Re: [Freeipa-users] confusing users
RHEL6 is quite a broad specification :-) There are 3 additional minor numbers and the fourth is coming. But as Simo suggested in this thread, this issue should be fixed in next RHEL release. I could not reproduce in Fedora too, you can check my ssh outputs below - a reason why the new password is rejected is returned to user. Martin On 10/09/2012 09:44 PM, Steven Jones wrote: > Hi, > > The user was on ssh. > > RHEL6 64bit. > > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > > From: Martin Kosek [mko...@redhat.com] > Sent: Tuesday, 9 October 2012 7:54 p.m. > To: Steven Jones > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] confusing users > > On 10/09/2012 12:59 AM, Steven Jones wrote: >> Hi, >> >> When a user logs in for the first time nad they have to set a new password, >> if >> it doesnt meet the passowrd standard/policy it fails with a "authentication >> token manipulation error" is it possible to get that changed so it says >> "password does not meet policy"? >> >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> > > Hello Steven, > > what service did you use to log in (package versions may help too)? When I > tried ssh-ing a new user or login via login terminal, I got an explaining > error > message: > > 1) PAM prevented the change > > # ssh f...@ipa.example.com > f...@ipa.example.com's password: > Password expired. Change your password now. > Last login: Tue Oct 9 02:44:19 2012 from 10.0.0.1 > WARNING: Your password has expired. > You must change your password now and login again! > Changing password for user fbar. > Current Password: > New password: > BAD PASSWORD: The password is shorter than 8 characters > New password: > BAD PASSWORD: The password fails the dictionary check - it is based on a > dictionary word > New password: > Retype new password: Connection to ipa.example.com closed. > > 2) IPA pwpolicy prevented the chgange > > # ssh f...@ipa.example.com > f...@ipa.example.com's password: > Password expired. Change your password now. > Last login: Tue Oct 9 02:44:31 2012 from 10.0.0.1 > WARNING: Your password has expired. > You must change your password now and login again! > Changing password for user fbar. > Current Password: > New password: > Retype new password: > Password change failed. Server message: Password does not contain enough > character classes > > Password not changed. > passwd: Authentication token manipulation error > Connection to ipa.example.com closed. > > Martin > > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] confusing users
Hi, The user was on ssh. RHEL6 64bit. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Martin Kosek [mko...@redhat.com] Sent: Tuesday, 9 October 2012 7:54 p.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] confusing users On 10/09/2012 12:59 AM, Steven Jones wrote: > Hi, > > When a user logs in for the first time nad they have to set a new password, if > it doesnt meet the passowrd standard/policy it fails with a "authentication > token manipulation error" is it possible to get that changed so it says > "password does not meet policy"? > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > Hello Steven, what service did you use to log in (package versions may help too)? When I tried ssh-ing a new user or login via login terminal, I got an explaining error message: 1) PAM prevented the change # ssh f...@ipa.example.com f...@ipa.example.com's password: Password expired. Change your password now. Last login: Tue Oct 9 02:44:19 2012 from 10.0.0.1 WARNING: Your password has expired. You must change your password now and login again! Changing password for user fbar. Current Password: New password: BAD PASSWORD: The password is shorter than 8 characters New password: BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word New password: Retype new password: Connection to ipa.example.com closed. 2) IPA pwpolicy prevented the chgange # ssh f...@ipa.example.com f...@ipa.example.com's password: Password expired. Change your password now. Last login: Tue Oct 9 02:44:31 2012 from 10.0.0.1 WARNING: Your password has expired. You must change your password now and login again! Changing password for user fbar. Current Password: New password: Retype new password: Password change failed. Server message: Password does not contain enough character classes Password not changed. passwd: Authentication token manipulation error Connection to ipa.example.com closed. Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] confusing users
On Mon, 2012-10-08 at 22:59 +, Steven Jones wrote: > Hi, > > When a user logs in for the first time nad they have to set a new > password, if it doesnt meet the passowrd standard/policy it fails with > a "authentication token manipulation error" is it possible to get that > changed so it says "password does not meet policy"? Steven, I think this is a bug in RHEL, and should be fixed in the next update. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] confusing users
On 10/09/2012 12:59 AM, Steven Jones wrote: > Hi, > > When a user logs in for the first time nad they have to set a new password, if > it doesnt meet the passowrd standard/policy it fails with a "authentication > token manipulation error" is it possible to get that changed so it says > "password does not meet policy"? > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > Hello Steven, what service did you use to log in (package versions may help too)? When I tried ssh-ing a new user or login via login terminal, I got an explaining error message: 1) PAM prevented the change # ssh f...@ipa.example.com f...@ipa.example.com's password: Password expired. Change your password now. Last login: Tue Oct 9 02:44:19 2012 from 10.0.0.1 WARNING: Your password has expired. You must change your password now and login again! Changing password for user fbar. Current Password: New password: BAD PASSWORD: The password is shorter than 8 characters New password: BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word New password: Retype new password: Connection to ipa.example.com closed. 2) IPA pwpolicy prevented the chgange # ssh f...@ipa.example.com f...@ipa.example.com's password: Password expired. Change your password now. Last login: Tue Oct 9 02:44:31 2012 from 10.0.0.1 WARNING: Your password has expired. You must change your password now and login again! Changing password for user fbar. Current Password: New password: Retype new password: Password change failed. Server message: Password does not contain enough character classes Password not changed. passwd: Authentication token manipulation error Connection to ipa.example.com closed. Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] confusing users
1) I had to test as somehow I cant fathom what it means either! 2) That can be altered in the policy section, Ive altered mine to match my AD policy but with 6000+ users regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Tim Hildred [thild...@redhat.com] Sent: Tuesday, 9 October 2012 1:38 p.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] confusing users > > When a user logs in for the first time nad they have to set a new > password, if it doesnt meet the passowrd standard/policy it fails > with a "authentication token manipulation error" is it possible to > get that changed so it says "password does not meet policy"? > +1 And additionally, some really clear documentation on how on: 1) what is an acceptable password under the default password policy and why, with examples. 2) how to alter the password policy to meet the needs of your environment, with examples. Tim Hildred, RHCE Content Author II - Engineering Content Services, Red Hat, Inc. Brisbane, Australia Email: thild...@redhat.com Internal: 8588287 Mobile: +61 4 666 25242 IRC: thildred ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] confusing users
> > When a user logs in for the first time nad they have to set a new > password, if it doesnt meet the passowrd standard/policy it fails > with a "authentication token manipulation error" is it possible to > get that changed so it says "password does not meet policy"? > +1 And additionally, some really clear documentation on how on: 1) what is an acceptable password under the default password policy and why, with examples. 2) how to alter the password policy to meet the needs of your environment, with examples. Tim Hildred, RHCE Content Author II - Engineering Content Services, Red Hat, Inc. Brisbane, Australia Email: thild...@redhat.com Internal: 8588287 Mobile: +61 4 666 25242 IRC: thildred ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] confusing users
Hi, When a user logs in for the first time nad they have to set a new password, if it doesnt meet the passowrd standard/policy it fails with a "authentication token manipulation error" is it possible to get that changed so it says "password does not meet policy"? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users