Hi all,

This has been raised previously, here: 

I'm experiencing the same issue and I will summarise.

Mac OS X (Mavericks in my case, but it was the same before I upgraded it from 
Mountain Lion.)
Using RHEL 6.5 and ipa packages 3.0.0-37.

Directory Utility is connected to the IPA domain using the RFC2307 templates, 
slightly modified so that Groups are based on cn=compat,dc=domain and 
Users on cn=accounts,dc=domain, and NFSHomeDirectory and HomeDirectory are 
set to "#/Users/$uid$". The reason for using compat for groups is so that membership works 
correctly (it needs the memberUid format), and the reason for using accounts for Users is so that 
all main info is available and the regular change password works. Homes are set this 
way to keep everything local, as I don't want networked home folders.

Logons work great. Groups are all populated fully. Users can go to System 
Preferences -> Users & Groups -> Change password and change their password 
successfully. Home directories are kept local. Running createmobileaccount 
manually allows an account to be successfully marked as mobile so the credential 
cache works, even though the home directories are local (it seems the GUI won't do 
it properly, maybe because they're already local). So far, fantastic.

Now, if I create a new user in IPA, it will require a password change on logon.

When I log on to the Mac with this new user, the password box wiggles and a box 
appears underneath it: "Reset your password", saying I need to set a new 
password. So I enter a new password and verify it. Then I click "Reset 
Password" and it wiggles... no matter how many times I try, it doesn't move on.

The log I get is somewhat smaller, as I've not yet added Kerberos to 
pam.d/authorization (which shouldn't be required for this, since the regular change 
password works), and possibly because less logging is enabled, but I'm not sure 
what to modify and how.

12:50:47 SecurityAgent: User info context values set for testuser
12:50:48 authorizationhost: Failed to authenticate user <testuser> (error: 10).

Any thoughts on what the issue may be? An Apple issue maybe, or some 
incompatibility on the FreeIPA side? Are there any logs anywhere on the 
IPA side that might help? I can see no apparent issues in the slapd access log; it 
seems to return success for various attributes and then just stops, and no change 
comes in for the password. It doesn't even seem to request the global_policy, 
which it does when using the regular Change password.
