This has been raised previously, here:
I'm experiencing the same issue and I will summarise.
Mac OS X (Mavericks in my case, but it was the same before I upgraded it from
Using RHEL 6.5 and ipa packages 3.0.0-37.
Directory Utility is connected to the IPA domain using the RFC2307 templates,
slightly modified so that Groups are based on cn=compat,dc=domain and
Users on cn=accounts,dc=domain, and so that NFSHomeDirectory and HomeDirectory are
set to "#/Users/$uid$". The reason for using compat for groups is so that membership works
correctly (it needs the memberUid format), and the reason for using accounts for Users is so that
all the main info is available and the regular Change password works. Homes are set as
such to keep everything local, as I don't want networked home folders.
Logons work great. Groups are all populated fully. Users can go to System
Preferences -> Users & Groups -> Change password and change password
successfully. Home directories are kept local. Running the createmobileaccount
manually allows an account to successfully be marked as mobile so credential
cache works, even if the home directories are local (it seems the GUI won't do
it properly, maybe because they're already local.) So far, fantastic.
Now, if I create a new user in IPA, it will require a password change on logon.
When I log on on the Mac with this new user, the password box wiggles and a box
appears underneath it, "Reset your password", saying I need to set a new
password. So I enter a new password and verify it. Then I click "Reset
Password" and it wiggles... no matter how many times I try, it doesn't move on.
The log I get is somewhat smaller, as I've not yet added kerberos to the
pam.d/authorization (it shouldn't be required for this, since the regular Change
password works), and possibly because less logging is enabled, but I'm not sure
what to modify and how.
12:50:47 SecurityAgent: User info context values set for testuser
12:50:48 authorizationhost: Failed to authenticate user <testuser> (error: 10).
Any thoughts on what the issue may be? An Apple issue maybe, or some
incompatibility on the FreeIPA side? Are there any logs from anywhere on the
IPA that might help? I can see no apparent issues in the slapd access log; it
seems to return successfully for various attributes and then just stops, and no change
comes in for the password. It doesn't even seem to request the global_policy,
which it does when using the regular Change password.
Freeipa-users mailing list