Bug 870238

Summary: IPA client cannot change AD Trusted User password
Product: Red Hat Enterprise Linux 6 Reporter: Scott Poore <spoore>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: abokovoy, grajaiya, jgalipea, mkosek, nsoman, pbrezina, sbose, sgoveas
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.9.2-24.el6 Doc Type: Bug Fix
Doc Text:
No Documentation Needed
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:38:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 881827    

Description Scott Poore 2012-10-25 21:34:42 UTC 
Description of problem:

I can't seem to change an AD Trusted User's Password from an IPA client.  If I setup a trust on IPA env to AD domain, I would expect to be able to change passwords.

Version-Release number of selected component (if applicable):
[root@rhel6-1 ~]# rpm -q ipa-server-trust-ad
ipa-server-trust-ad-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64
[root@rhel6-1 ~]# rpm -q ipa-server
ipa-server-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64

-sh-4.1$ passwd
Changing password for user adtestuser5.
Current Password:
passwd: Authentication token manipulation error

-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.

[root@rhel6-1 ~]# tail -3 /var/log/secure
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5

[root@rhel6-1 ~]# kinit Administrator
Password for Administrator: 

[root@rhel6-1 ~]# passwd adtestuser5
Changing password for user adtestuser5.
passwd: Authentication token manipulation error

[root@rhel6-1 ~]# passwd adtestuser5
Changing password for user adtestuser5.
passwd: Authentication token manipulation error

How reproducible:
always as far as I can tell.

Steps to Reproduce:
1.  Setup IPA Master
2.  Setup AD Server
3.  Setup trust with ipa-adtrust-install; ipa trust-add
4.  Log in as AD user on IPA client (can be master)
5.  run passwd to try to change the user's password.
  
Actual results:
password change fails

Expected results:
password change succeeds.

Additional info:
Comment 3 Sumit Bose 2012-10-26 08:50:04 UTC 
I changed the component to sssd because ipa is not involved here.
Comment 4 Dmitri Pal 2012-11-01 13:43:02 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1615
Comment 6 Steeve Goveas 2013-01-31 14:06:56 UTC 
    [root@ibm-x3500m4-01 ~]# ipa trust-find
    ---------------
    1 trust matched
    ---------------
      Realm name: adlab.qe
      Domain NetBIOS name: ADLAB
      Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
      Trust type: Active Directory domain
    ----------------------------
    Number of entries returned 1
    ----------------------------
     
* Following methods are not supported to change AD user password
     
    [root@ibm-x3500m4-01 ~]# kinit Administrator
    Password for Administrator:
     
    [root@ibm-x3500m4-01 ~]# passwd fuser
    Changing password for user fuser.
    Password reset by root is not supported.
    passwd: Authentication token manipulation error
     
    [root@ibm-x3500m4-01 ~]# passwd fuser
    Changing password for user fuser.
    Password reset by root is not supported.
    passwd: Authentication token manipulation error
 
* ipa passwd is used only for IPA users not for AD users
    
    [root@ibm-x3500m4-01 ~]# kinit admin
    Password for admin:
     
    [root@ibm-x3500m4-01 ~]# ipa passwd fuser
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server
     
    [root@ibm-x3500m4-01 ~]# ipa passwd fuser
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server 


* Only passwd cmd executed from AD user is supported
(Note: GPO password minimum age policy setting can be modified from 1 to 0 for testing purpose as done in this case)

[root@ibm-x3500m4-01 ~]# ssh -l nuser1 ibm-x3500m4-01.testrelm.com
nuser1@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 41 day(s)
Could not chdir to home directory /home/adlab.qe/nuser1: No such file or directory
-sh-4.1$ passwd
Changing password for user nuser1.
Current Password: 
New password: 
Retype new password: 
Your password will expire in 42 day(s).
passwd: all authentication tokens updated successfully.


Verified in version ipa-server-3.0.0-24.el6.x86_64 and sssd-1.9.2-82.el6.x86_64
Comment 7 errata-xmlrpc 2013-02-21 09:38:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html