It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line, there was a connection error. The upgrade meant my IPA server was straight borked. The solution? Revert to a previous snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).
And I learned a valuable lesson: if it ain't broke, don't upgrade.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
> From: "Dmitri Pal" <d...@redhat.com>
> To: email@example.com
> Sent: Saturday, March 9, 2013 5:19:51 AM
> Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
>
> On 03/07/2013 11:47 PM, Tim Hildred wrote:
>
> Hello,
>
> I have been using IPA for authentication with a RHEV environment.
>
> Quite a while ago, I got help from this list in making it so that my
> users could access the WebUI with their login and passwords, no
> Kerberos ticket required. I also had it working that when their
> passwords expired, they would ssh to the IPA server as themselves,
> get challenged for their current password, and then the opportunity
> to provide a new one.
>
> The update to ipa-server 3.0.0-25.el6 means that I can no longer log
> into the WebUI with just a login and password (see attached
> screenshot) and that users who try and update expired passwords get:
>
> You must change your password now and login again!
> Changing password for user juwu.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Password not changed.
>
> It seems that password might have not matched the server policy.
> Have you tried different users and different passwords?
>
> What does kerberos log on the server show? It will give you some hint
> about the reason why the password was rejected.
> It might be that the password you are trying to use is already in the
> history of passwords. AFAIR there was a bug that we did not handle
> history of passwords properly in some cases. Now as it is fixed you
> might see a proper policy enforcement.
>
> Insufficient access to perform requested operation while trying to
> change password.
> passwd: Authentication token manipulation error
> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>
> Can anyone help me restore that functionality? Please?
>
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
>
> _______________________________________________
> Freeipa-users mailing list Freeipafirstname.lastname@example.org
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.