On Mon, Mar 11, 2013 at 01:21:26AM -0400, Tim Hildred wrote:
It definately wasn't a policy problem. I couldn't even use ipa passwd as
admin from the command line, there was a connection error. The upgrade meant
my IPA server was straight borked. The solution? Revert to a previous
snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).
Maybe instead of trying to upgrade directly from 2.0 to 3.0 a step in
between like 2.0-2.1-3.0 would be better? To be on the safe side you
might want to include 2.2 as well in the upgrade path.
HTH
bye,
Sumit
And I learned a valuable lesson: if it ain't broke, don't upgrade.
Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred
- Original Message -
From: Dmitri Pal d...@redhat.com
To: freeipa-users@redhat.com
Sent: Saturday, March 9, 2013 5:19:51 AM
Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh
token manipulation gone
On 03/07/2013 11:47 PM, Tim Hildred wrote:
Hello,
I have been using IPA for authentication with a RHEV environment.
Quite a while ago, I got help from this list in making it so that my
users could access the WebUI with their login and passwords, no
Kerberos ticket required. I also had it working that when their
passwords expired, they would ssh to the IPA server as themselves,
get challenged for their current password, and then the opportunity
to provide a new one.
The update to ipa-server 3.0.0-25.el6 means that I can no longer log
into the WebUI with just a login and password (see attached
screenshot) and that users who try and update expired passwords get:
You must change your password now and login again!
Changing password for user juwu.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Password not changed.
It seems that password might have not matched the server policy.
Have you tried different users and different passwords?
What does kerberos log on the server show? It will give you some hint
about the reason why the password was rejected.
It might be that the password you are trying to use already in the
history of passwords. AFAIR there was a bug that we did not handle
history of passwords properly in some cases. Now as it is fixed you
might see a proper policy enforcement.
Insufficient access to perform requested operation while trying to
change password.
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
Can anyone help me restore that functionality? Please?
Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred
___
Freeipa-users mailing list Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users