On Mon, Mar 11, 2013 at 01:21:26AM -0400, Tim Hildred wrote:
> It definitely wasn't a policy problem. I couldn't even use ipa passwd as
> admin from the command line, there was a connection error. The upgrade meant
> my IPA server was straight borked. The solution? Revert to a previous
> snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).

Maybe instead of trying to upgrade directly from 2.0 to 3.0 a step in
between like 2.0->2.1->3.0 would be better? To be on the safe side you
might want to include 2.2 as well in the upgrade path.

HTH

bye,
Sumit

>
> And I learned a valuable lesson: if it ain't broke, don't upgrade.
>
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
>
> ----- Original Message -----
> > From: "Dmitri Pal" <d...@redhat.com>
> > To: freeipa-users@redhat.com
> > Sent: Saturday, March 9, 2013 5:19:51 AM
> > Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh
> > token manipulation gone
> >
> >
> > On 03/07/2013 11:47 PM, Tim Hildred wrote:
> >
> > Hello,
> >
> > I have been using IPA for authentication with a RHEV environment.
> >
> > Quite a while ago, I got help from this list in making it so that my
> > users could access the WebUI with their login and passwords, no
> > Kerberos ticket required. I also had it working that when their
> > passwords expired, they would ssh to the IPA server as themselves,
> > get challenged for their current password, and then the opportunity
> > to provide a new one.
> >
> > The update to ipa-server 3.0.0-25.el6 means that I can no longer log
> > into the WebUI with just a login and password (see attached
> > screenshot) and that users who try and update expired passwords get:
> >
> > You must change your password now and login again!
> > Changing password for user juwu.
> > Current Password:
> > New password:
> > Retype new password:
> > Password change failed. Server message: Password not changed.
> >
> > It seems that password might have not matched the server policy.
> > Have you tried different users and different passwords?
> >
> > What does kerberos log on the server show? It will give you some hint
> > about the reason why the password was rejected.
> > It might be that the password you are trying to use is already in the
> > history of passwords. AFAIR there was a bug that we did not handle
> > history of passwords properly in some cases. Now as it is fixed you
> > might see a proper policy enforcement.
> >
> >
> >
> > Insufficient access to perform requested operation while trying to
> > change password.
> > passwd: Authentication token manipulation error
> > Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> >
> > Can anyone help me restore that functionality? Please?
> >
> > Tim Hildred, RHCE
> > Content Author II - Engineering Content Services, Red Hat, Inc.
> > Brisbane, Australia
> > Email: thild...@redhat.com
> > Internal: 8588287
> > Mobile: +61 4 666 25242
> > IRC: thildred
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager for IdM portfolio
> > Red Hat Inc.