Description of problem:
The password of a user is randomly "not working" anymore and needs a reset of the password. The user is added as a passSyncManagersDNs entry, and when this user sets a password for another user the expiry is set to 2035; it does the same for itself.

Version-Release number of selected component (if applicable):
4.1

How reproducible:
Add a user to passSyncManagersDNs as described here: https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/pass-sync.html

Steps to Reproduce:
1. Add user to passSyncManagersDNs
2. Reset this user's password, log in and set the same password again so it stays the same until 2035
3. Wait for some days and try to log in as this user; the password is expired or damaged, but the GUI still says it expires in 2035

Actual results:
The password expires, it gets corrupted or so?

Expected results:
It should not expire until 2035!

Additional info:
As I cannot log this I would like to know if people have seen this issue also.
I have not seen this behavior. Yamakasi, does it happen only when the password is set by one of the passSyncManagers or also if the password is reset by the user? How do the users log in and what is the exact error message? Could it be possible that the user account is just locked out?
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
OK, this doesn't happen on a new 4.1 replica installation at the moment, the password stays good. However now the keytab doesn't work anymore when the password is not expired for this user and needs to be "get" again from the ipa server. Something is happening there it seems.
A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). Therefore, if you change the password of a certain principal, the keytab no longer works and you should obtain a new keytab (which you did). In other words, it behaves correctly. You can use the ipa-getkeytab utility for that. But make sure to use the -r option if you don't want the utility to generate a random new password.
Closing the bz based on comment 4 and 5.
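To make the keytab explanation in the thread concrete, here is an added example (not part of the original bug report or of FreeIPA) that parses the MIT keytab file format (version 0x0502) and flags entries whose key version number (kvno) no longer matches the KDC's, which is the state a keytab is in after the principal's password changes. The principal, realm, all-zero key and the `kdc_kvno` mapping are constructed sample values; `build_entry` and `stale_entries` are hypothetical helper names.

```python
import struct

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype, key_len)] from an MIT keytab (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry (hole)
            pos += -size
            continue
        rec, off = data[pos:pos + size], 0
        pos += size

        def counted(o):                    # 16-bit length followed by that many bytes
            (n,) = struct.unpack_from(">H", rec, o)
            return rec[o + 2:o + 2 + n], o + 2 + n

        (ncomp,) = struct.unpack_from(">H", rec, off); off += 2
        realm, off = counted(off)
        comps = []
        for _ in range(ncomp):
            c, off = counted(off)
            comps.append(c.decode())
        off += 8                           # skip name_type (4) and timestamp (4)
        kvno = rec[off]; off += 1          # 8-bit kvno
        (enctype,) = struct.unpack_from(">H", rec, off); off += 2
        key, off = counted(off)
        if len(rec) - off >= 4:            # optional 32-bit kvno, used when non-zero
            (kvno32,) = struct.unpack_from(">I", rec, off)
            kvno = kvno32 or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, len(key)))
    return entries

def build_entry(principal, realm, kvno, enctype, key):
    """Serialize one keytab entry (hypothetical helper, used only to build the sample)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, kvno8
    body += struct.pack(">H", enctype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def stale_entries(keytab_bytes, kdc_kvno):
    """Entries whose kvno differs from the current kvno the caller supplies per principal."""
    return [e for e in parse_keytab(keytab_bytes)
            if e[0] in kdc_kvno and e[1] != kdc_kvno[e[0]]]

# Constructed sample: one AES256 (enctype 18) entry at kvno 2 with an all-zero key.
SAMPLE = b"\x05\x02" + build_entry("syncuser", "EXAMPLE.TEST", 2, 18, bytes(32))
```

Only the key length is reported, never the key bytes, so the output can be pasted into a ticket without exposing key material.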