Re: [Freeipa-users] Mountain Lion GUI Login (Expired passwords / Mavericks too)

2014-03-13 Thread Jason Woods
Hi

>> 
>> I don't have OS X, but every time I create a new test user on linux and log
>> in to test it, I get bit by the fact that the passwd change always asks for
>> the existing password first, before asking for the new password. So I have
>> to enter the original password once to login, once to make passwd happy,
>> and then enter the new password. Are you sure the dialog box isn't asking
>> for the existing password first?
>> 
>> 
>> Robert
>> 
>> --
>> Senior Software Engineer @ Parsons
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Well I still haven’t had any responses since that time.
> 
> I wish we could resolve this since it’s the only little bit remaining to have 
> a full FreeIPA integration.
> 

Yeah, it's the only thing wrong for me.

To answer Robert's question though - the reset password is a pop-up with an 
arrow to the login and the original password is still there - so I would assume 
so. Guessing this is gonna need deeper investigation though, but I suspect it's 
more on the Apple side :-(

> BTW we also integrated sudo-ldap on our OSX machines. The only thing is that 
> you have to upgrade the sudo packages with this one.
> 
> sudo-1.8.9p3.pkg
> 
> and then:
> 
> installer -pkg /prod/sysadmin/darwin/software/sudo/sudo-1.8.9p3.pkg -target /
> mv /usr/bin/sudo /usr/bin/sudo.orig
> ln -s /usr/local/bin/sudo /usr/bin
> 
> then you modify sudo-ldap and nsswitch.conf same thing as on the linux boxes.
> 
> 
> 
> 
> -- 
> 
> 
> Davis Goodman
> Directeur Informatique  |  IT Manager
> 
> 5605 Avenue de Gaspé, Suite 408  |  Montréal, QC H2T 2A4 
> Tél: +1 (514) 360-3253 x104Cell: +1 (514) 994-7360 
> 

Thanks for that! We've not got around to any sudo and not really needed but 
it's great to know it's certainly possible and fairly straightforward!

Jason

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Mountain Lion GUI Login (Expired passwords / Mavericks too)

2014-03-13 Thread Davis Goodman

-- 
Davis Goodman
Directeur Informatique  |  IT Manager
5605 Avenue de Gaspé, Suite 408  |  Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104    Cell: +1 (514) 994-7360

On Mar 13, 2014, at 10:29 , Robert Story  wrote:

> On Thu, 13 Mar 2014 14:08:29 + Jason wrote:
> JW> Now if I create a new user in IPA. It will require a password change on
> JW> logon.
> JW> 
> JW> When I logon on the Mac with this new user. The password box wiggles
> JW> and a box appears underneath it. "Reset your password". Saying I need
> JW> to set a new password. So I enter a new password and I verify it. Then
> JW> I click "Reset Password" and it wiggle... no matter how many times I
> JW> try, it doesn't move on.
> 
> I don't have OS X, but every time I create a new test user on linux and log
> in to test it, I get bit by the fact that the passwd change always asks for
> the existing password first, before asking for the new password. So I have
> to enter the original password once to login, once to make passwd happy,
> and then enter the new password. Are you sure the dialog box isn't asking
> for the existing password first?
> 
> Robert
> 
> --
> Senior Software Engineer @ Parsons

Well I still haven’t had any responses since that time.

I wish we could resolve this since it’s the only little bit remaining to have a 
full FreeIPA integration.

BTW we also integrated sudo-ldap on our OSX machines. The only thing is that 
you have to upgrade the sudo packages with this one.

sudo-1.8.9p3.pkg

and then:

installer -pkg /prod/sysadmin/darwin/software/sudo/sudo-1.8.9p3.pkg -target /
mv /usr/bin/sudo /usr/bin/sudo.orig
ln -s /usr/local/bin/sudo /usr/bin

then you modify sudo-ldap and nsswitch.conf same thing as on the linux boxes.

Re: [Freeipa-users] Mountain Lion GUI Login (Expired passwords / Mavericks too)

2014-03-13 Thread Robert Story
On Thu, 13 Mar 2014 14:08:29 + Jason wrote:
JW> Now if I create a new user in IPA. It will require a password change on
JW> logon.
JW> 
JW> When I logon on the Mac with this new user. The password box wiggles
JW> and a box appears underneath it. "Reset your password". Saying I need
JW> to set a new password. So I enter a new password and I verify it. Then
JW> I click "Reset Password" and it wiggle... no matter how many times I
JW> try, it doesn't move on.

I don't have OS X, but every time I create a new test user on linux and log
in to test it, I get bit by the fact that the passwd change always asks for
the existing password first, before asking for the new password. So I have
to enter the original password once to login, once to make passwd happy,
and then enter the new password. Are you sure the dialog box isn't asking
for the existing password first?


Robert

--
Senior Software Engineer @ Parsons



Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-07 Thread Dmitri Pal
On 08/07/2013 05:33 PM, Davis Goodman wrote:
> This is basically the log when I attempt to change the password:
>
> Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: 
> -[NSImage compositeToPoint:operation:fraction:] is deprecated in MacOSX 10.8 
> and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] 
> instead.
> Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: 
> -[NSImage compositeToPoint:fromRect:operation:fraction:] is deprecated in 
> MacOSX 10.8 and later. Please use -[NSImage 
> drawAtPoint:fromRect:operation:fraction:] instead.
> Aug  7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context 
> values set for testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Got user: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Got ruser: (null)
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Got service: authorization
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Context initialised
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: 
> testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Got user: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Got ruser: (null)
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Got service: authorization
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Context initialised
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Created principal: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Done krb5_parse_name()
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Got principal: testus...@dd.net
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Got password
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Done getpwnam()
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Attempting to get forwardable TGT.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: 
> krb5_sendto_context is called on main thread, its a blocking api
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Attempting to get non-forwardable TGT.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Kerberos 5 error
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has 
> expired
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Done cleanup2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Done cleanup3
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): Kerberos 5 refuses you
This is where it should behave differently.
It should treat this not as a failure but prompt for a password change
when such an error is returned.
I would check OSX forums on how to enable password change in the UI.

> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): pam_sm_authenticate: ntlm
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires 
> updating.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
> pam_sm_acct_mgmt(): OpenDirectory - Password expired.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to 
> authenticate user  (error: 10).
> Aug  7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App 
> SecurityAgent cannot order in untagged windows before login.
> Aug  7 16:59:43 mactestvm.mtl.dd.net SecurityAgent[271]: CGSOrderWindowList
>
> Does this ring a bell?
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



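Dmitri's point above is that the KDC's "Password has expired" reply is not a failed login but the signal to start the password-change workflow, so it is worth telling the two apart when reading these logs. The following is an added example, not code from the thread or from any FreeIPA or Apple component: it parses authorizationhost lines of the shape Davis posted and classifies each PAM session. The sample lines, the EXAMPLE.TEST realm, the second invented session and all function names are my own constructions.

```python
from __future__ import annotations

import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Iterable, Optional

# Syslog prefix as written by the macOS system log in the thread:
# "Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[A-Za-z]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
USER_RE = re.compile(r"pam_sm_authenticate\(\): Got user: (\S+)")
PRINC_RE = re.compile(r"pam_sm_authenticate\(\): Got principal: (\S+)")
KRB5_ERR_RE = re.compile(r"Error krb5_get_init_creds_password\(\): (.+)$")
FAIL_RE = re.compile(r"Failed to authenticate user.*\(error: (\d+)\)")
OD_EXPIRED = "OpenDirectory - Password expired."


@dataclass
class LoginAttempt:
    """One PAM session, keyed by the authorizationhost pid."""
    pid: str
    user: str = ""
    principal: str = ""
    krb5_error: str = ""
    od_expired: bool = False
    failed: bool = False
    error_code: Optional[int] = None

    def outcome(self) -> str:
        # The KDC recognised the user but reports an expired key: this is the
        # case Dmitri describes, where the client should start a password
        # change rather than report a failed login.
        if "expired" in self.krb5_error.lower() or self.od_expired:
            return "password-expired"
        if self.failed:
            return "auth-failed"
        return "no-failure-recorded"


def parse_attempts(lines: Iterable[str]) -> list[LoginAttempt]:
    """Group authorizationhost lines by pid and pull out the fields we need."""
    attempts: OrderedDict[str, LoginAttempt] = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        # Skip SecurityAgent/WindowServer chatter and anything that is not a
        # syslog line (e.g. a continuation of a mail-wrapped line).
        if not m or m["proc"] != "authorizationhost":
            continue
        pid, msg = m["pid"], m["msg"]
        attempt = attempts.setdefault(pid, LoginAttempt(pid=pid))
        if (u := USER_RE.search(msg)):
            attempt.user = u.group(1)
        elif (p := PRINC_RE.search(msg)):
            attempt.principal = p.group(1)
        elif (e := KRB5_ERR_RE.search(msg)):
            attempt.krb5_error = e.group(1).strip()
        elif OD_EXPIRED in msg:
            attempt.od_expired = True
        elif (f := FAIL_RE.search(msg)):
            attempt.failed = True
            attempt.error_code = int(f.group(1))
    return list(attempts.values())


def summarize(lines: Iterable[str]) -> dict[str, str]:
    """Map each user (or pid, if no user line was seen) to its outcome."""
    return {a.user or a.pid: a.outcome() for a in parse_attempts(lines)}


# Constructed sample: the first session is the log Davis posted, joined back
# onto single lines (mail wrapping had split them) and trimmed to the lines
# that matter; the principal was elided on the list, so a placeholder realm
# is used. The second session is invented to show a plain bad-password
# failure; its numeric error code is a placeholder, not an Apple value.
SAMPLE_LOG = """\
Aug  7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context values set for testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got principal: testuser2@EXAMPLE.TEST
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get forwardable TGT.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires updating.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to authenticate user  (error: 10).
Aug  7 17:02:11 mactestvm.mtl.dd.net authorizationhost[301]: in pam_sm_authenticate(): Got user: testuser3
Aug  7 17:02:11 mactestvm.mtl.dd.net authorizationhost[301]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Preauthentication failed
Aug  7 17:02:11 mactestvm.mtl.dd.net authorizationhost[301]: Failed to authenticate user  (error: 99).
"""

if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE_LOG.splitlines()):
        print(f"pid {attempt.pid} user={attempt.user!r} "
              f"krb5={attempt.krb5_error!r} -> {attempt.outcome()}")
```

Feeding `/var/log/system.log` (or `syslog` output) through `parse_attempts` separates "expired, needs the change workflow" sessions from genuine bad-password failures.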


Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-07 Thread Davis Goodman
This is basically the log when I attempt to change the password:

Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage 
compositeToPoint:operation:fraction:] is deprecated in MacOSX 10.8 and later. 
Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage 
compositeToPoint:fromRect:operation:fraction:] is deprecated in MacOSX 10.8 and 
later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug  7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context 
values set for testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Got ruser: (null)
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Got service: authorization
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Context initialised
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: 
testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Got ruser: (null)
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Got service: authorization
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Context initialised
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Created principal: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Done krb5_parse_name()
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Got principal: testus...@dd.net
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Got password
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Done getpwnam()
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Attempting to get forwardable TGT.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: 
krb5_sendto_context is called on main thread, its a blocking api
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Attempting to get non-forwardable TGT.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Kerberos 5 error
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has 
expired
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Done cleanup2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Done cleanup3
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): Kerberos 5 refuses you
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): pam_sm_authenticate: ntlm
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires 
updating.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in 
pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to 
authenticate user  (error: 10).
Aug  7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App 
SecurityAgent cannot order in untagged windows before login.
Aug  7 16:59:43 mactestvm.mtl.dd.net SecurityAgent[271]: CGSOrderWindowList

Does this ring a bell?


-- 


Davis Goodman
Directeur Informatique  |  IT Manager

5605 Avenue de Gaspé, Suite 408  |  Montréal, QC H2T 2A4 
Tél: +1 (514) 360-3253 x104Cell: +1 (514) 994-7360 





On 2013-08-07, at 15:41 , Dmitri Pal  wrote:

> On 08/07/2013 10:27 AM, Davis Goodman wrote:
>> When I mention GUI I'm talking about the Mac OSX Login screen not through a 
>> browser
>> 
>> On 2013-08-07, at 10:07 , Rob Crittenden  wrote:
>> 
>>> Davis Goodman wrote:
>>>> Hi Brian, Lynn,
>>>> 
>>>> As far as Linux client, this is not my issue for now, I believe the Linux 
>>>> setup is quite straight forward and the password change at first login 
>>>> seems to work without an issue.
>>>> 
>>>> My main concern is on Mountain Lion 10.8.x,
>>>> 
>>>> At this point I've man

Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-07 Thread Dmitri Pal
On 08/07/2013 10:27 AM, Davis Goodman wrote:
> When I mention GUI I'm talking about the Mac OSX Login screen not
> through a browser
> On 2013-08-07, at 10:07 , Rob Crittenden  wrote:
>
>> Davis Goodman wrote:
>>> Hi Brian, Lynn,
>>>
>>> As far as Linux client, this is not my issue for now, I believe the
>>> Linux setup is quite straight forward and the password change at
>>> first login seems to work without an issue.
>>>
>>> My main concern is on Mountain Lion 10.8.x,
>>>
>>> At this point I've managed to bind the OSX machine to the IPA server
>>> without any issue following this guide:
>>>
>>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>>
>>> I also have all the automounts configured via LDAP using this:
>>> https://ssl.apple.com/business/docs/Autofs.pdf on page 16.
>>>
>>> My main issue right now seems to be at the GUI login. The applet
>>> shows up for password change but doesn't seem to do anything. When I
>>> press continue the applet comes back and this goes in a loop until I
>>> hit "Cancel".
>>>
>>> My IPA versions are as follows:
>>> ipa-admintools.x86_64        3.0.0-26.el6_4.4
>>> ipa-client.x86_64            3.0.0-26.el6_4.4
>>> ipa-gothic-fonts.noarch      003.02-4.2.el6
>>> ipa-mincho-fonts.noarch      003.02-3.1.el6
>>> ipa-pgothic-fonts.noarch     003.02-4.1.el6
>>> ipa-pmincho-fonts.noarch     003.02-3.1.el6
>>> ipa-python.x86_64            3.0.0-26.el6_4.4
>>> ipa-server.x86_64            3.0.0-26.el6_4.4
>>> ipa-server-selinux.x86_64    3.0.0-26.el6_4.4
>>> ipa-server-trust-ad.x86_64   3.0.0-26.el6_4.4
>>>
>>> As mentioned in my first post, if I make the password change at the
>>> terminal prompt, I am then able to login without a password change
>>> prompt.
>>>
>>> Not sure if I'll be able to go through this issue unless someone has
>>> already experienced this.
>>>
>>> Davis
>>
>> What browser are you using?
>>
>> Have you tried the GUI with a new user from a Linux client?
>>
>> I'm thinking this is a browser issue rather than something with OSX
>> as the majority of the work is done on the server.
>>
>> rob
>>

Not an expert on OSX.
I wonder whether the UI prompt supports the password change workflow. Maybe
it does but needs to be explicitly enabled?
There should be some logs on the OSX side that would indicate what is going
on when the server responds with the password change prompt.
I would suggest starting troubleshooting efforts there.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-07 Thread Davis Goodman
When I mention GUI I'm talking about the Mac OSX Login screen not through a 
browser


-- 


Davis Goodman
Directeur Informatique  |  IT Manager

5605 Avenue de Gaspé, Suite 408  |  Montréal, QC H2T 2A4 
Tél: +1 (514) 360-3253 x104Cell: +1 (514) 994-7360 


On 2013-08-07, at 10:07 , Rob Crittenden  wrote:

> Davis Goodman wrote:
>> Hi Brian, Lynn,
>> 
>> As far as Linux client, this is not my issue for now, I believe the Linux 
>> setup is quite straight forward and the password change at first login seems 
>> to work without an issue.
>> 
>> My main concern is on Mountain Lion 10.8.x,
>> 
>> At this point I've managed to bind the OSX machine to the IPA server without 
>> any issue following this guide:
>> 
>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>> 
>> I also have all the automounts configured via LDAP using this: 
>> https://ssl.apple.com/business/docs/Autofs.pdf on page 16.
>> 
>> My main issue right now seems to be at the GUI login. The applet shows up 
>> for password change but doesn't seem to do anything. When I press continue 
>> the applet comes back and this goes in a loop until I hit "Cancel".
>> 
>> My IPA versions are as follows:
>> ipa-admintools.x86_64        3.0.0-26.el6_4.4
>> ipa-client.x86_64            3.0.0-26.el6_4.4
>> ipa-gothic-fonts.noarch      003.02-4.2.el6
>> ipa-mincho-fonts.noarch      003.02-3.1.el6
>> ipa-pgothic-fonts.noarch     003.02-4.1.el6
>> ipa-pmincho-fonts.noarch     003.02-3.1.el6
>> ipa-python.x86_64            3.0.0-26.el6_4.4
>> ipa-server.x86_64            3.0.0-26.el6_4.4
>> ipa-server-selinux.x86_64    3.0.0-26.el6_4.4
>> ipa-server-trust-ad.x86_64   3.0.0-26.el6_4.4
>> 
>> As mentioned in my first post, if I make the password change at the terminal 
>> prompt, I am then able to login without a password change prompt.
>> 
>> Not sure if I'll be able to go through this issue unless someone has already 
>> experienced this.
>> 
>> Davis
> 
> What browser are you using?
> 
> Have you tried the GUI with a new user from a Linux client?
> 
> I'm thinking this is a browser issue rather than something with OSX as the 
> majority of the work is done on the server.
> 
> rob
> 


Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-07 Thread Rob Crittenden

Davis Goodman wrote:

Hi Brian, Lynn,

As far as Linux client, this is not my issue for now, I believe the Linux setup 
is quite straight forward and the password change at first login seems to work 
without an issue.

My main concern is on Mountain Lion 10.8.x,

At this point I've managed to bind the OSX machine to the IPA server without 
any issue following this guide:

http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8

I also have all the automounts configured via LDAP using this: 
https://ssl.apple.com/business/docs/Autofs.pdf on page 16.

My main issue right now seems to be at the GUI login. The applet shows up for password 
change but doesn't seem to do anything. When I press continue the applet comes back and 
this goes in a loop until I hit "Cancel".

My IPA versions are as follows:
ipa-admintools.x86_64        3.0.0-26.el6_4.4
ipa-client.x86_64            3.0.0-26.el6_4.4
ipa-gothic-fonts.noarch      003.02-4.2.el6
ipa-mincho-fonts.noarch      003.02-3.1.el6
ipa-pgothic-fonts.noarch     003.02-4.1.el6
ipa-pmincho-fonts.noarch     003.02-3.1.el6
ipa-python.x86_64            3.0.0-26.el6_4.4
ipa-server.x86_64            3.0.0-26.el6_4.4
ipa-server-selinux.x86_64    3.0.0-26.el6_4.4
ipa-server-trust-ad.x86_64   3.0.0-26.el6_4.4

As mentioned in my first post, if I make the password change at the terminal 
prompt, I am then able to login without a password change prompt.

Not sure if I'll be able to go through this issue unless someone has already 
experienced this.

Davis


What browser are you using?

Have you tried the GUI with a new user from a Linux client?

I'm thinking this is a browser issue rather than something with OSX as 
the majority of the work is done on the server.


rob



Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-07 Thread Davis Goodman
Hi Brian, Lynn,

As far as Linux client, this is not my issue for now, I believe the Linux setup 
is quite straight forward and the password change at first login seems to work 
without an issue.

My main concern is on Mountain Lion 10.8.x,

At this point I've managed to bind the OSX machine to the IPA server without 
any issue following this guide:

http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8

I also have all the automounts configured via LDAP using this: 
https://ssl.apple.com/business/docs/Autofs.pdf on page 16.

My main issue right now seems to be at the GUI login. The applet shows up for 
password change but doesn't seem to do anything. When I press continue the 
applet comes back and this goes in a loop until I hit "Cancel".

My IPA versions are as follows:
ipa-admintools.x86_64        3.0.0-26.el6_4.4
ipa-client.x86_64            3.0.0-26.el6_4.4
ipa-gothic-fonts.noarch      003.02-4.2.el6
ipa-mincho-fonts.noarch      003.02-3.1.el6
ipa-pgothic-fonts.noarch     003.02-4.1.el6
ipa-pmincho-fonts.noarch     003.02-3.1.el6
ipa-python.x86_64            3.0.0-26.el6_4.4
ipa-server.x86_64            3.0.0-26.el6_4.4
ipa-server-selinux.x86_64    3.0.0-26.el6_4.4
ipa-server-trust-ad.x86_64   3.0.0-26.el6_4.4

As mentioned in my first post, if I make the password change at the terminal 
prompt, I am then able to login without a password change prompt.

Not sure if I'll be able to go through this issue unless someone has already 
experienced this.

Davis


-- 


Davis Goodman
Directeur Informatique  |  IT Manager

5605 Avenue de Gaspé, Suite 408  |  Montréal, QC H2T 2A4 
Tél: +1 (514) 360-3253 x104Cell: +1 (514) 994-7360 


On 2013-08-07, at 9:29 , Brian Lee  wrote:

> Hi Lynn,
> 
> 
> I just checked this in my lab setup:
> 
> - Set up a new user on the FreeIPA server as 'ipatest'. 
> 
> - Logged in to a Linux client configured for FreeIPA, it prompted me to 
> change my password. 
> 
> - Successfully changed my password for ipatest. Verified this on another 
> machine.
> 
> - Furthermore, I reset the "Password Policy" min lifetime to 0 and typed 
> passwd on one of the ipa clients while logged in as ipatest. This worked 
> without issue.
> 
> I also have FreeIPA set up in the lab with a domain trust to a 2008 R2 AD 
> server, so I checked to see if the results would be the same.
> 
> - Logged in to FreeIPA client machine as the AD user.
> 
> - Typed passwd, and successfully reset my password. Verified the change in 
> Windows as well as another IPA client.
> 
> All Linux systems in this test are running CentOS 6.4 x86_64
> FreeIPA server is running ipa-server-3.0.0-26.el6_4.4.x86_64
> FreeIPA clients are running ipa-client-3.0.0-26.el6_4.4.x86_64
> AD Server is running Windows 2008 R2
> 
> This won't necessarily help with the OS X problem, but maybe it assists with 
> how it's working on Linux.
> 
> Thanks,
> Brian
> 
> 
> 
> On Tue, Aug 6, 2013 at 8:25 PM, Lynn Root  wrote:
> 
> On Aug 6, 2013, at 4:14 PM, KodaK  wrote:
> 
> > On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman
> >  wrote:
> >> Hi,
> >>
> >> I have an FreeIPA server configured, managed to configure a Mountain Lion 
> >> Client for automounts and user logins.
> >>
> >> My issue is that whenever I first login with a user the "New Password" box 
> >> shows up and even if I try to change the password the box keeps 
> >> reappearing without any success.
> >>
> >> If I log onto the machine with the local admin user and try to get a 
> >> ticket for this user I get a "New Password" prompt. From there I can 
> >> change the password and I get a ticket without an issue. After that I can 
> >> login through the GUI without being asked for a new password.
> >>
> >> Anyone has seen this behaviour before?
> >
> > That's the expected behavior.  When you set the user's password as an
> > admin, it sets the "force a password change" flag.
> 
> Correct me if I'm wrong, but it's not expected to *not* be able to change the 
> password on an IPA client after the initial setup, and be forced to use the 
> IPA Server to re-set the password.  Granted, the client is OSX.
> 
> However, I personally have experienced the inability to change a new user's 
> password on an IPA client, and only on the IPA Server.  Unfortunately, I've 
> been trying to reproduce this and I can not. I've tried on Fedora 19, and 
> will try on RHEL next.
> 
> Davis - Can you let me know your IPA Server and IPA Client versions? As well 
> as the OS that the IPA Server is on?
> 
> Also, out of curiosity, do you have directions on how you set up the client 
> on Mac OSX?
> 
> Thanks!
> 
> Lynn Root

Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-07 Thread Brian Lee
Hi Lynn,


I just checked this in my lab setup:

- Set up a new user on the FreeIPA server as 'ipatest'.

- Logged in to a Linux client configured for FreeIPA, it prompted me to
change my password.

- Successfully changed my password for ipatest. Verified this on another
machine.

- Furthermore, I reset the "Password Policy" min lifetime to 0 and typed
passwd on one of the ipa clients while logged in as ipatest. This worked
without issue.

I also have FreeIPA set up in the lab with a domain trust to a 2008 R2 AD
server, so I checked to see if the results would be the same.

- Logged in to FreeIPA client machine as the AD user.

- Typed passwd, and successfully reset my password. Verified the change in
Windows as well as another IPA client.

All Linux systems in this test are running CentOS 6.4 x86_64
FreeIPA server is running ipa-server-3.0.0-26.el6_4.4.x86_64
FreeIPA clients are running ipa-client-3.0.0-26.el6_4.4.x86_64
AD Server is running Windows 2008 R2

This won't necessarily help with the OS X problem, but maybe it assists
with how it's working on Linux.

Thanks,
Brian



On Tue, Aug 6, 2013 at 8:25 PM, Lynn Root  wrote:

>
> On Aug 6, 2013, at 4:14 PM, KodaK  wrote:
>
> > On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman
> >  wrote:
> >> Hi,
> >>
> >> I have an FreeIPA server configured, managed to configure a Mountain
> Lion Client for automounts and user logins.
> >>
> >> My issue is that whenever I first login with a user the "New Password"
> box shows up and even if I try to change the password the box keeps
> reappearing without any success.
> >>
> >> If I log onto the machine with the local admin user and try to get a
> ticket for this user I get a "New Password" prompt. From there I can change
> the password and I get a ticket without an issue. After that I can login
> through the GUI without being asked for a new password.
> >>
> >> Anyone has seen this behaviour before?
> >
> > That's the expected behavior.  When you set the user's password as an
> > admin, it sets the "force a password change" flag.
>
> Correct me if I'm wrong, but it's not expected to *not* be able to change
> the password on an IPA client after the initial setup, and be forced to use
> the IPA Server to re-set the password.  Granted, the client is OSX.
>
> However, I personally have experienced the inability to change a new user's
> password on an IPA client, and only on the IPA Server.  Unfortunately, I've
> been trying to reproduce this and I can not. I've tried on Fedora 19, and
> will try on RHEL next.
>
> Davis - Can you let me know your IPA Server and IPA Client versions? As
> well as the OS that the IPA Server is on?
>
> Also, out of curiosity, do you have directions on how you set up the
> client on Mac OSX?
>
> Thanks!
>
> Lynn Root

Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-06 Thread Lynn Root

On Aug 6, 2013, at 4:14 PM, KodaK  wrote:

> On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman
>  wrote:
>> Hi,
>> 
>> I have an FreeIPA server configured, managed to configure a Mountain Lion 
>> Client for automounts and user logins.
>> 
>> My issue is that whenever I first login with a user the "New Password" box 
>> shows up and even if I try to change the password the box keeps reappearing 
>> without any success.
>> 
>> If I log onto the machine with the local admin user and try to get a ticket 
>> for this user I get a "New Password" prompt. From there I can change the 
>> password and I get a ticket without an issue. After that I can login through 
>> the GUI without being asked for a new password.
>> 
>> Anyone has seen this behaviour before?
> 
> That's the expected behavior.  When you set the user's password as an
> admin, it sets the "force a password change" flag.

Correct me if I'm wrong, but it's not expected to *not* be able to change the 
password on an IPA client after the initial setup, and be forced to use the IPA 
Server to re-set the password.  Granted, the client is OSX.

However, I personally have experienced the inability to change a new user's 
password on an IPA client, and only on the IPA Server.  Unfortunately, I've 
been trying to reproduce this and I can not. I've tried on Fedora 19, and will 
try on RHEL next. 

Davis - Can you let me know your IPA Server and IPA Client versions? As well as 
the OS that the IPA Server is on?

Also, out of curiosity, do you have directions on how you set up the client on 
Mac OSX?

Thanks!

Lynn Root



Lynn Root
@roguelynn
Associate Software Engineer





Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-06 Thread KodaK
On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman
 wrote:
> Hi,
>
> I have an FreeIPA server configured, managed to configure a Mountain Lion 
> Client for automounts and user logins.
>
> My issue is that whenever I first login with a user the "New Password" box 
> shows up and even if I try to change the password the box keeps reappearing 
> without any success.
>
> If I log onto the machine with the local admin user and try to get a ticket 
> for this user I get a "New Password" prompt. From there I can change the 
> password and I get a ticket without an issue. After that I can login through 
> the GUI without being asked for a new password.
>
> Anyone has seen this behaviour before?

That's the expected behavior.  When you set the user's password as an
admin, it sets the "force a password change" flag.

I don't know anything about OSX, but there may be a way to configure
the login GUI to deal with the password change correctly.

Failing that, you can use a web based password change utility and let
users do self service, or if you don't want that you can set up a
special password administrator, so that when it sets passwords
it doesn't force a change (bad idea.)

For setting up either, you need to do this:

http://www.freeipa.org/page/PasswordSynchronization

for the password change user.

This is the web based password change utility I chose to use, but
there are others -- or you can roll your own:

http://ltb-project.org/wiki/documentation/self-service-password

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
