[26977]: error: ssh_msg_send: write

[[sssd[krb5_child[26452]]]] [validate_tgt] (5): TGT verified using key for [host/[email protected]].
[[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (5): krb5_get_init_creds_opt_set_expire_callback not available.
[[sssd[krb5_child[26949]]]] [get_and_save_tgt] (1): 721: [-1765328361][Password has expired]
[[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (5): krb5_get_init_creds_opt_set_expire_callback not available.
[[sssd[krb5_child[26949]]]] [tgt_req_child] (1): 980: [-1765328361][Password has expired]
[[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[26976]]]] [changepw_child] (1): krb5_change_password failed [4][Password change rejected].

krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: CLIENT KEY EXPIRED: [email protected] for krbtgt/[email protected], Password has expired
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163914, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163921, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163949, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: CLIENT KEY EXPIRED: [email protected] for krbtgt/[email protected], Password has expired
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
