The "ipa passwd" command fails when using uppercase or mixed case user names
Identity Management (IdM) 4.4.0 introduced unified handling of user principals in all commands. However, some commands were not fully converted. As a consequence, the "ipa passwd" command fails when you use uppercase or mixed-case letters in user names. To work around this issue, use only lowercase letters in user names when using the "ipa passwd" command.
Created attachment 1200105
Output
Description of problem: WinSync users who have First.Last casing creates users who can have their password set
Version-Release number of selected component (if applicable):
ipa-server-4.4.0-10.el7.x86_64
ipa-server-trust-ad-4.4.0-10.el7.x86_64
How reproducible: Always
Steps to Reproduce:
1. Establish winsync trust with windows system
2. Now add user First.Last on windows
3. Ensure the user is synced to IPA
4. Now change the password of the user in Windows and ensure Password is True in ipa user-show command for the user
5. Now change the password on IPA for the user First.Last
Actual results:
[root@master ~]# ipa passwd First.Last
New Password:
Enter New Password again to verify:
ipa: ERROR: no matching entry found
Expected results: The password change should work.
Additional info: Related to bz824490
Attaching the automation logs for RHEL7.1/RHEL7.2 where the test passes whereas for RHEL7.3 it fails without any change in automation code.
Tested on RHEL7.4 using
ipa-server-4.5.0-11.el7.x86_64
sssd-1.15.2-29.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
selinux-policy-3.13.1-148.el7.noarch
1. Created user First.Last on AD
2. [root@master ~]# ipa user-show First.Last
User login: first.last
First name: First
Last name: Last
Home directory: /home/first.last
Login shell: /bin/sh
Principal alias: first.last
UID: 365200025
GID: 365200025
Account disabled: False
Password: True
Kerberos keys available: True
3. [root@master ~]# echo **** | kinit first.last
Password for first.last:
[root@master ~]# klist -l
Principal name Cache name
-------------- ----------
first.last KEYRING:persistent:0:krb_ccache_WlO1kcG
admin KEYRING:persistent:0:krb_ccache_EHMBwmY
[root@master ~]# sleep 10; kdestroy -A
[root@master ~]# klist -l
Principal name Cache name
-------------- ----------
[root@master ~]# echo **** | kinit admin
Password for admin:
[root@master ~]# klist -l
Principal name Cache name
-------------- ----------
admin KEYRING:persistent:0:krb_ccache_WlO1kcG
[root@master ~]# echo **** | ipa passwd First.Last
-----------------------------------------------
Changed password for "first.last"
-----------------------------------------------
[root@master ~]# echo $?
0
[root@master ~]# kdestroy -A
[root@master ~]# klist -l
Principal name Cache name
-------------- ----------
[root@master ~]# echo -e "***\n*****\n*****" | kinit -V first.last
Using default cache: persistent:0:krb_ccache_WlO1kcG
Using principal: first.last
Password for first.last:
Password expired. You must change it now.
Enter new password:
Enter it again:
Authenticated to Kerberos v5
[root@master ~]# ipa user-show First.Last
User login: first.last
First name: First
Last name: Last
Home directory: /home/first.last
Login shell: /bin/sh
Principal alias: first.last
UID: 365200025
GID: 365200025
Account disabled: False
Password: True
Kerberos keys available: True
[root@master ~]# klist -l
Principal name Cache name
-------------- ----------
first.last KEYRING:persistent:0:krb_ccache_WlO1kcG
[root@master ~]# ssh -o StrictHostKeyChecking=no -l first.last master.testrelm.test
Could not chdir to home directory /home/first.last: No such file or directory
-sh-4.2$ whoami
first.last
-sh-4.2$ id
uid=365200025(first.last) gid=365200025(first.last) groups=365200025(first.last) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2304