Description of problem:
IPA with AD trust. When an IPA user's password gets reset, he cannot log in through ssh and change the password (he won't be prompted); he then has to log in to the IPA GUI first to change the password and then log in with ssh.

Version-Release number of selected component (if applicable):
current release

How reproducible:
All the time

Steps to Reproduce:
1. Create an IPA-AD trust
2. Create an IPA user.
3. Try to log in through ssh with password
4. Change password in GUI
5. Log in again

Actual results:
Failed login attempt

Expected results:
Login to server, being asked to change password

Additional info:
Log files attached.
This seems to be more of an sssd issue so I'm 'stealing' the bug.
It looks like it is related to 'krb5_use_enterprise_principal = True' or the automatic setting of it in the 7.3 version of SSSD. If the enterprise principal feature is not needed for the AD users the setting 'krb5_use_enterprise_principal = False' in the [domain/...] section of sssd.conf would be a work-around.
To reproduce this outside of SSSD you can call

KRB5_TRACE=/dev/stdout kinit -E -C ipauser -S 'kadmin/changepw'

Assigning to krb5 to get feedback on what the expected behavior is here, i.e. requesting a 'kadmin/changepw' ticket to change an expired password with an enterprise principal.
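The work-around named in the comment above (setting krb5_use_enterprise_principal = False in the [domain/...] section of sssd.conf) is easy to get wrong by hand on hosts with several domain sections, or by putting the option into the wrong section. The following helper applies it to every [domain/...] section while leaving comments, ordering and the other sections untouched. It is an added example written for this page, not code from SSSD, FreeIPA or the bug's reporters; the file path, the domain names and the sample sssd.conf below are constructed for illustration.

```python
"""Apply the sssd.conf work-around from the comment above.

Hand-written helper for this page, not part of SSSD or FreeIPA.
sssd.conf is a plain INI-style file; it is edited line by line so that
comments and ordering survive (configparser would drop comments).
"""
import re
import sys
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
OPTION = "krb5_use_enterprise_principal"

# Constructed sample configuration (not taken from the bug's attachments).
# The first domain has the problematic setting explicitly, the second one
# has it unset (SSSD may then enable it automatically for IPA domains).
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.test, other.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa.example.test
krb5_use_enterprise_principal = True

[domain/other.example.test]
id_provider = ldap

[nss]
homedir_substring = /home
"""


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith(("#", ";"))


def set_enterprise_principal(conf_text: str, value: bool = False) -> str:
    """Return conf_text with OPTION set to value in every [domain/...] section.

    Existing occurrences are rewritten in place; where the option is absent it
    is appended to the end of the section (before trailing blank lines).
    Non-domain sections and comments are passed through unchanged.
    """
    wanted = f"{OPTION} = {'True' if value else 'False'}"
    out: List[str] = []
    in_domain = False
    seen = False

    def close_section() -> None:
        # When leaving a domain section, add the option if it was not present.
        nonlocal seen
        if in_domain and not seen:
            idx = len(out)
            while idx > 0 and out[idx - 1].strip() == "":
                idx -= 1
            out.insert(idx, wanted)
        seen = False

    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            close_section()
            in_domain = m.group("name").startswith("domain/")
            out.append(line)
            continue
        if in_domain and not _is_comment(line):
            key = line.split("=", 1)[0].strip()
            if key == OPTION:
                out.append(wanted)
                seen = True
                continue
        out.append(line)
    close_section()
    return "\n".join(out) + "\n"


def enterprise_principal_settings(conf_text: str) -> Dict[str, Optional[bool]]:
    """Map each [domain/...] section to its OPTION value (None when unset)."""
    result: Dict[str, Optional[bool]] = {}
    current: Optional[str] = None
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            if current.startswith("domain/"):
                result[current] = None
            continue
        if current in result and "=" in line and not _is_comment(line):
            key, val = (s.strip() for s in line.split("=", 1))
            if key == OPTION:
                result[current] = val.lower() == "true"
    return result


if __name__ == "__main__":
    # Usage: python3 fix_sssd_conf.py /etc/sssd/sssd.conf
    # Opening the existing file for writing keeps its owner and 0600 mode,
    # which sssd requires; restart sssd afterwards for the change to apply.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sssd/sssd.conf"
    with open(path, "r+", encoding="utf-8") as fh:
        fixed = set_enterprise_principal(fh.read())
        fh.seek(0)
        fh.write(fixed)
        fh.truncate()
    print(enterprise_principal_settings(fixed))
```

After applying the change and restarting sssd, the manual check is the one from the comment above: an ssh password login as a user with an expired password should now be prompted for a new password instead of failing. Note that the work-around disables enterprise principals for that domain entirely, so it is only appropriate where AD users do not need them.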