Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
Tim Hildred wrote:
> It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line, there was a connection error. The upgrade meant my IPA server was straight borked. The solution? Revert to a previous snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).
>
> And I learned a valuable lesson: if it ain't broke, don't upgrade.

Sorry that you had problems with the upgrade. We'd be happy to work with you to try to figure out where things went sideways. Others would likely benefit from this work too.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
On Mon, Mar 11, 2013 at 01:21:26AM -0400, Tim Hildred wrote:
> It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line, there was a connection error. The upgrade meant my IPA server was straight borked. The solution? Revert to a previous snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).

Maybe instead of trying to upgrade directly from 2.0 to 3.0 a step in between like 2.0->2.1->3.0 would be better? To be on the safe side you might want to include 2.2 as well in the upgrade path.

HTH

bye,
Sumit

> And I learned a valuable lesson: if it ain't broke, don't upgrade.
Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line, there was a connection error. The upgrade meant my IPA server was straight borked. The solution? Revert to a previous snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).

And I learned a valuable lesson: if it ain't broke, don't upgrade.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -
> From: "Dmitri Pal"
> To: freeipa-users@redhat.com
> Sent: Saturday, March 9, 2013 5:19:51 AM
> Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
>
> On 03/07/2013 11:47 PM, Tim Hildred wrote:
>
> Hello,
>
> I have been using IPA for authentication with a RHEV environment.
>
> Quite a while ago, I got help from this list in making it so that my users could access the WebUI with their login and passwords, no Kerberos ticket required. I also had it working that when their passwords expired, they would ssh to the IPA server as themselves, get challenged for their current password, and then the opportunity to provide a new one.
>
> The update to ipa-server 3.0.0-25.el6 means that I can no longer log into the WebUI with just a login and password (see attached screenshot) and that users who try and update expired passwords get:
>
> You must change your password now and login again!
> Changing password for user juwu.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Password not changed.
>
> It seems that password might have not matched the server policy.
> Have you tried different users and different passwords?
>
> What does kerberos log on the server show? It will give you some hint about the reason why the password was rejected.
> It might be that the password you are trying to use is already in the history of passwords. AFAIR there was a bug that we did not handle history of passwords properly in some cases. Now as it is fixed you might see a proper policy enforcement.
>
> Insufficient access to perform requested operation while trying to change password.
> passwd: Authentication token manipulation error
> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>
> Can anyone help me restore that functionality? Please?
>
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
On 03/07/2013 11:47 PM, Tim Hildred wrote:
> Hello,
>
> I have been using IPA for authentication with a RHEV environment.
>
> Quite a while ago, I got help from this list in making it so that my users could access the WebUI with their login and passwords, no Kerberos ticket required. I also had it working that when their passwords expired, they would ssh to the IPA server as themselves, get challenged for their current password, and then the opportunity to provide a new one.
>
> The update to ipa-server 3.0.0-25.el6 means that I can no longer log into the WebUI with just a login and password (see attached screenshot) and that users who try and update expired passwords get:
>
> You must change your password now and login again!
> Changing password for user juwu.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Password not changed.

It seems that password might have not matched the server policy. Have you tried different users and different passwords?

What does kerberos log on the server show? It will give you some hint about the reason why the password was rejected.
It might be that the password you are trying to use is already in the history of passwords. AFAIR there was a bug that we did not handle history of passwords properly in some cases. Now as it is fixed you might see a proper policy enforcement.

> Insufficient access to perform requested operation while trying to change password.
> passwd: Authentication token manipulation error
> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>
> Can anyone help me restore that functionality? Please?
>
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
[Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
Hello,

I have been using IPA for authentication with a RHEV environment.

Quite a while ago, I got help from this list in making it so that my users could access the WebUI with their login and passwords, no Kerberos ticket required. I also had it working that when their passwords expired, they would ssh to the IPA server as themselves, get challenged for their current password, and then the opportunity to provide a new one.

The update to ipa-server 3.0.0-25.el6 means that I can no longer log into the WebUI with just a login and password (see attached screenshot) and that users who try and update expired passwords get:

You must change your password now and login again!
Changing password for user juwu.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Password not changed.
Insufficient access to perform requested operation while trying to change password.
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Can anyone help me restore that functionality? Please?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred