Bug 444493 - password change failed
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: ipa
Version: 9
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-28 13:38 EDT by Thorsten Scherf
Modified: 2008-09-20 17:37 EDT
Doc Type: Bug Fix
Last Closed: 2008-09-20 15:39:48 EDT
Description Thorsten Scherf 2008-04-28 13:38:39 EDT
Description of problem:

After setting up a new user, I'm not able to change the password of the user.
Here is what I did:

[root@fedora ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
04/28/08 15:45:53  04/29/08 15:45:49  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@fedora ~]# 

[root@fedora ~]# ipa-adduser 
First name: Thorsten
Last name: Scherf
Login name: tscherf
  Password: 
  Password (again): 
gecos []: 
home directory [/home/tscherf]: 
shell [/bin/sh]: 
tscherf successfully added
[root@fedora ~]# su - tscherf
su: warning: cannot change directory to /home/tscherf: No such file or directory
-sh-3.2$ exit
logout
[root@fedora ~]# kinit tscherf
Password for scherf@EXAMPLE.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
[root@fedora ~]# 





Version-Release number of selected component (if applicable):
ipa-server-1.0.0-2.fc9.i386

How reproducible:
change password of a user

Steps to Reproduce:
1. kinit
Actual results:
password change failed

Expected results:
password change successful

Additional info:
Comment 1 Rob Crittenden 2008-04-28 14:07:32 EDT
Can you see if any SELinux AVCs were logged?
Comment 2 Thorsten Scherf 2008-04-28 15:25:28 EDT
No SELinux AVCs were logged.
Comment 3 Thorsten Scherf 2008-04-28 16:33:33 EDT
Additional info:

/var/log/messages:
Apr 28 16:28:13 fedora kpasswd[4210]: Unable to read request: Key version number for principal in key table is incorrect

[root@fedora ~]# ktutil  
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/fedora.example.com@EXAMPLE.COM
ktutil:  quit
[root@fedora ~]# kvno host/fedora.example.com
host/fedora.example.com@EXAMPLE.COM: kvno = 3
[root@fedora ~]# 
Comment 4 Rob Crittenden 2008-04-29 10:11:01 EDT
Can you do the same kvno listing for /var/kerberos/krb5kdc/kpasswd.keytab?
Comment 5 Thorsten Scherf 2008-04-29 10:26:20 EDT
[root@fedora ~]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kpasswd.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2          kadmin/changepw@EXAMPLE.COM
ktutil:  quit
[root@fedora ~]# kvno kadmin/changepw@VIRT.TUXGEEK.DE
kvno: KDC policy rejects request while getting credentials for kadmin/changepw@EXAMPLE.COM
[root@fedora ~]# 
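Added example, not part of the original report or of the IPA project's code: the comparison done by hand in comments 3 to 5 (KVNO stored in a keytab against the KVNO the KDC reports), as a shell script that works on captured `ktutil list` and `kvno` output. The function names are hypothetical, and the last sample input is constructed to show the mismatch case.

```shell
#!/bin/sh
# Added example: compare the KVNO stored in a keytab with the KVNO the KDC reports.
# Function names are hypothetical; inputs are text captured from `ktutil` and `kvno`.

# keytab_kvno PRINCIPAL < `ktutil list` output: print the highest KVNO held for PRINCIPAL.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 == p {
            if (!found || $2 + 0 > max) max = $2 + 0
            found = 1
        }
        END { if (found) print max }'
}

# kdc_kvno < `kvno PRINCIPAL` output: print the KVNO, or nothing if the request failed.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# compare_kvno KEYTAB_KVNO KDC_KVNO: print match, mismatch or unknown.
compare_kvno() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" -eq "$2" ]; then echo match
    else echo mismatch
    fi
}

# Sample text taken from the listings in this report.
HOST_KEYTAB='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/fedora.example.com@EXAMPLE.COM'
HOST_KDC='host/fedora.example.com@EXAMPLE.COM: kvno = 3'
KPASSWD_KEYTAB='   1    2          kadmin/changepw@EXAMPLE.COM'
KPASSWD_KDC='kvno: KDC policy rejects request while getting credentials for kadmin/changepw@EXAMPLE.COM'
# Constructed sample (not from the report): a KDC answer newer than the keytab entry.
STALE_KDC='kadmin/changepw@EXAMPLE.COM: kvno = 3'

check() {  # check PRINCIPAL KEYTAB_TEXT KDC_TEXT: print one summary line
    k=$(printf '%s\n' "$2" | keytab_kvno "$1")
    d=$(printf '%s\n' "$3" | kdc_kvno)
    printf '%s keytab=%s kdc=%s %s\n' "$1" "${k:--}" "${d:--}" "$(compare_kvno "$k" "$d")"
}

check host/fedora.example.com@EXAMPLE.COM "$HOST_KEYTAB" "$HOST_KDC"
check kadmin/changepw@EXAMPLE.COM "$KPASSWD_KEYTAB" "$KPASSWD_KDC"
check kadmin/changepw@EXAMPLE.COM "$KPASSWD_KEYTAB" "$STALE_KDC"
```

With the report's own listings the host principal comes out as a match, while kadmin/changepw stays unknown because the KDC refused the `kvno` request, so that comparison cannot be completed from the client side.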
Comment 6 Simo Sorce 2008-04-29 10:56:23 EDT
I think EXAMPLE.COM might be a bad REALM name to use. Can you post your
/etc/krb5.conf file?
Most probably there are the default EXAMPLE.COM entries and not the right ones.

Comment 7 Rob Crittenden 2008-04-29 11:48:49 EDT
Can you create the directory /var/cache/ipa/kpasswd on the IPA server machine
and try again?
Comment 8 Thorsten Scherf 2008-04-29 12:47:51 EDT
Creating the directory doesn't have any effect on the password change.
Comment 9 Bug Zapper 2008-05-14 06:19:34 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 10 Rob Crittenden 2008-05-14 11:48:04 EDT
Can you try updating to ipa-1.0.0-5.fc9? It should resolve this issue.
Comment 11 Thorsten Scherf 2008-05-14 15:03:56 EDT
Will test this tomorrow and let you know.
Comment 12 Rob Crittenden 2008-06-03 15:50:10 EDT
Is this working now?
Comment 13 David Nalley 2008-09-20 15:39:48 EDT
Since there are insufficient details provided in this report for us to investigate the issue further, and we have not received feedback to the information we have requested above, we will assume the problem was not reproducible, or has been fixed in one of the updates we have released for the reporter's distribution.

Users who have experienced this problem are encouraged to upgrade to the latest update of their distribution, and if this issue turns out to still be reproducible in the latest update, please reopen this bug with additional information.

Closing as INSUFFICIENT_DATA.
Comment 14 Simo Sorce 2008-09-20 17:37:04 EDT
There was actually a bug we fixed in a following release, so I'll re-close this as fixed.
