Bug 444624

Summary: Kpasswd unable to proxy password change requests
Product: [Retired] freeIPA
Reporter: Brian Harrington <bharrington>
Component: ipa-server
Assignee: Rob Crittenden <rcritten>
Status: CLOSED RAWHIDE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: low
Priority: low
Version: 1.0
CC: benl
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-05-08 21:03:40 UTC
Bug Blocks: 429034

Description Brian Harrington 2008-04-29 16:01:46 UTC
Description of problem:

When attempting to change a password kpasswd fails.

Version-Release number of selected component (if applicable):
ipa-server-1.0.0-4.fc9.i386

How reproducible:
100% Reproducible


Steps to Reproduce:
1.  Create user with ipa-adduser utility.
2.  Attempt to log in with new user via SSH.
3.  Enter Kerberos password.
4.  Attempt to change "SSH" password.
5.  Check /var/log/messages for errors.

  
Actual results:
Client:
-------
[bharrington@berstuk ~]$ ssh castor.alticon.net
bharrington.net's password: 
Warning: password has expired.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user bharrington.
Kerberos 5 Password: 
New UNIX password: 
Retype new UNIX password: 
Password change failed: Server error (Server Error)

passwd: Authentication token manipulation error
Connection to castor.alticon.net closed.


Server:
-------
/var/log/messages:
Apr 29 11:37:59 castor kpasswd[3076]: Failed to create tmp file with errno: 2


Expected results:

Proper login.

Additional info:
[root@castor ipa]# pwd
/var/cache/ipa
[root@castor ipa]# ls -la
total 12
drwxr-xr-x  3 root   root   4096 2008-04-28 17:33 .
drwxr-xr-x 12 root   root   4096 2008-04-28 16:26 ..
drwx------  2 apache apache 4096 2008-04-28 23:20 sessions
[root@castor ipa]# cd ..
[root@castor cache]# ls -Z
drwxrwxr-x  root lp system_u:object_r:cupsd_rw_etc_t:s0 cups
drwxr-xr-x  root root system_u:object_r:var_t:s0       dirmngr
drwxr-xr-x  root root system_u:object_r:fonts_t:s0     fontconfig
drwx------  haldaemon haldaemon system_u:object_r:hald_cache_t:s0 hald
drwxr-xr-x  root root system_u:object_r:var_t:s0       ipa
drwx------  root root system_u:object_r:ldconfig_cache_t:s0 ldconfig
drwxr-xr-x  root root system_u:object_r:logwatch_cache_t:s0 logwatch
drwxr-xr-x  root root system_u:object_r:man_t:s0       man
drwx------  apache apache system_u:object_r:httpd_cache_t:s0 mod_proxy
drwxr-xr-x  root root system_u:object_r:var_t:s0       yum
[root@castor cache]# ktutil 
ktutil:  rkt  /var/kerberos/krb5kdc/kpasswd.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2              kadmin/changepw
   2    2              kadmin/changepw
   3    2              kadmin/changepw
   4    2              kadmin/changepw
   5    2              kadmin/changepw
   6    2              kadmin/changepw
ktutil:  quit
[root@castor log]# kvno kadmin/changepw
kvno: KDC policy rejects request while getting credentials for kadmin/changepw

Comment 1 Simo Sorce 2008-04-29 16:04:19 UTC
As a temporary fix manually do this:

# mkdir /var/cache/ipa/kpasswd
# restorecon /var/cache/ipa/kpasswd

It will work afterwards without even restarting any daemon.
We'll fix the packaging to create the directory.
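
Added example (not part of the original comments and not freeIPA's code): errno 2 in the kpasswd log line is ENOENT, which mkstemp() returns when the directory in its template is missing. The sketch reproduces that in a throwaway sandbox and shows the same call succeeding once the directory exists, assuming the scratch file is created per request. The krb5_cc.XXXXXX template name and the /tmp sandbox path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create and remove a scratch file under dir, as a daemon would for each
 * request. Returns 0 on success, otherwise the errno value from mkstemp(). */
int try_tmp_file(const char *dir)
{
    char path[PATH_MAX];
    /* Hypothetical template name; only the directory part matters here. */
    int n = snprintf(path, sizeof(path), "%s/krb5_cc.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof(path))
        return ENAMETOOLONG;

    int fd = mkstemp(path);
    if (fd < 0)
        return errno;   /* 2 == ENOENT: a directory in the path is missing */
    close(fd);
    unlink(path);
    return 0;
}

/* Create a private sandbox directory (constructed path, not the real
 * /var/cache/ipa) and write its name to buf. Returns 0 or errno. */
int make_sandbox(char *buf, size_t len)
{
    snprintf(buf, len, "/tmp/kpasswd-demo.XXXXXX");
    return mkdtemp(buf) ? 0 : errno;
}

int main(void)
{
    char base[PATH_MAX], dir[PATH_MAX + 16];
    if (make_sandbox(base, sizeof(base)) != 0)
        return 1;
    snprintf(dir, sizeof(dir), "%s/kpasswd", base);

    int before = try_tmp_file(dir);          /* directory not created yet */
    printf("before mkdir: errno %d (%s)\n", before, strerror(before));
    if (mkdir(dir, 0700) != 0)
        return 1;
    int after = try_tmp_file(dir);           /* same call, directory exists */
    printf("after mkdir:  errno %d\n", after);
    rmdir(dir);
    rmdir(base);
    return after;
}
```

The sketch does not cover the restorecon step of the workaround, which sets the new directory's SELinux label.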

Comment 2 Rob Crittenden 2008-04-29 16:06:07 UTC
Added directory to the spec file.

Checking in ipa.spec;
/cvs/extras/rpms/ipa/F-9/ipa.spec,v  <--  ipa.spec
new revision: 1.11; previous revision: 1.10
done


Comment 3 Rob Crittenden 2008-04-29 17:12:09 UTC
Checking in ipa.spec;
/cvs/extras/rpms/ipa/F-7/ipa.spec,v  <--  ipa.spec
new revision: 1.8; previous revision: 1.7
done

tagged as ipa-1_0_0-2_fc7

Checking in ipa.spec;
/cvs/extras/rpms/ipa/F-8/ipa.spec,v  <--  ipa.spec
new revision: 1.8; previous revision: 1.7
done

tagged as ipa-1_0_0-2_fc8

Comment 4 Fedora Update System 2008-04-29 17:13:42 UTC
ipa-1.0.0-2.fc7 has been submitted as an update for Fedora 7

Comment 5 Fedora Update System 2008-04-29 17:14:16 UTC
ipa-1.0.0-2.fc8 has been submitted as an update for Fedora 8

Comment 7 Fedora Update System 2008-05-10 13:49:22 UTC
ipa-1.0.0-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-05-10 13:58:27 UTC
ipa-1.0.0-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-05-13 15:40:16 UTC
ipa-1.0.0-5.fc9 has been submitted as an update for Fedora 9

Comment 10 Fedora Update System 2008-05-14 22:16:18 UTC
ipa-1.0.0-5.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.