On 01/02/2013 05:47 PM, Chris Natter wrote:
> Hello,
>
> My users are running into a bit of a problem with password expiry and
> the reset prompts.
>
> When they attempt to reset their password they end up receiving access
> denied messages after going through the prompts to reset their password
> and entering their new desired passwords.
>
> The interesting thing is that if I reset the password via the Web UI to 
> anything,
> and then have the user try again with the new password, they are able to 
> successfully reset their password with no issues.
>
> Log snippets are below, I've sanitized them so the user in question is 
> 'juser'.
>
> Any help or guidance would be very appreciated. Thank you!
>
> sshd[26945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 
> euid=0 tty=ssh ruser= rhost=172.20.1.108  user=juser
> sshd[26945]: pam_sss(sshd:auth): system info: [Password has expired]
> sshd[26945]: pam_sss(sshd:auth): authentication failure; logname= uid=0 
> euid=0 tty=ssh ruser= rhost=172.20.1.108 user=juser
> sshd[26945]: pam_sss(sshd:auth): received for user juser: 12 (Authentication 
> token is no longer valid; new one required)
> sshd[26945]: pam_sss(sshd:account): User info message: Password expired. 
> Change your password now.
> sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in 
> /etc/passwd
> sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in 
> /etc/passwd
> sshd[26945]: pam_sss(sshd:chauthtok): system info: [Generic error (see 
> e-text)]
> sshd[26945]: pam_sss(sshd:chauthtok): User info message: Password change 
> failed. Server message: Password change rejected
> sshd[26945]: pam_sss(sshd:chauthtok): Password change failed for user juser: 
> 20 (Authentication token manipulation error)
> sshd[26977]: pam_unix(sshd:auth): conversation failed
> sshd[26977]: pam_unix(sshd:auth): auth could not identify password for [juser]
> sshd[26977]: pam_sss(sshd:auth): system info: [Cannot read password]
> sshd[26977]: pam_sss(sshd:auth): authentication failure; logname= uid=0 
> euid=0 tty=ssh ruser= rhost=172.22.1.108 user=juser
> sshd[26977]: pam_sss(sshd:auth): received for user juser: 4 (System error)
> sshd[26977]: error: ssh_msg_send: write
>
> [[sssd[krb5_child[26452]]]] [validate_tgt] (5): TGT verified using key for 
> [host/devbox3.lnx.foo.lo...@lnx.foo.LOCAL].
> [[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read 
> [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> [[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read 
> [SSSD_KRB5_LIFETIME] from environment.
> [[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] 
> (5): krb5_get_init_creds_opt_set_expire_callback not available.
> [[sssd[krb5_child[26949]]]] [get_and_save_tgt] (1): 721: 
> [-1765328361][Password has expired]
> [[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] 
> (5): krb5_get_init_creds_opt_set_expire_callback not available.
> [[sssd[krb5_child[26949]]]] [tgt_req_child] (1): 980: [-1765328361][Password 
> has expired]
> [[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read 
> [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> [[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read 
> [SSSD_KRB5_LIFETIME] from environment.
> [[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read 
> [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> [[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read 
> [SSSD_KRB5_LIFETIME] from environment.
> [[sssd[krb5_child[26976]]]] [changepw_child] (1): krb5_change_password failed 
> [4][Password change rejected].
>
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
> 10.120.100.100: CLIENT KEY EXPIRED: ju...@lnx.foo.LOCAL for 
> krbtgt/lnx.foo.lo...@lnx.foo.LOCAL, Password has expired
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
> 10.120.100.100: NEEDED_PREAUTH: ju...@lnx.foo.LOCAL for 
> kadmin/chang...@lnx.foo.LOCAL, Additional pre-authentication required
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
> 10.120.100.100: ISSUE: authtime 1357163914, etypes {rep=18 tkt=18 ses=18}, 
> ju...@lnx.foo.LOCAL for kadmin/chang...@lnx.foo.LOCAL
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
> 10.120.100.100: NEEDED_PREAUTH: ju...@lnx.foo.LOCAL for 
> kadmin/chang...@lnx.foo.LOCAL, Additional pre-authentication required
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
> 10.120.100.100: ISSUE: authtime 1357163921, etypes {rep=18 tkt=18 ses=18}, 
> ju...@lnx.foo.LOCAL for kadmin/chang...@lnx.foo.LOCAL
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
> 10.120.100.100: NEEDED_PREAUTH: ju...@lnx.foo.LOCAL for 
> kadmin/chang...@lnx.foo.LOCAL, Additional pre-authentication required
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
> 10.120.100.100: ISSUE: authtime 1357163949, etypes {rep=18 tkt=18 ses=18}, 
> ju...@lnx.foo.LOCAL for kadmin/chang...@lnx.foo.LOCAL
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
> 10.120.100.100: CLIENT KEY EXPIRED: ju...@lnx.foo.LOCAL for 
> krbtgt/lnx.foo.lo...@lnx.foo.LOCAL, Password has expired
> krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 
> 10.120.100.100: NEEDED_PREAUTH: ju...@lnx.foo.LOCAL for 
> kadmin/chang...@lnx.foo.LOCAL, Additional pre-authentication required

What version are we talking about?
Look at the KDC side logs they might shed some light.
Do you have any special password policies configured (length,
complexity, did it change)?
Does it happen for all users or just a subset?



>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



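As an added triage helper (not code from the thread or from FreeIPA/SSSD), the script below groups the sshd pam_sss lines by sshd PID and flags sessions where an expired-password login ended in a rejected forced password change, which is the pattern in the quoted log; the sample lines are constructed from the sanitised excerpt, plus an assumed extra session (PID 27010) with an expired password but no chauthtok failure, to show the distinction.

```python
import re

# Constructed sample, modelled on the sanitised sshd/pam_sss excerpt in the thread.
# PID 27010 is an added, hypothetical session: expired password but no chauthtok failure.
SAMPLE_LOG = """\
sshd[26945]: pam_sss(sshd:auth): system info: [Password has expired]
sshd[26945]: pam_sss(sshd:auth): received for user juser: 12 (Authentication token is no longer valid; new one required)
sshd[26945]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
sshd[26945]: pam_sss(sshd:chauthtok): User info message: Password change failed. Server message: Password change rejected
sshd[26945]: pam_sss(sshd:chauthtok): Password change failed for user juser: 20 (Authentication token manipulation error)
sshd[26977]: pam_sss(sshd:auth): system info: [Cannot read password]
sshd[26977]: pam_sss(sshd:auth): received for user juser: 4 (System error)
sshd[27010]: pam_sss(sshd:auth): system info: [Password has expired]
sshd[27010]: pam_sss(sshd:auth): received for user juser: 12 (Authentication token is no longer valid; new one required)
"""

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<stage>\w+)\): (?P<msg>.*)")
USER_RE = re.compile(r"for user (?P<user>\S+):")
SERVER_MSG_RE = re.compile(r"Server message: (?P<srv>.*)")


def parse_sessions(log_text):
    """Group pam_sss lines by sshd PID and record what each session went through."""
    sessions = {}  # insertion-ordered dict, keyed by sshd PID
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pam_sss line from sshd (pam_unix noise, krb5_child, ...)
        s = sessions.setdefault(m["pid"], {"user": None, "expired": False,
                                           "change_failed": False, "server_message": None})
        u = USER_RE.search(m["msg"])
        if u:
            s["user"] = u["user"]
        if m["stage"] == "auth" and "Password has expired" in m["msg"]:
            s["expired"] = True
        if m["stage"] == "chauthtok":
            if "Password change failed" in m["msg"]:
                s["change_failed"] = True
            sm = SERVER_MSG_RE.search(m["msg"])
            if sm:
                s["server_message"] = sm["srv"]  # what the KDC/IPA side answered
    return sessions


def rejected_changes(log_text):
    """Sessions where an expired-password login ended in a failed forced password change."""
    return [(pid, s["user"], s["server_message"])
            for pid, s in parse_sessions(log_text).items()
            if s["expired"] and s["change_failed"]]
```

Running `rejected_changes` over the real sshd log narrows the question in the reply (all users or a subset?) to a list of affected users and the server message each received.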
