Bug 444624 - Kpasswd unable to proxy password change requests
Status: CLOSED RAWHIDE
Product: freeIPA
Classification: Community
Component: ipa-server
Version: 1.0
Hardware: All Linux
Priority: low  Severity: low
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: 429034
Reported: 2008-04-29 12:01 EDT by Brian Harrington
Modified: 2015-01-04 18:32 EST

Doc Type: Bug Fix
Last Closed: 2008-05-08 17:03:40 EDT
Description Brian Harrington 2008-04-29 12:01:46 EDT
Description of problem:

When attempting to change a password kpasswd fails.

Version-Release number of selected component (if applicable):
ipa-server-1.0.0-4.fc9.i386

How reproducible:
100% Reproducible


Steps to Reproduce:
1.  Create user with ipa-adduser utility.
2.  Attempt to log in with new user via SSH.
3.  Enter Kerberos password.
4.  Attempt to change "SSH" password.
5.  Check /var/log/messages for errors.

  
Actual results:
Client:
-------
[bharrington@berstuk ~]$ ssh castor.alticon.net
bharrington@castor.alticon.net's password: 
Warning: password has expired.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user bharrington.
Kerberos 5 Password: 
New UNIX password: 
Retype new UNIX password: 
Password change failed: Server error (Server Error)

passwd: Authentication token manipulation error
Connection to castor.alticon.net closed.


Server:
-------
/var/log/messages:
Apr 29 11:37:59 castor kpasswd[3076]: Failed to create tmp file with errno: 2


Expected results:

Proper login.

Additional info:
[root@castor ipa]# pwd
/var/cache/ipa
[root@castor ipa]# ls -la
total 12
drwxr-xr-x  3 root   root   4096 2008-04-28 17:33 .
drwxr-xr-x 12 root   root   4096 2008-04-28 16:26 ..
drwx------  2 apache apache 4096 2008-04-28 23:20 sessions
[root@castor ipa]# cd ..
[root@castor cache]# ls -Z
drwxrwxr-x  root lp system_u:object_r:cupsd_rw_etc_t:s0 cups
drwxr-xr-x  root root system_u:object_r:var_t:s0       dirmngr
drwxr-xr-x  root root system_u:object_r:fonts_t:s0     fontconfig
drwx------  haldaemon haldaemon system_u:object_r:hald_cache_t:s0 hald
drwxr-xr-x  root root system_u:object_r:var_t:s0       ipa
drwx------  root root system_u:object_r:ldconfig_cache_t:s0 ldconfig
drwxr-xr-x  root root system_u:object_r:logwatch_cache_t:s0 logwatch
drwxr-xr-x  root root system_u:object_r:man_t:s0       man
drwx------  apache apache system_u:object_r:httpd_cache_t:s0 mod_proxy
drwxr-xr-x  root root system_u:object_r:var_t:s0       yum
[root@castor cache]# ktutil 
ktutil:  rkt  /var/kerberos/krb5kdc/kpasswd.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2              kadmin/changepw@ALTICON.NET
   2    2              kadmin/changepw@ALTICON.NET
   3    2              kadmin/changepw@ALTICON.NET
   4    2              kadmin/changepw@ALTICON.NET
   5    2              kadmin/changepw@ALTICON.NET
   6    2              kadmin/changepw@ALTICON.NET
ktutil:  quit
[root@castor log]# kvno kadmin/changepw@ALTICON.NET
kvno: KDC policy rejects request while getting credentials for kadmin/changepw@ALTICON.NET
Comment 1 Simo Sorce 2008-04-29 12:04:19 EDT
As a temporary fix manually do this:

# mkdir /var/cache/ipa/kpasswd
# restorecon /var/cache/ipa/kpasswd

It will work afterwards without even restarting any daemon.
We'll fix the packaging to create the directory.
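
The errno 2 in the server log is ENOENT on Linux, meaning the directory for the temp file did not exist, which is why creating it is sufficient; a permissions or SELinux denial would surface as EACCES instead. The C program below is an added example, not ipa_kpasswd source and not part of any comment on this bug; the file-name template, helper names and scratch path under /tmp are assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose mkstemp/mkdtemp */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create and remove a private temp file in dir; return 0 or the errno. */
int try_tmpfile(const char *dir) {
    char path[4096];
    snprintf(path, sizeof(path), "%s/demo_tmp.XXXXXX", dir); /* hypothetical template */
    int fd = mkstemp(path);          /* fails with ENOENT if dir is missing */
    if (fd < 0) return errno;
    close(fd);
    unlink(path);
    return 0;
}

/* Triage hint for the errno value a daemon logs. */
const char *triage(int err) {
    switch (err) {
    case 0:      return "ok";
    case ENOENT: return "directory missing: create it, then restorecon";
    case EACCES: return "access denied: check owner, mode and SELinux context";
    default:     return strerror(err);
    }
}

/* Reproduce in a scratch tree: try before the directory exists, then after mkdir. */
int demo(int *before, int *after) {
    char root[] = "/tmp/ipa_cache_demo.XXXXXX";  /* constructed scratch path */
    char dir[64];
    if (mkdtemp(root) == NULL) return -1;
    snprintf(dir, sizeof(dir), "%s/kpasswd", root);
    *before = try_tmpfile(dir);      /* directory does not exist yet */
    if (mkdir(dir, 0700) != 0) return -1;
    *after = try_tmpfile(dir);       /* succeeds without restarting anything */
    rmdir(dir);
    rmdir(root);
    return 0;
}

int main(void) {
    int b, a;
    if (demo(&b, &a) != 0) return 1;
    printf("before: errno %d (%s)\nafter: errno %d (%s)\n", b, triage(b), a, triage(a));
    return 0;
}
```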
Comment 2 Rob Crittenden 2008-04-29 12:06:07 EDT
Added directory to the spec file.

Checking in ipa.spec;
/cvs/extras/rpms/ipa/F-9/ipa.spec,v  <--  ipa.spec
new revision: 1.11; previous revision: 1.10
done
Comment 3 Rob Crittenden 2008-04-29 13:12:09 EDT
Checking in ipa.spec;
/cvs/extras/rpms/ipa/F-7/ipa.spec,v  <--  ipa.spec
new revision: 1.8; previous revision: 1.7
done

tagged as ipa-1_0_0-2_fc7

Checking in ipa.spec;
/cvs/extras/rpms/ipa/F-8/ipa.spec,v  <--  ipa.spec
new revision: 1.8; previous revision: 1.7
done

tagged as ipa-1_0_0-2_fc8
Comment 4 Fedora Update System 2008-04-29 13:13:42 EDT
ipa-1.0.0-2.fc7 has been submitted as an update for Fedora 7
Comment 5 Fedora Update System 2008-04-29 13:14:16 EDT
ipa-1.0.0-2.fc8 has been submitted as an update for Fedora 8
Comment 7 Fedora Update System 2008-05-10 09:49:22 EDT
ipa-1.0.0-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-05-10 09:58:27 EDT
ipa-1.0.0-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-05-13 11:40:16 EDT
ipa-1.0.0-5.fc9 has been submitted as an update for Fedora 9
Comment 10 Fedora Update System 2008-05-14 18:16:18 EDT
ipa-1.0.0-5.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
