Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line, there was a connection error. The upgrade meant my IPA server was straight borked.

The solution? Revert to a previous snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2). And I learned a valuable lesson: if it ain't broke, don't upgrade.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
From: Dmitri Pal d...@redhat.com
To: freeipa-users@redhat.com
Sent: Saturday, March 9, 2013 5:19:51 AM
Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

> On 03/07/2013 11:47 PM, Tim Hildred wrote:
>> Hello,
>>
>> I have been using IPA for authentication with a RHEV environment. Quite a while ago, I got help from this list in making it so that my users could access the WebUI with their login and passwords, no Kerberos ticket required. I also had it working that when their passwords expired, they would ssh to the IPA server as themselves, get challenged for their current password, and then the opportunity to provide a new one.
>>
>> The update to ipa-server 3.0.0-25.el6 means that I can no longer log into the WebUI with just a login and password (see attached screenshot) and that users who try and update expired passwords get:
>>
>> You must change your password now and login again!
>> Changing password for user juwu.
>> Current Password:
>> New password:
>> Retype new password:
>> Password change failed. Server message: Password not changed.
>
> It seems that password might have not matched the server policy. Have you tried different users and different passwords? What does kerberos log on the server show? It will give you some hint about the reason why the password was rejected. It might be that the password you are trying to use is already in the history of passwords. AFAIR there was a bug that we did not handle history of passwords properly in some cases. Now as it is fixed you might see a proper policy enforcement.
>
>> Insufficient access to perform requested operation while trying to change password.
>> passwd: Authentication token manipulation error
>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>
>> Can anyone help me restore that functionality? Please?
>>
>> Tim Hildred, RHCE
>> Content Author II - Engineering Content Services, Red Hat, Inc.
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
Hello,

I have been using IPA for authentication with a RHEV environment. Quite a while ago, I got help from this list in making it so that my users could access the WebUI with their login and passwords, no Kerberos ticket required. I also had it working that when their passwords expired, they would ssh to the IPA server as themselves, get challenged for their current password, and then the opportunity to provide a new one.

The update to ipa-server 3.0.0-25.el6 means that I can no longer log into the WebUI with just a login and password (see attached screenshot) and that users who try and update expired passwords get:

You must change your password now and login again!
Changing password for user juwu.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Password not changed.
Insufficient access to perform requested operation while trying to change password.
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Can anyone help me restore that functionality? Please?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.

attachment: ipa_dialog.png
[Freeipa-users] DNS changes made from the WebUI take a long time to be recognized.
Should it take several hours for me to be able to ping a host at its new IP address when I update the DNS record in the WebUI? I deleted the old records (A and PTR), and added new records for the same FQDN, with a different IP address. But I can't ping the host using the FQDN.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Re: [Freeipa-users] confusing users
> When a user logs in for the first time and they have to set a new password, if it doesn't meet the password standard/policy it fails with an authentication token manipulation error. Is it possible to get that changed so it says password does not meet policy?

+1

And additionally, some really clear documentation on:
1) what is an acceptable password under the default password policy and why, with examples.
2) how to alter the password policy to meet the needs of your environment, with examples.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Re: [Freeipa-users] Password requirements too stringent
Sep 19 11:40:43 dns1 sshd[11197]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 19 11:40:43 dns1 sshd[11197]: Accepted password for ykatabam from 10.64.48.102 port 47713 ssh2
Sep 19 11:40:43 dns1 sshd[11197]: pam_unix(sshd:session): session opened for user ykatabam by (uid=0)
Sep 19 11:40:43 dns1 passwd: pam_unix(passwd:chauthtok): user ykatabam does not exist in /etc/passwd
Sep 19 11:41:21 dns1 passwd: pam_unix(passwd:chauthtok): user ykatabam does not exist in /etc/passwd
Sep 19 11:41:22 dns1 sshd[11201]: Received disconnect from 10.64.48.102: 11: disconnected by user
Sep 19 11:41:22 dns1 sshd[11197]: pam_unix(sshd:session): session closed for user ykatabam
Sep 19 14:40:33 dns1 sshd[3]: Received disconnect from 10.64.15.231: 11: disconnected by user

Looks like you're right Jakub. From what I gather:

- the server requires a complex password in that cracklib.so, so it was suggested I take that password requisite cracklib.so out.
- with that gone, it looks kind of like IPA doesn't come into the picture?

I uncommented that line, and now it all works again, but I'm back to really-stringent-password-requirement-town. What next?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.

----- Original Message -----
From: Jakub Hrozek jhro...@redhat.com
To: Tim Hildred thild...@redhat.com
Cc: freeipa-users@redhat.com
Sent: Wednesday, September 19, 2012 4:56:42 PM
Subject: Re: [Freeipa-users] Password requirements too stringent

> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
>> So, commenting out:
>>
>> password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
>>
>> Caused users updating their passwords using ssh to get:
>>
>> [ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Permission denied, please try again.
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Password expired. Change your password now.
>> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user ykatabam.
>> Current Password:
>> Password change failed. Server message: Password change failed
>> passwd: Authentication token manipulation error
>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>
>> Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something?
>
> What did /var/log/secure have to say? The message sounds to me like it's coming from the server..
Re: [Freeipa-users] Password requirements too stringent
So, commenting out:

password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

Caused users updating their passwords using ssh to get:

[ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Permission denied, please try again.
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Password expired. Change your password now.
Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ykatabam.
Current Password:
Password change failed. Server message: Password change failed
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.

----- Original Message -----
From: Jakub Hrozek jhro...@redhat.com
To: freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 5:29:12 PM
Subject: Re: [Freeipa-users] Password requirements too stringent

> On Tue, Sep 18, 2012 at 02:57:49AM +, JR Aquino wrote:
>> On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:
>>> JR
>>>
>>> I had that line. I commented it out. Thank you. Now, what do I have to restart?
>>
>> I believe it should take effect in real time, but you may need to test to be sure.
>>
>> If it is still happening, you may need to double check that some other pam cfg doesn't also have it present:
>>
>> $ cd /etc/pam.d/
>> grep pam_cracklib *
>>
>> If you have removed it from everything and it is still giving you the same error, then I would try a reboot... perhaps getty needs to reinitialize or something.
>>
>> But I'd try those steps before a reboot! ;)
>
> Some services, notably the sshd, must be restarted in order to re-read the PAM config.
[Freeipa-users] Password requirements too stringent
Hey all;

I'm running IPA internally to control access to our cloud environment. I must admit, I do not understand the password requirements. I have had them set to the defaults. I read this:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change their passwords, they get "Based on a dictionary word" for passwords that have nothing to do with dictionary words. I can't find anywhere in the documentation a breakdown of what makes an unacceptable versus acceptable password.

Can anyone help me figure out what to tell my users? I think people would get a lot less frustrated if they knew why C679V375 was too simple when the password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.

ps: funny exchange with user:

Jul 12 14:12:33 user1 i feel like im being punked
Jul 12 14:12:40 user1 it is based on a dictionary word
Jul 12 14:12:43 user1 it is too short
Jul 12 14:12:49 user1 it does not have enough unique letters
Jul 12 14:12:51 user1 etc
Re: [Freeipa-users] Password Expiration Grace Limit
<latetotheparty>
There seems to be nothing in the documentation about a user being able to initiate a password change dialogue after their password has expired:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Using_SSH_for_Password_Authentication.html
</latetotheparty>

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Re: [Freeipa-users] Password requirements too stringent
JR

I had that line. I commented it out. Thank you. Now, what do I have to restart?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.

----- Original Message -----
From: JR Aquino jr.aqu...@citrix.com
To: Tim Hildred thild...@redhat.com
Cc: freeipa-users freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 12:37:48 PM
Subject: Re: [Freeipa-users] Password requirements too stringent

> Tim, please check your /etc/pam.d/system-auth with the password block. If you see "password requisite pam_cracklib.so", then this is why you are having a problem.
>
> $ man pam_cracklib
>
> It is a local security library for enforcing strong password practices from the unix cli.
>
> ProTip: If you don't need this, you can remove it from pam. If you want to work around this, set your password from the IPA webui or via the cli:
>
> ipa passwd username
>
> Hope this info helps!
>
> Keeping your head in the cloud
> ~ JR Aquino
> Senior Information Security Specialist, Technical Operations
> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
> GIAC Certified Incident Handler | GIAC Web Application Penetration Tester
> jr.aqu...@citrix.com
> Powering mobile workstyles and cloud services
>
> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
>> Hey all;
>>
>> I'm running IPA internally to control access to our cloud environment. I must admit, I do not understand the password requirements. I have had them set to the defaults. I read this:
>>
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
>>
>> I have the minimum character classes set to 0. When people use SSH to change their passwords, they get "Based on a dictionary word" for passwords that have nothing to do with dictionary words. I can't find anywhere in the documentation a breakdown of what makes an unacceptable versus acceptable password.
>>
>> Can anyone help me figure out what to tell my users? I think people would get a lot less frustrated if they knew why C679V375 was too simple when the password policy has 0 required classes.
>>
>> Tim Hildred, RHCE
>> Content Author II - Engineering Content Services, Red Hat, Inc.
>>
>> ps: funny exchange with user:
>>
>> Jul 12 14:12:33 user1 i feel like im being punked
>> Jul 12 14:12:40 user1 it is based on a dictionary word
>> Jul 12 14:12:43 user1 it is too short
>> Jul 12 14:12:49 user1 it does not have enough unique letters
>> Jul 12 14:12:51 user1 etc
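The pam_cracklib line quoted in this thread (dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8) is enough on its own to explain the C679V375 question, independently of the IPA server's character-class setting: in pam_cracklib a negative credit value is a minimum count of that character class, so ocredit=-1 demands at least one non-alphanumeric character, which C679V375 lacks. The "Based on a dictionary word" and "too short" messages the users saw come from cracklib's own checks in the same module. The Python below is an added example, not code from the thread, from FreeIPA or from pam_cracklib: it pulls the pam_cracklib options out of a constructed /etc/pam.d/system-auth excerpt (only the pam_cracklib line is taken from the thread; the other lines and the sample passwords are made up) and applies the module's credit arithmetic so an admin can see which local rule rejected a candidate before blaming the server-side policy. It deliberately models only minlen and the four credit parameters, not the dictionary, palindrome or similarity checks, and ignores pam_cracklib's legacy "plus one" length quirk.

```python
"""Audit /etc/pam.d for pam_cracklib and explain credit/length rejections.
Added example; the PAM snippet below is constructed around the line quoted in
the thread and is not taken from any real system."""

# Constructed system-auth excerpt. Only the active pam_cracklib line is from the
# thread; the commented-out one checks that comments are ignored.
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# password  requisite     pam_cracklib.so minlen=12
password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
"""

# The four character classes pam_cracklib counts: digit, upper, lower, other.
CREDIT_CLASSES = {
    "dcredit": str.isdigit,
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "ocredit": lambda c: not c.isalnum(),
}


def find_cracklib_params(pam_text):
    """Return the pam_cracklib.so options of the first active (non-comment)
    line that loads the module as a dict {flag: value-or-None}, or None if
    the module is not loaded at all."""
    for raw in pam_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "pam_cracklib.so" not in fields:
            continue
        params = {}
        for opt in fields[fields.index("pam_cracklib.so") + 1:]:
            key, sep, value = opt.partition("=")
            params[key] = value if sep else None   # bare flags map to None
        return params
    return None


def check_credits(password, params):
    """Apply pam_cracklib's credit arithmetic (simplified, see lead-in).
    A negative credit N means 'at least -N characters of that class are
    required'; a non-negative N means 'up to N characters of that class each
    add one to the effective length'. The password passes when every minimum
    is met and len + credits >= minlen. Returns a list of failure strings;
    an empty list means it passes these rules."""
    failures = []
    # pam_cracklib defaults when an option is absent: minlen=9, each credit=1.
    minlen = int(params.get("minlen") or 9)
    credits = 0
    for name, belongs in CREDIT_CLASSES.items():
        n = int(params.get(name) or 1)
        count = sum(1 for ch in password if belongs(ch))
        if n < 0:
            if count < -n:
                failures.append(f"{name}={n}: at least {-n} such character(s) "
                                f"required, found {count}")
        else:
            credits += min(count, n)
    if len(password) + credits < minlen:
        failures.append(f"minlen={minlen}: length {len(password)} plus "
                        f"{credits} credit(s) is too short")
    return failures


def explain(password, pam_text=SYSTEM_AUTH):
    """Locate pam_cracklib in the given PAM config and evaluate the password."""
    params = find_cracklib_params(pam_text)
    if params is None:
        return ["pam_cracklib.so is not active in this PAM config; any "
                "rejection is coming from elsewhere (e.g. the IPA server policy)"]
    return check_credits(password, params)


if __name__ == "__main__":
    # Constructed candidates: the one from the thread, a variant with one
    # non-alphanumeric character, and one that is simply too short.
    for candidate in ("C679V375", "C679V37!", "Ab1!"):
        result = explain(candidate)
        print(candidate, "->", "passes credit rules" if not result else "; ".join(result))
```

Run against a real box by reading /etc/pam.d/system-auth (and password-auth on RHEL 6) into `explain()`; if `find_cracklib_params` returns None for every file, the local module is out of the picture and the rejection message must be the server's, which is the distinction Jakub's "coming from the server" comment is drawing.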