Description of problem:
When attempting to change a password kpasswd fails.

Version-Release number of selected component (if applicable):
ipa-server-1.0.0-4.fc9.i386

How reproducible:
100% Reproducible

Steps to Reproduce:
1. Create user with ipa-adduser utility.
2. Attempt to log in with new user via SSH.
3. Enter kerberos password.
4. Attempt to change "SSH" password.
5. Check /var/log/messages for errors.

Actual results:

Client:
-------
[bharrington@berstuk ~]$ ssh castor.alticon.net
bharrington.net's password:
Warning: password has expired.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user bharrington.
Kerberos 5 Password:
New UNIX password:
Retype new UNIX password:
Password change failed: Server error (Server Error)
passwd: Authentication token manipulation error
Connection to castor.alticon.net closed.

Server:
-------
/var/log/messages:
Apr 29 11:37:59 castor kpasswd[3076]: Failed to create tmp file with errno: 2

Expected results:
Proper login.

Additional info:
[root@castor ipa]# pwd
/var/cache/ipa
[root@castor ipa]# ls -la
total 12
drwxr-xr-x  3 root   root   4096 2008-04-28 17:33 .
drwxr-xr-x 12 root   root   4096 2008-04-28 16:26 ..
drwx------  2 apache apache 4096 2008-04-28 23:20 sessions
[root@castor ipa]# cd ..
[root@castor cache]# ls -Z
drwxrwxr-x  root      lp        system_u:object_r:cupsd_rw_etc_t:s0 cups
drwxr-xr-x  root      root      system_u:object_r:var_t:s0 dirmngr
drwxr-xr-x  root      root      system_u:object_r:fonts_t:s0 fontconfig
drwx------  haldaemon haldaemon system_u:object_r:hald_cache_t:s0 hald
drwxr-xr-x  root      root      system_u:object_r:var_t:s0 ipa
drwx------  root      root      system_u:object_r:ldconfig_cache_t:s0 ldconfig
drwxr-xr-x  root      root      system_u:object_r:logwatch_cache_t:s0 logwatch
drwxr-xr-x  root      root      system_u:object_r:man_t:s0 man
drwx------  apache    apache    system_u:object_r:httpd_cache_t:s0 mod_proxy
drwxr-xr-x  root      root      system_u:object_r:var_t:s0 yum
[root@castor cache]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kpasswd.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 kadmin/changepw
   2    2 kadmin/changepw
   3    2 kadmin/changepw
   4    2 kadmin/changepw
   5    2 kadmin/changepw
   6    2 kadmin/changepw
ktutil:  quit
[root@castor log]# kvno kadmin/changepw
kvno: KDC policy rejects request while getting credentials for kadmin/changepw
As a temporary fix manually do this:

# mkdir /var/cache/ipa/kpasswd
# restorecon /var/cache/ipa/kpasswd

It will work afterwards without even restarting any daemon.

We'll fix the packaging to create the directory.
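An added example, not part of the original comments or the ipa packaging: a shell check that tells the missing-directory case reported here apart from other problems with a temp-file directory. The function name, the return codes and the rule that the directory must not be group- or other-writable are assumptions made for this example; the demo runs on a constructed scratch tree, not on /var/cache/ipa.

```shell
#!/bin/sh
# Added example: audit the directory a daemon creates temp files in.
# Return codes are constructed for this example:
#   0 usable, 1 missing, 2 not a real directory, 3 group/other-writable
check_tmp_dir() {
    dir=$1
    # Test for a symlink first: a link could redirect temp files elsewhere,
    # and a dangling link would otherwise look like "missing".
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink" >&2
        return 2
    fi
    # The case in this report: a missing parent directory makes temp file
    # creation fail with errno 2 (ENOENT).
    if [ ! -e "$dir" ]; then
        echo "FAIL: $dir is missing (temp file creation fails with ENOENT)" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 2
    fi
    # Assumed policy: no group or other write access on this directory.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $dir is writable by group or others" >&2
        return 3
    fi
    # On SELinux hosts, warn if the label differs from policy; restorecon -n
    # only reports what it would change and modifies nothing.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        drift=$(restorecon -n -v "$dir" 2>/dev/null)
        [ -z "$drift" ] || echo "WARN: label differs from policy: $drift" >&2
    fi
    echo "OK: $dir"
    return 0
}

# Demo on a constructed scratch tree, not the real /var/cache/ipa.
demo=$(mktemp -d)
check_tmp_dir "$demo/kpasswd" || echo "-> exit code $?"
mkdir -m 700 "$demo/kpasswd"
check_tmp_dir "$demo/kpasswd"
rm -rf "$demo"
```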
Added directory to the spec file.

Checking in ipa.spec;
/cvs/extras/rpms/ipa/F-9/ipa.spec,v  <--  ipa.spec
new revision: 1.11; previous revision: 1.10
done
Checking in ipa.spec;
/cvs/extras/rpms/ipa/F-7/ipa.spec,v  <--  ipa.spec
new revision: 1.8; previous revision: 1.7
done

tagged as ipa-1_0_0-2_fc7

Checking in ipa.spec;
/cvs/extras/rpms/ipa/F-8/ipa.spec,v  <--  ipa.spec
new revision: 1.8; previous revision: 1.7
done

tagged as ipa-1_0_0-2_fc8
ipa-1.0.0-2.fc7 has been submitted as an update for Fedora 7
ipa-1.0.0-2.fc8 has been submitted as an update for Fedora 8
ipa-1.0.0-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
ipa-1.0.0-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
ipa-1.0.0-5.fc9 has been submitted as an update for Fedora 9
ipa-1.0.0-5.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.