Bug 676526

Summary: passwd, gdm-password fail to change password with pam_krb5 enabled
Product: [Retired] freeIPA
Component: ipa-server
Version: 1.2
Hardware: x86_64
OS: Linux
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Reporter: Dmitry Guryanov <dmitry.guryanov>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, dreamnid, jgalipea, mkosek, nalin, rcritten, ssorce
Doc Type: Bug Fix
Bug Blocks: 690583
Last Closed: 2011-10-06 15:03:41 UTC

Description Dmitry Guryanov 2011-02-10 06:06:42 UTC
Description of problem:
I have a freeIPA server and client installed. Users on client computers are supposed to log in with GDM, even the first time, when the account has just been created. But changing the password in GDM doesn't work and fails with 'authentication token manipulation error'. I tried to change the password for an existing user using the passwd command and it also failed with the same error; kpasswd works fine. Some messages from the log files of an unsuccessful attempt to change the password:

console output from passwd command:
-sh-4.1$ passwd 
Changing password for user dimaktt.
Kerberos 5 Password: 
Warning: Your password will expire in less than one hour.
New password: 
Retype new password: 
passwd: Authentication token manipulation error

/var/log/secure:

Feb 10 08:54:19 dguryanov-laptop passwd: pam_unix(passwd:chauthtok): user "dimaktt" does not exist in /etc/passwd
Feb 10 08:54:31 dguryanov-laptop passwd: pam_unix(passwd:chauthtok): user "dimaktt" does not exist in /etc/passwd
Feb 10 08:54:31 dguryanov-laptop passwd: pam_krb5[29752]: password change failed for dimaktt.RU: Cannot contact any KDC for requested realm
Feb 10 08:54:31 dguryanov-laptop passwd: gkr-pam: couldn't change password for the login keyring.

/var/log/audit/audit.log:
type=USER_CHAUTHTOK msg=audit(1297317274.044:690): user pid=29752 uid=1100 auid=500 ses=1 msg='op=PAM:chauthtok acct="dimaktt" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/14 res=failed'
type=USER_CHAUTHTOK msg=audit(1297317274.044:691): user pid=29752 uid=1100 auid=500 ses=1 msg='op=change password id=1100 exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/14 res=failed'

/var/log/dirsrv/slapd-SERVER000-SW-RU/access:
.....
[10/Feb/2011:08:54:25 +0300] conn=6 op=351 RESULT err=0 tag=101 nentries=1 etime=0
[10/Feb/2011:08:54:25 +0300] conn=6 op=352 SRCH base="dc=server000,dc=sw,dc=ru" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw.RU))" attrs="krbPrincipalName krbcanonicalname objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbExtraData krbObjectReferences krballowedtodelegateto"
[10/Feb/2011:08:54:25 +0300] conn=6 op=352 RESULT err=0 tag=101 nentries=1 etime=0
[10/Feb/2011:08:54:25 +0300] conn=6 op=353 SRCH base="uid=dimaktt,cn=users,cn=accounts,dc=server000,dc=sw,dc=ru" scope=0 filter="(objectClass=*)" attrs="objectClass"
[10/Feb/2011:08:54:25 +0300] conn=6 op=353 RESULT err=0 tag=101 nentries=1 etime=0
[10/Feb/2011:08:54:25 +0300] conn=6 op=354 MOD dn="uid=dimaktt,cn=users,cn=accounts,dc=server000,dc=sw,dc=ru"
[10/Feb/2011:08:54:25 +0300] conn=6 op=354 RESULT err=50 tag=103 nentries=0 etime=0


I've tried to fix the problem and looked at the source of the kpasswd command and pam_krb5:

kpasswd calls krb5_change_password for changing the password; pam_krb5-2.3.11-1/src/v5.c contains the following code:

#ifdef HAVE_KRB5_SET_PASSWORD
/* Built against a libkrb5 that provides krb5_set_password(): pam_krb5 sends a
 * set-password request (RFC 3244, protocol version 0xff80) that names the
 * target principal explicitly, here the client's own principal. */
int
v5_change_password(krb5_context ctx, krb5_creds *creds, char *password,
                   int *result_code,
                   krb5_data *result_code_string,
                   krb5_data *result_string)
{
        return krb5_set_password(ctx, creds, password, creds->client,
                                 result_code,
                                 result_code_string, result_string);
}
#else
/* Fallback: the classic change-password request (protocol version 0x0001),
 * the same call kpasswd uses; the target is implicitly the client principal. */
int
v5_change_password(krb5_context ctx, krb5_creds *creds, char *password,
                   int *result_code,
                   krb5_data *result_code_string,
                   krb5_data *result_string)
{
        return krb5_change_password(ctx, creds, password,
                                    result_code,
                                    result_code_string, result_string);
}
#endif

HAVE_KRB5_SET_PASSWORD is defined, so it calls krb5_set_password. I changed the line
#ifdef HAVE_KRB5_SET_PASSWORD
to
#if 0

and built and installed a new rpm, and everything began to work.


Version-Release number of selected component (if applicable):
pam_krb5-2.3.11-2.fc14.x86_64
ipa-client-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64


How reproducible:
always


Steps to Reproduce:
1. set up ipa server and client (they can be on the same host)
2. copy /etc/ldap.conf to /etc/nss_ldap.conf (maybe another bug: ipa-client-install configures /etc/ldap.conf, but nss uses /etc/nss_ldap.conf)
3. change pam_sss.so to pam_krb5.so in /etc/pam.d/system-auth (also tried with pam_sss; it doesn't work by default either)
4. create a user account in ipa and set a password for it using ipa-passwd
5. su - to the new user
6. try to change the password using the passwd command
  
Actual results:
the passwd command fails


Expected results:
the passwd command successfully changes the password

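The two code paths in the v5.c snippet above differ on the wire in a single 16-bit field, which is what makes Comment 1's suspicion (that the IPA password server did not handle set-password requests) testable from a packet capture. The following is an added example, not part of the bug report, of pam_krb5 or of IPA: it frames and parses the cleartext header of an RFC 3244 kpasswd-protocol message (the framing both krb5_change_password and krb5_set_password use on port 464) and classifies the message by its protocol version, 0x0001 for a change-password request and 0xff80 for a set-password request. The AP-REQ and KRB-PRIV payloads below are constructed placeholder bytes, not real Kerberos messages, and `server_supports` is a hypothetical model of a server that only implements some request versions.

```python
"""Added example: parse the cleartext header of a kpasswd-protocol message.

krb5_change_password() and krb5_set_password() both talk to the password
server (port 464) with the same framing (RFC 3244):

    +----------------+----------------+----------------+--------------------
    | message length | protocol vers. | AP-REQ length  | AP-REQ | KRB-PRIV
    +----------------+----------------+----------------+--------------------
       2 bytes          2 bytes          2 bytes

    version 0x0001 = change-password request (kpasswd, krb5_change_password)
    version 0xff80 = set-password request   (krb5_set_password)

The AP-REQ and KRB-PRIV bodies are Kerberos-encrypted, so a passive observer
can only read this header; that is enough to see which request type a client
sends.  Over TCP the record is prefixed with a 4-byte big-endian length;
over UDP it is not.
"""
import struct
from dataclasses import dataclass

VERS_CHANGEPW = 0x0001   # RFC 3244 / MIT KRB5_KPASSWD_VERS_CHANGEPW
VERS_SETPW = 0xFF80      # RFC 3244 / MIT KRB5_KPASSWD_VERS_SETPW
HEADER_LEN = 6

KINDS = {VERS_CHANGEPW: "change-password", VERS_SETPW: "set-password"}


@dataclass(frozen=True)
class KpasswdMessage:
    version: int
    ap_req: bytes
    krb_priv: bytes

    @property
    def kind(self) -> str:
        return KINDS.get(self.version, "unknown(0x%04x)" % self.version)


def build_kpasswd(version: int, ap_req: bytes, krb_priv: bytes, tcp: bool = False) -> bytes:
    """Frame an AP-REQ and a KRB-PRIV into one kpasswd message."""
    msg_len = HEADER_LEN + len(ap_req) + len(krb_priv)
    if msg_len > 0xFFFF or len(ap_req) > 0xFFFF:
        raise ValueError("payload too large for the 16-bit length fields")
    body = struct.pack("!HHH", msg_len, version, len(ap_req)) + ap_req + krb_priv
    return (struct.pack("!I", len(body)) + body) if tcp else body


def parse_kpasswd(data: bytes, tcp: bool = False) -> KpasswdMessage:
    """Parse one kpasswd message; raise ValueError on any framing inconsistency."""
    if tcp:
        if len(data) < 4:
            raise ValueError("truncated TCP record length")
        (rec_len,) = struct.unpack("!I", data[:4])
        data = data[4:]
        if rec_len != len(data):
            raise ValueError("TCP record length %d != %d bytes present" % (rec_len, len(data)))
    if len(data) < HEADER_LEN:
        raise ValueError("message shorter than the 6-byte header")
    msg_len, version, ap_len = struct.unpack("!HHH", data[:HEADER_LEN])
    if msg_len != len(data):
        raise ValueError("message length field %d != %d bytes present" % (msg_len, len(data)))
    if ap_len > msg_len - HEADER_LEN:
        raise ValueError("AP-REQ length %d overruns the message" % ap_len)
    ap_req = data[HEADER_LEN:HEADER_LEN + ap_len]
    krb_priv = data[HEADER_LEN + ap_len:]
    if not ap_req or not krb_priv:
        raise ValueError("AP-REQ and KRB-PRIV must both be present")
    return KpasswdMessage(version, ap_req, krb_priv)


def server_supports(msg: KpasswdMessage, supported=(VERS_CHANGEPW,)) -> bool:
    """Hypothetical model of a password server implementing only some versions.

    Comment 1 of the bug report suspects ipa-kpasswd did not handle set-password
    requests; with the default `supported`, this accepts what kpasswd sends and
    rejects what pam_krb5 built with HAVE_KRB5_SET_PASSWORD sends.
    """
    return msg.version in supported


# Constructed placeholder payloads: NOT real Kerberos ASN.1, just bytes that start
# with the right tags (AP-REQ is [APPLICATION 14], KRB-PRIV is [APPLICATION 21]).
FAKE_AP_REQ = b"\x6e\x04\xde\xad\xbe\xef"
FAKE_KRB_PRIV = b"\x75\x04\xca\xfe\xf0\x0d"

SAMPLE_CHANGEPW_UDP = build_kpasswd(VERS_CHANGEPW, FAKE_AP_REQ, FAKE_KRB_PRIV)
SAMPLE_SETPW_UDP = build_kpasswd(VERS_SETPW, FAKE_AP_REQ, FAKE_KRB_PRIV)
SAMPLE_SETPW_TCP = build_kpasswd(VERS_SETPW, FAKE_AP_REQ, FAKE_KRB_PRIV, tcp=True)

if __name__ == "__main__":
    for name, raw, tcp in (("kpasswd/UDP", SAMPLE_CHANGEPW_UDP, False),
                           ("pam_krb5/UDP", SAMPLE_SETPW_UDP, False),
                           ("pam_krb5/TCP", SAMPLE_SETPW_TCP, True)):
        m = parse_kpasswd(raw, tcp=tcp)
        print("%-13s version=0x%04x kind=%-15s accepted_by_changepw_only_server=%s"
              % (name, m.version, m.kind, server_supports(m)))
```

Pointed at real port 464 traffic (for example the UDP payload of each datagram from a capture taken while `passwd` fails), the parser shows whether the client sent 0x0001 or 0xff80 and whether the server answered at all; the KRB-PRIV result code itself is encrypted and is not recoverable this way.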
Comment 1 Nalin Dahyabhai 2011-02-10 16:17:51 UTC
It looks like ipa-kpasswd isn't handling set-password requests.  Which version of IPA do you have installed at the server?

Comment 2 Dmitry Guryanov 2011-02-10 16:39:08 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=676526

Comment 3 Dmitry Guryanov 2011-02-10 16:39:30 UTC
ipa-server-1.2.2-6.fc14.x86_64

Comment 4 Dmitri Pal 2011-02-10 19:59:23 UTC
Have you installed IPA recently? As I recall there is an issue with the latest version of the DS server in Fedora. I recall the password plugin did not work correctly at some point.
Ah, this is the bug I am referring to. I wonder if it makes a difference:
https://bugzilla.redhat.com/show_bug.cgi?id=658832
What version of DS are you using on the server?

Comment 5 Dmitri Pal 2011-02-10 20:01:37 UTC
Here is another very similar bug.
I suspect they are all the same.
https://bugzilla.redhat.com/show_bug.cgi?id=665001
Please try updating your DS server.

Comment 6 Nalin Dahyabhai 2011-02-10 20:59:01 UTC
I should have asked this earlier: are you getting any messages in /var/log/messages or /var/log/secure on the IPA server when you experience this failure at the client?

Comment 7 Dmitry Guryanov 2011-02-11 06:21:25 UTC
Dmitri, yes, I installed the system recently and updated to the latest version; the directory server version is now 389-ds-base-1.2.8-0.1.a1.fc14.x86_64.


Nalin, I can't check it now; I'll write when I'm able to do it.

Comment 8 Dmitri Pal 2011-02-11 14:50:07 UTC
(In reply to comment #7)
> Dmitri, yes, I'm installed system recently and updated to latest version, now
> version of directory server is 389-ds-base-1.2.8-0.1.a1.fc14.x86_64.

Now? You mean you just updated DS just now and it still does not work or you updated but have not tried? 
Can you please restart IPA, create a new user and try again?
Please capture the logs both sides including KDC logs on the server and same logs on the client side.

The authentication scenario you are describing is a primary use case that we have tested over and over again. It got broken at some point due to freeIPA 1.2 being old and DS code moving forward. We fixed it, so now the problem should go away, unless of course it is a different problem. But then it would have hit many people and we would have heard about it from many sources.

On a side note, would you mind trying FreeIPA v2? We are going to have a Fedora test day on 2/15/11. See www.freeipa.org.

Thank you
Dmitri

Comment 9 Dmitry Guryanov 2011-02-13 12:14:23 UTC
I've tried to reproduce the bug in VMs and got some new errors.

First I installed and updated Fedora 14 into two VMs (server and client), and disabled SELinux and iptables.

Then I started to configure the server:

1. disabled nscd and NetworkManager, enabled the network service
2. added record to /etc/hosts
echo "192.168.122.158 ipaserver.testipa.com   ipaserver" >> /etc/hosts
3. installed ipa-server
yum install -y ipa-server

Then I tried to execute ipa-server-install with the command
/usr/sbin/ipa-server-install -r TESTIPA.COM -n testipa.com -p LFPdktMM -a pfubJYbt --hostname ipaserver.testipa.com --ip-address=192.168.122.158 --setup-bind

And got 'No such file or directory' errors in ipaserver-install.log:
/usr/lib/python2.7/site-packages/ipaserver/installutils.py contains an invalid path to kadmin.local - /usr/kerberos/sbin/kadmin.local instead of /usr/sbin/kadmin.local

/usr/lib/python2.7/site-packages/ipaserver/krbinstance.py contains an invalid path to kdb5_ldap_util - /usr/kerberos/sbin/kdb5_ldap_util

I fixed these files and ran

ipa-server-install --uninstall and then ipa-server-install with the same command as the first time - it completed successfully

then I got a ticket using 'kinit admin' and tried to find the admin user:

[root@ipaserver ~]# ipa-finduser admin
''

ipa-adduser also doesn't work

There are messages about segfaulted processes in apache's error log:
[Sun Feb 13 15:13:08 2011] [notice] child pid 1910 exit signal Segmentation fault (11)
[Sun Feb 13 15:13:13 2011] [notice] child pid 1911 exit signal Segmentation fault (11)
[Sun Feb 13 15:13:13 2011] [notice] child pid 1912 exit signal Segmentation fault (11)


And nothing in /var/log/messages and /var/log/secure

Comment 10 Dmitri Pal 2011-02-13 21:21:46 UTC
In 1.2 you had to install Kerberos too, as far as I recall. I hope that this is how you fixed the issue.

Comment 11 Dmitry Guryanov 2011-02-14 15:08:28 UTC
Kerberos had been installed as a dependency of ipa-server on both the real computer and the VM

[root@ipa-server ~]# rpm -qa | grep krb
krb5-workstation-1.8.2-6.fc14.x86_64
python-krbV-1.0.90-2.fc14.x86_64
krb5-auth-dialog-0.16-1.fc14.x86_64
krb5-server-ldap-1.8.2-6.fc14.x86_64
krb5-libs-1.8.2-6.fc14.x86_64
pam_krb5-2.3.11-2.fc14.x86_64
krb5-server-1.8.2-6.fc14.x86_64

Comment 12 Martin Kosek 2011-02-15 17:20:56 UTC
I tried installing the IPA v1 server on a clean Fedora 14 VM. The installation went OK; the issues with a wrong path to kadmin.local etc. were addressed in https://fedorahosted.org/freeipa/ticket/155.

I have the following RPM versions:
$ rpm -qa | grep ipa
ipa-python-1.2.2-6.fc14.x86_64
ipa-admintools-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64
python-iniparse-0.4-2.fc14.noarch
ipa-client-1.2.2-6.fc14.x86_64
ipa-server-selinux-1.2.2-6.fc14.x86_64

However, the IPA server also behaved oddly on my VM. Running `ipa-finduser admin` took a very long time (> 5 mins) before it returned the result. Maybe it's also your case. I didn't find any error in any log, just a confirmation that it really took long to process this one request (made up of all 3 following log records):

# tail -f /var/log/httpd/access_log
10.16.78.56 - admin [15/Feb/2011:16:37:25 -0500] "POST /ipa/xml HTTP/1.1" 200 130
10.16.78.56 - admin [15/Feb/2011:16:38:04 -0500] "POST /ipa/xml HTTP/1.1" 200 666
10.16.78.56 - admin [15/Feb/2011:16:40:29 -0500] "POST /ipa/xml HTTP/1.1" 200 458

The same situation was with `ipa-adduser`.

Comment 13 Dmitri Pal 2011-10-06 15:03:41 UTC
We do not have a reproducer on this one and we are fully focused on IPA v2.x, so this bug, if it is not already fixed, would not be fixed in 1.2.x. We do not see this behavior with the latest 2.x bits, so I am closing this as won't fix.