Bug 1075092
| Summary: | Password change w/ OTP generates error on success | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nathaniel McCallum <npmccallum> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.0 | CC: | dpal, enewland, grajaiya, jgalipea, lslebodn, mkosek, pbrezina, preichl, sbose |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.11.2-62.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 10:09:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is related to bug https://bugzilla.redhat.com/show_bug.cgi?id=1073631. Since we do not want to patch RHEL7.0 clients when we introduce central OTP support in 7.1 we want to fix this issue now. Without this we can't do password change from the RHEL7.0 clients against an OTP server. Upstream ticket: https://fedorahosted.org/sssd/ticket/2271 Marking as verified SanityOnly. This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |
Works with kinit -T <ccache> <token.user>. In SSSD, the password change actually succeeds, but an error is generated ("Authentication token manipulation error"). Just a guess at the problem: password change succeeds, but krb5_child attempts to use the new password to immediately log in. Since this new password has no OTP on the end, acquiring the new token fails.