Tim Hildred wrote:
It definately wasn't a policy problem. I couldn't even use ipa passwd as admin 
from the command line, there was a connection error. The upgrade meant my IPA 
server was straight borked. The solution? Revert to a previous snapshot, and 
continue using the old, working IPA (2.0.0-23.el6_1.2).

And I learned a valuable lesson: if it ain't broke, don't upgrade.

Sorry that you had problems with the upgrade. We'd be happy to work with you to try to figure out where things went sideways. Others would likely benefit from this work too.

rob


Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
From: "Dmitri Pal" <d...@redhat.com>
To: freeipa-users@redhat.com
Sent: Saturday, March 9, 2013 5:19:51 AM
Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh 
token manipulation gone


On 03/07/2013 11:47 PM, Tim Hildred wrote:

Hello,

I have been using IPA for authentication with a RHEV environment.

Quite a while ago, I got help from this list in making it so that my
users could access the WebUI with their login and passwords, no
Kerberos ticket required. I also had it working that when their
passwords expired, they would ssh to the IPA server as themselves,
get challenged for their current password, and then the opportunity
to provide a new one.

The update to ipa-server 3.0.0-25.el6 means that I can no longer log
into the WebUI with just a login and password (see attached
screenshot) and that users who try and update expired passwords get:

  You must change your password now and login again!
  Changing password for user juwu.
  Current Password:
  New password:
  Retype new password:
  Password change failed. Server message: Password not changed.
It seems that password might have not matched the server policy.
Have you tried different users and different passwords?

What does kerberos log on the server show? It will give you some hint
about the reason why the password was rejected.
It might be that the password you are trying to use already in the
history of passwords. AFAIR there was a bug that we did not handle
history of passwords properly in some cases. Now as it is fixed you
might see a proper policy enforcement.



Insufficient access to perform requested operation while trying to
change password.
  passwd: Authentication token manipulation error
  Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Can anyone help me restore that functionality? Please?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

_______________________________________________
Freeipa-users mailing list Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to