This is basically the log when I attempt to change the password:

Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:fromRect:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug  7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context values set for testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Created principal: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done krb5_parse_name()
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got principal: testus...@dd.net
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got password
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done getpwnam()
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get forwardable TGT.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: krb5_sendto_context is called on main thread, its a blocking api
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get non-forwardable TGT.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 error
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup3
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 refuses you
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires updating.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to authenticate user <testuser2> (error: 10).
Aug  7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App SecurityAgent cannot order in untagged windows before login.
Aug  7 16:59:43 mactestvm.mtl.dd.net SecurityAgent[271]: CGSOrderWindowList

Does this ring a bell?


-- 


Davis Goodman
Directeur Informatique  |  IT Manager

5605 Avenue de Gaspé, Suite 408  |  Montréal, QC H2T 2A4 
Tél: +1 (514) 360-3253 x104            Cell: +1 (514) 994-7360 





On 2013-08-07, at 15:41 , Dmitri Pal <d...@redhat.com> wrote:

> On 08/07/2013 10:27 AM, Davis Goodman wrote:
>> When I mention GUI I'm talking about the Mac OSX Login screen not through a 
>> browser
>> 
>> 
>> -- 
>> 
>> 
>> Davis Goodman
>> 
>> 
>> On 2013-08-07, at 10:07 , Rob Crittenden <rcrit...@redhat.com> wrote:
>> 
>>> Davis Goodman wrote:
>>>> Hi Brian, Lynn,
>>>> 
>>>> As far as Linux client, this is not my issue for now, I believe the Linux 
>>>> setup is quite straightforward and the password change at first login 
>>>> seems to work without an issue.
>>>> 
>>>> My main concern is on Mountain Lion 10.8.x,
>>>> 
>>>> At this point I've managed to bind the OSX machine to the IPA server 
>>>> without any issue following this guide:
>>>> 
>>>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>>> 
>>>> I also have all the automounts configured via LDAP using this: 
>>>> https://ssl.apple.com/business/docs/Autofs.pdf on page 16.
>>>> 
>>>> My main issue right now seems to be at the GUI login. The applet shows up 
>>>> for password change but doesn't seem to do anything. When I press continue 
>>>> the applet comes back and this goes in a loop until I hit "Cancel".
>>>> 
>>>> My IPA versions are as follows:
>>>> ipa-admintools.x86_64                    3.0.0-26.el6_4.4
>>>> ipa-client.x86_64                        3.0.0-26.el6_4.4
>>>> ipa-gothic-fonts.noarch                  003.02-4.2.el6
>>>> ipa-mincho-fonts.noarch                  003.02-3.1.el6
>>>> ipa-pgothic-fonts.noarch                 003.02-4.1.el6
>>>> ipa-pmincho-fonts.noarch                 003.02-3.1.el6
>>>> ipa-python.x86_64                        3.0.0-26.el6_4.4
>>>> ipa-server.x86_64                        3.0.0-26.el6_4.4
>>>> ipa-server-selinux.x86_64                3.0.0-26.el6_4.4
>>>> ipa-server-trust-ad.x86_64               3.0.0-26.el6_4.4
>>>> 
>>>> As mentioned in my first post, if I make the password change at the 
>>>> terminal prompt, I am then able to login without a password change prompt.
>>>> 
>>>> Not sure if I'll be able to go through this issue unless someone has 
>>>> already experienced this.
>>>> 
>>>> Davis
>>> 
>>> What browser are you using?
>>> 
>>> Have you tried the GUI with a new user from a Linux client?
>>> 
>>> I'm thinking this is a browser issue rather than something with OSX as the 
>>> majority of the work is done on the server.
>>> 
>>> rob
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> 
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> Not an expert on OSX.
> I wonder whether the UI prompt supports password change workflow. Maybe it 
> does but needs to be explicitly enabled?
> There should be some logs on the OSX that would indicate what is going on 
> when the server responds with the password change prompt.
> I would suggest starting troubleshooting efforts there.
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 


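Added example, not part of the original thread and not code from FreeIPA or Apple: a small triage script for authorizationhost PAM logs like the one at the top of this message. It rejoins records that a mail client hard-wrapped, then reports, for each failed login, which PAM stages reported an expired password. The sample log, user names, host name and the error code 9 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the log above (hard-wrapped by a mail client).
SAMPLE = """\
Aug  7 16:59:26 host.example authorizationhost[283]: in
pam_sm_authenticate(): Got user: alice
Aug  7 16:59:26 host.example authorizationhost[283]: in
pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has
expired
Aug  7 16:59:26 host.example authorizationhost[283]: in
pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug  7 16:59:26 host.example authorizationhost[283]: Failed to
authenticate user <alice> (error: 10).
Aug  7 17:02:10 host.example authorizationhost[301]: Failed to
authenticate user <bob> (error: 9).
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
RECORD = re.compile(r"^(\S+ +\d+ [\d:]+) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
PAM = re.compile(r"^in (pam_sm_\w+)\(\): (.*)$")
FAILED = re.compile(r"Failed to authenticate user <([^>]+)> \(error: (\d+)\)")

def unwrap(text):
    """Rejoin wrapped records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """One finding per failed login: user, error code, PAM stages that reported expiry."""
    per_pid, findings = defaultdict(list), []   # per_pid: pid -> [(pam_function, message)]
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m or m.group(3) != "authorizationhost":
            continue
        pid, msg = m.group(4), m.group(5)
        pam = PAM.match(msg)
        if pam:
            per_pid[pid].append(pam.groups())
        failed = FAILED.search(msg)
        if failed:
            stages = sorted({fn for fn, detail in per_pid.pop(pid, []) if "expired" in detail.lower()})
            findings.append({"user": failed.group(1), "error": int(failed.group(2)), "expired_in": stages})
    return findings
```

A failure whose "expired_in" list names both pam_sm_authenticate and pam_sm_acct_mgmt matches the pattern in the log above; an empty list means the login failed for some other reason.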