Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

2011-03-22 Thread Dmitri Pal
On 03/22/2011 09:54 AM, Dmitri Pal wrote:
> On 03/22/2011 06:11 AM, Andy Singleton wrote:
>> Hello,
>>
>> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>>
>> Everything appears to work fine, with the exception of updating users'
>> passwords from the client.
>>
>> From the user perspective, I get this:
>>
>> Changing password for user andytest.
>> Kerberos 5 Password:
>> New password:
>> Retype new password:
>> passwd: Authentication token manipulation error
>>
>> From the local secure log, I see this:
>>
>> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
>> "andytest" does not exist in /etc/passwd
>> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
>> "andytest" does not exist in /etc/passwd
>> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
>> failed for andyt...@live.tipp24.net: Cannot contact any KDC for
>> requested realm
>>
>> There are no local or network firewalls between the client and the IPA
>> server, and every other piece of IPA functionality appears to work fine.
>>
>> On the IPA server itself, I see this in krb5kdc:
>>
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
>> type found: Success
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
>> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andyt...@live.tipp24.net for
>> kadmin/chang...@live.tipp24.net, Preauthentication failed
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
>> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andyt...@live.tipp24.net for
>> kadmin/chang...@live.tipp24.net, Additional pre-authentication required
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
>> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
>> tkt=18 ses=18}, andyt...@live.tipp24.net for
>> kadmin/chang...@live.tipp24.net
>>
>> nsswitch.conf has the usual stuff:
>>
>> passwd: files ldap
>> shadow: files ldap
>> group:  files ldap
>>
>> I'm not sure what else to check.
>>
>> Andy
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Sorry, clicked the send button before I typed anything.
> It looks like this is the result of the OID fix we made some time ago.
> We recommend using ipa-client 2.0 with the latest IPA.
> The client in RHEL 6.0 has the bug related to password change that
> prevents it from working with IPA v2.
> There is no fix for 6.0 yet and, since ipa-client in RHEL 6.0 is in tech
> preview, there is no plan to release any asynch errata for it.
> RHEL 6.1 will carry the right version of ipa-client.
> We might be able to build an upstream version of the ipa-client for RHEL
> but not sooner than we release 2.0 (any time now...).
>  
>
Please ignore my reply.
Mixed the two issues on the list.

>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

2011-03-22 Thread Nalin Dahyabhai
On Tue, Mar 22, 2011 at 10:11:47AM -, Andy Singleton wrote:
>I am trying to install a rhel6 machine with the ipa-1.2.2 client.
> 
>Everything appears to work fine, with the exception of updating users
>passwords from the client.

Does running kpasswd instead of passwd work?  The pam_krb5 module
exercises a different code path in the client than kpasswd and sssd use,
which I think could be sending ipa-kpasswdd a request it doesn't
understand.  If it does, then you're running into #676526.

HTH,

Nalin

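The error in Andy's secure log, "password change failed ...: Cannot contact any KDC for requested realm", is raised by the client while it talks to the password-change service, not during the AS exchange: the krb5kdc log shows the ticket for kadmin/changepw being issued just before it. As an added diagnostic (example code written for this page, not from the thread or from FreeIPA), the script below reads a krb5.conf and reports which host and port the MIT Kerberos library will send a change-password request to, following the precedence documented in krb5.conf(5): kpasswd_server entries first, otherwise each admin_server host on port 464, otherwise a DNS SRV lookup of _kpasswd._udp.<REALM> when dns_lookup_kdc permits. The realm names and hosts in SAMPLE_KRB5_CONF are constructed, not the poster's configuration.

```python
"""Which host and port will an MIT Kerberos client (pam_krb5, kpasswd) send a
password-change request to?  Added example for this thread; not code from the
original posts or from FreeIPA.  It reads the [realms] section of a krb5.conf
and applies the precedence documented in krb5.conf(5).  SAMPLE_KRB5_CONF is a
constructed sample, not the poster's configuration."""
import re
from typing import Dict, List, Optional, Tuple

KPASSWD_PORT = 464  # default port of the kpasswd (change-password) service

# Constructed sample: EXAMPLE.COM has only admin_server, OTHER.EXAMPLE sets
# an explicit kpasswd_server with a non-default port.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = false

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
    admin_server = ipa.example.com:749
  }

  OTHER.EXAMPLE = {
    kdc = kdc1.other.example
    kpasswd_server = pw.other.example:4640
  }
"""


def parse_realms(conf: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {REALM: {tag: [value, ...]}} for the [realms] section.

    Minimal parser: 'tag = value' lines, one level of 'REALM = { ... }'
    braces, '#' or ';' comments.  Repeated tags (several kdc lines) are kept
    in order, as the library does.
    """
    realms: Dict[str, Dict[str, List[str]]] = {}
    section: Optional[str] = None
    realm: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1).lower(), None
            continue
        if section != "realms":
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m:
            realm = m.group(1)
            realms.setdefault(realm, {})
            continue
        if line == "}":
            realm = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.+)", line)
        if realm is not None and m:
            realms[realm].setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return realms


def split_hostport(value: str, default_port: int) -> Tuple[str, int]:
    """'host:port' -> (host, port); a bare host gets default_port."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port


def kpasswd_targets(conf: str, realm: str) -> List[Tuple[str, int]]:
    """Servers the client tries, in order, for a password change in `realm`.

    krb5.conf(5): kpasswd_server entries are used if present; otherwise each
    admin_server host is tried on port 464 (its own port, usually 749, is not
    used for kpasswd).  An empty list means the client must fall back to a
    DNS SRV lookup of _kpasswd._udp.<REALM>, which only happens when
    dns_lookup_kdc allows it.
    """
    tags = parse_realms(conf).get(realm, {})
    if tags.get("kpasswd_server"):
        return [split_hostport(v, KPASSWD_PORT) for v in tags["kpasswd_server"]]
    return [(split_hostport(v, KPASSWD_PORT)[0], KPASSWD_PORT)
            for v in tags.get("admin_server", [])]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: kpasswd_targets.py /etc/krb5.conf REALM
        with open(sys.argv[1]) as f:
            conf, realm = f.read(), sys.argv[2]
    else:  # no arguments: run against the constructed sample
        conf, realm = SAMPLE_KRB5_CONF, "EXAMPLE.COM"
    targets = kpasswd_targets(conf, realm)
    if not targets:
        print(f"{realm}: no kpasswd_server or admin_server; "
              f"client depends on DNS SRV _kpasswd._udp.{realm}")
    for host, port in targets:
        print(f"{realm}: password change request goes to {host}:{port}")
```

Run it on the client as "python3 kpasswd_targets.py /etc/krb5.conf REALM" (the script name is only a suggestion). If it names a host, that is where ipa_kpasswd has to be listening on port 464, which is what Rob's question checks. If it names nothing and dns_lookup_kdc is off, the client has no password-change server at all and the problem is configuration rather than the client bug Nalin describes.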


Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

2011-03-22 Thread Andy Singleton
Yes, ipa_kpasswd is running.

I have some additional information: kpasswd on the client does work,
passwd does not.

This is fine, except when a user attempts to connect when they need a
password reset: they get prompted to change it, but then the same error
as before occurs.

Andy

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Tuesday, March 22, 2011 1:45 PM
To: Andy Singleton
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

Andy Singleton wrote:
> Hello,
>
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users'
> passwords from the client.
>
> From the user perspective, I get this:
>
> Changing password for user andytest.
> Kerberos 5 Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> From the local secure log, I see this:
>
> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andyt...@live.tipp24.net: Cannot contact any KDC for
> requested realm
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net, Preauthentication failed
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net, Additional pre-authentication required
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net
>
> nsswitch.conf has the usual stuff:
>
> passwd: files ldap
> shadow: files ldap
> group:  files ldap
>
> I'm not sure what else to check.
>
> Andy

Is ipa_kpasswd running on the IPA server?

rob



Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

2011-03-22 Thread Dmitri Pal
On 03/22/2011 06:11 AM, Andy Singleton wrote:
> Hello,
>
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users'
> passwords from the client.
>
> From the user perspective, I get this:
>
> Changing password for user andytest.
> Kerberos 5 Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> From the local secure log, I see this:
>
> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andyt...@live.tipp24.net: Cannot contact any KDC for
> requested realm
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net, Preauthentication failed
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net, Additional pre-authentication required
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net
>
> nsswitch.conf has the usual stuff:
>
> passwd: files ldap
> shadow: files ldap
> group:  files ldap
>
> I'm not sure what else to check.
>
> Andy
>
>
>
>

Sorry, clicked the send button before I typed anything.
It looks like this is the result of the OID fix we made some time ago.
We recommend using ipa-client 2.0 with the latest IPA.
The client in RHEL 6.0 has the bug related to password change that
prevents it from working with IPA v2.
There is no fix for 6.0 yet and, since ipa-client in RHEL 6.0 is in tech
preview, there is no plan to release any asynch errata for it.
RHEL 6.1 will carry the right version of ipa-client.
We might be able to build an upstream version of the ipa-client for RHEL
but not sooner than we release 2.0 (any time now...).
 



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.






Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

2011-03-22 Thread Rob Crittenden

Andy Singleton wrote:

> Hello,
>
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users'
> passwords from the client.
>
> From the user perspective, I get this:
>
> Changing password for user andytest.
> Kerberos 5 Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> From the local secure log, I see this:
>
> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andyt...@live.tipp24.net: Cannot contact any KDC for
> requested realm
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net, Preauthentication failed
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net, Additional pre-authentication required
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net
>
> nsswitch.conf has the usual stuff:
>
> passwd: files ldap
> shadow: files ldap
> group:  files ldap
>
> I'm not sure what else to check.
>
> Andy


Is ipa_kpasswd running on the IPA server?

rob



Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

2011-03-22 Thread Dmitri Pal
On 03/22/2011 06:11 AM, Andy Singleton wrote:
> Hello,
>
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users'
> passwords from the client.
>
> From the user perspective, I get this:
>
> Changing password for user andytest.
> Kerberos 5 Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> From the local secure log, I see this:
>
> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andyt...@live.tipp24.net: Cannot contact any KDC for
> requested realm
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net, Preauthentication failed
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net, Additional pre-authentication required
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andyt...@live.tipp24.net for
> kadmin/chang...@live.tipp24.net
>
> nsswitch.conf has the usual stuff:
>
> passwd: files ldap
> shadow: files ldap
> group:  files ldap
>
> I'm not sure what else to check.
>
> Andy
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.






[Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

2011-03-22 Thread Andy Singleton
Hello,

I am trying to install a rhel6 machine with the ipa-1.2.2 client.

Everything appears to work fine, with the exception of updating users'
passwords from the client.

From the user perspective, I get this:

Changing password for user andytest.
Kerberos 5 Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

From the local secure log, I see this:

Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
"andytest" does not exist in /etc/passwd
Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
"andytest" does not exist in /etc/passwd
Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
failed for andyt...@live.tipp24.net: Cannot contact any KDC for
requested realm

There are no local or network firewalls between the client and the IPA
server, and every other piece of IPA functionality appears to work fine.

On the IPA server itself, I see this in krb5kdc:

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
type found: Success
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andyt...@live.tipp24.net for
kadmin/chang...@live.tipp24.net, Preauthentication failed
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andyt...@live.tipp24.net for
kadmin/chang...@live.tipp24.net, Additional pre-authentication required
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
tkt=18 ses=18}, andyt...@live.tipp24.net for
kadmin/chang...@live.tipp24.net

nsswitch.conf has the usual stuff:

passwd: files ldap
shadow: files ldap
group:  files ldap

I'm not sure what else to check.

Andy
