Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

2013-03-11 Thread Sumit Bose
On Mon, Mar 11, 2013 at 01:21:26AM -0400, Tim Hildred wrote:
 It definately wasn't a policy problem. I couldn't even use ipa passwd as 
 admin from the command line, there was a connection error. The upgrade meant 
 my IPA server was straight borked. The solution? Revert to a previous 
 snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2). 

Maybe instead of trying to upgrade directly from 2.0 to 3.0 a step in
between like 2.0-2.1-3.0 would be better? To be on the safe side you
might want to include 2.2 as well in the upgrade path.

HTH

bye,
Sumit

 
 And I learned a valuable lesson: if it ain't broke, don't upgrade. 
 
 Tim Hildred, RHCE
 Content Author II - Engineering Content Services, Red Hat, Inc.
 Brisbane, Australia
 Email: thild...@redhat.com
 Internal: 8588287
 Mobile: +61 4 666 25242
 IRC: thildred
 
 - Original Message -
  From: Dmitri Pal d...@redhat.com
  To: freeipa-users@redhat.com
  Sent: Saturday, March 9, 2013 5:19:51 AM
  Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh 
  token manipulation gone
  
  
  On 03/07/2013 11:47 PM, Tim Hildred wrote:
  
  Hello,
  
  I have been using IPA for authentication with a RHEV environment.
  
  Quite a while ago, I got help from this list in making it so that my
  users could access the WebUI with their login and passwords, no
  Kerberos ticket required. I also had it working that when their
  passwords expired, they would ssh to the IPA server as themselves,
  get challenged for their current password, and then the opportunity
  to provide a new one.
  
  The update to ipa-server 3.0.0-25.el6 means that I can no longer log
  into the WebUI with just a login and password (see attached
  screenshot) and that users who try and update expired passwords get:
  
   You must change your password now and login again!
   Changing password for user juwu.
   Current Password:
   New password:
   Retype new password:
   Password change failed. Server message: Password not changed.
  It seems that password might have not matched the server policy.
  Have you tried different users and different passwords?
  
  What does kerberos log on the server show? It will give you some hint
  about the reason why the password was rejected.
  It might be that the password you are trying to use already in the
  history of passwords. AFAIR there was a bug that we did not handle
  history of passwords properly in some cases. Now as it is fixed you
  might see a proper policy enforcement.
  
  
  
  Insufficient access to perform requested operation while trying to
  change password.
   passwd: Authentication token manipulation error
   Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
  
  Can anyone help me restore that functionality? Please?
  
  Tim Hildred, RHCE
  Content Author II - Engineering Content Services, Red Hat, Inc.
  Brisbane, Australia
  Email: thild...@redhat.com Internal: 8588287
  Mobile: +61 4 666 25242
  IRC: thildred
  
  ___
  Freeipa-users mailing list Freeipa-users@redhat.com
  https://www.redhat.com/mailman/listinfo/freeipa-users
  
  --
  Thank you,
  Dmitri Pal
  
  Sr. Engineering Manager for IdM portfolio
  Red Hat Inc.
  
  
  ---
  Looking to carve out IT costs? www.redhat.com/carveoutcosts/
  ___
  Freeipa-users mailing list
  Freeipa-users@redhat.com
  https://www.redhat.com/mailman/listinfo/freeipa-users
 
 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

2013-03-10 Thread Tim Hildred
It definately wasn't a policy problem. I couldn't even use ipa passwd as admin 
from the command line, there was a connection error. The upgrade meant my IPA 
server was straight borked. The solution? Revert to a previous snapshot, and 
continue using the old, working IPA (2.0.0-23.el6_1.2). 

And I learned a valuable lesson: if it ain't broke, don't upgrade. 

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -
 From: Dmitri Pal d...@redhat.com
 To: freeipa-users@redhat.com
 Sent: Saturday, March 9, 2013 5:19:51 AM
 Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh 
 token manipulation gone
 
 
 On 03/07/2013 11:47 PM, Tim Hildred wrote:
 
 Hello,
 
 I have been using IPA for authentication with a RHEV environment.
 
 Quite a while ago, I got help from this list in making it so that my
 users could access the WebUI with their login and passwords, no
 Kerberos ticket required. I also had it working that when their
 passwords expired, they would ssh to the IPA server as themselves,
 get challenged for their current password, and then the opportunity
 to provide a new one.
 
 The update to ipa-server 3.0.0-25.el6 means that I can no longer log
 into the WebUI with just a login and password (see attached
 screenshot) and that users who try and update expired passwords get:
 
  You must change your password now and login again!
  Changing password for user juwu.
  Current Password:
  New password:
  Retype new password:
  Password change failed. Server message: Password not changed.
 It seems that password might have not matched the server policy.
 Have you tried different users and different passwords?
 
 What does kerberos log on the server show? It will give you some hint
 about the reason why the password was rejected.
 It might be that the password you are trying to use already in the
 history of passwords. AFAIR there was a bug that we did not handle
 history of passwords properly in some cases. Now as it is fixed you
 might see a proper policy enforcement.
 
 
 
 Insufficient access to perform requested operation while trying to
 change password.
  passwd: Authentication token manipulation error
  Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
 
 Can anyone help me restore that functionality? Please?
 
 Tim Hildred, RHCE
 Content Author II - Engineering Content Services, Red Hat, Inc.
 Brisbane, Australia
 Email: thild...@redhat.com Internal: 8588287
 Mobile: +61 4 666 25242
 IRC: thildred
 
 ___
 Freeipa-users mailing list Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users
 
 --
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.
 
 
 ---
 Looking to carve out IT costs? www.redhat.com/carveoutcosts/
 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

2013-03-08 Thread Dmitri Pal
On 03/07/2013 11:47 PM, Tim Hildred wrote:
 Hello,

 I have been using IPA for authentication with a RHEV environment. 

 Quite a while ago, I got help from this list in making it so that my users 
 could access the WebUI with their login and passwords, no Kerberos ticket 
 required. I also had it working that when their passwords expired, they would 
 ssh to the IPA server as themselves, get challenged for their current 
 password, and then the opportunity to provide a new one. 

 The update to ipa-server 3.0.0-25.el6 means that I can no longer log into the 
 WebUI with just a login and password (see attached screenshot) and that users 
 who try and update expired passwords get:

  You must change your password now and login again!
  Changing password for user juwu.
  Current Password: 
  New password: 
  Retype new password: 
  Password change failed. Server message: Password not changed.

It seems that password might have not matched the server policy.
Have you tried different users and different passwords?

What does kerberos log on the server show? It will give you some hint
about the reason why the password was rejected.
It might be that the password you are trying to use already in the
history of passwords. AFAIR there was a bug that we did not handle
history of passwords properly in some cases. Now as it is fixed you
might see a proper policy enforcement.

  Insufficient access to perform requested operation while trying to change 
 password.
  passwd: Authentication token manipulation error
  Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

 Can anyone help me restore that functionality? Please?

 Tim Hildred, RHCE
 Content Author II - Engineering Content Services, Red Hat, Inc.
 Brisbane, Australia
 Email: thild...@redhat.com
 Internal: 8588287
 Mobile: +61 4 666 25242
 IRC: thildred



 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users