Bug 446210 - IPA user not permitted to change expired password & authenticate
Summary: IPA user not permitted to change expired password & authenticate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-client
Version: 1.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 453489
Reported: 2008-05-13 14:59 UTC by P Rauser
Modified: 2015-01-04 23:32 UTC (History)

Fixed In Version: 1.0.0-6.fc9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-08 21:35:55 UTC
Embargoed:


Attachments
relevant portion of /var/log/krb5kdc.log (4.90 KB, text/plain)
2008-06-01 12:03 UTC, Maxim
relevant portion of /var/log/messages (919 bytes, text/plain)
2008-06-01 12:03 UTC, Maxim
kinit dialog with log entries from messages and kerberos (2.63 KB, application/octet-stream)
2008-06-23 13:28 UTC, Andreas Mischinski

Description P Rauser 2008-05-13 14:59:39 UTC
Description of problem:


Version-Release number of selected component (if applicable):

ipa-client-1.0.0-4.fc9.x86_64

How reproducible:

Always.

Steps to Reproduce:
1.  Log in newly-created FreeIPA user "test1" to FC9 using GDM or attempt to
"kinit test1"

2.  Authentication requests password.

3.  After entering password, kinit gives message "Password expired.  You must
change it now./ Enter new password:"  [GDM makes a similar request for password
change]

4.  kinit fails to change user password: "kinit(v5): Password change failed
while getting initial credentials"

Actual results:

Password not changed -- ldapsearch -Y GSSAPI -b "dc=testipaserver,dc=com"
uid=test1 indicates that password was not changed, existing password still expired.


Expected results:

Password changes, user authenticates

Additional info:

N.B. that running ipa-passwd with admin credentials succeeds in changing the
password but still results in the password being expired -- i.e., user still
cannot change the password and authenticate.

Comment 1 Rob Crittenden 2008-05-13 15:26:44 UTC
This is fixed in 1.0.0-5+

A temporary workaround is to create the directory /var/cache/ipa/kpasswd

You probably need to do a restorecon on that directory as well.

Comment 2 P Rauser 2008-05-13 17:52:20 UTC
Apologies for reopening this bug, but the workaround above did not solve the
problem:

1)  # mkdir /var/cache/ipa/kpasswd [n.b. I did this on both client and server]
2)  # restorecon /var/cache/ipa/kpasswd
3)  # kinit test1

Results are same as in original bug.  

Comment 3 Rob Crittenden 2008-05-13 18:25:23 UTC
Can you provide the output of: 

$ ls -lZd /var/cache/ipa/kpasswd

And see if there are any interesting errors in /var/log/messages?

Comment 4 P Rauser 2008-05-16 18:34:12 UTC
drwxr-xrwx  root root system_u:object_r:ipa_kpasswd_ccache_t:s0

The full read/write permissions & root ownership were just for debugging -- as
an aside, what should the permissions be?


Comment 5 Rob Crittenden 2008-05-16 18:45:56 UTC
OK, that looks ok. 

The permissions should be 0700.

Adding Simo to see if he has any ideas.

Comment 6 Simo Sorce 2008-05-16 18:56:48 UTC
700 is the right permission set, only the kpasswd must have access to the
credential caches.
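An added check, not from the bug report, for the state comments 1 to 6 describe for /var/cache/ipa/kpasswd: the directory exists, is mode 0700, and carries the ipa_kpasswd_ccache_t label seen in comment 4. The path and label come from the thread; the function name and return-code scheme are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): verify the kpasswd credential-cache
# directory that the workaround in comments 1-6 describes.
# Return codes: 0 = as expected, 1 = missing or wrong mode, 2 = SELinux type differs.
check_kpasswd_dir() {
  dir="${1:-/var/cache/ipa/kpasswd}"          # default path taken from comment 1
  want_type="${2:-ipa_kpasswd_ccache_t}"      # type shown in comment 4's ls -lZd output
  if [ ! -d "$dir" ]; then
    echo "missing: $dir (comment 1 workaround: mkdir, then restorecon)"
    return 1
  fi
  mode=$(stat -c '%a' "$dir")                 # GNU stat: octal permission bits
  if [ "$mode" != "700" ]; then
    echo "mode $mode on $dir, comment 6 requires 0700 (only kpasswd may read the caches)"
    return 1
  fi
  # Check the label only where SELinux tooling exists and a context is reported.
  if command -v getenforce >/dev/null 2>&1; then
    ctx=$(stat -c '%C' "$dir")
    case "$ctx" in
      "?") ;;                                 # SELinux disabled: no label to compare
      *"$want_type"*) ;;
      *) echo "context '$ctx' on $dir, expected type $want_type (run restorecon)"; return 2 ;;
    esac
  fi
  echo "ok: $dir is mode 700 and labelled as expected"
  return 0
}
```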

Comment 7 Rob Crittenden 2008-05-20 19:09:12 UTC
Can you see if there is anything in /var/log/messages or /var/log/krb5kdc.log
that might be relevant to this? Or attach a fairly large snippet of those logs
to the bug for review?

Comment 8 Rob Crittenden 2008-05-29 14:43:33 UTC
Is this still happening?

Comment 9 Maxim 2008-06-01 12:03:22 UTC
Created attachment 307306 [details]
relevant portion of /var/log/krb5kdc.log

Comment 10 Maxim 2008-06-01 12:03:48 UTC
Created attachment 307307 [details]
relevant portion of /var/log/messages

Comment 11 Maxim 2008-06-01 12:05:00 UTC
Yes, it is. I had some trouble with this too, so I created the directory
mentioned above, which didn't help. This is the conversation I had while trying
to change the password of account maxim:

# ssh maxim@freeipa-client
maxim@freeipa-client's password: 
Warning: password has expired.
Last login: Sun Jun  1 13:50:49 2008 from freeipa-client.my-net.local
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user maxim.
Kerberos 5 Password: 
New UNIX password: 
Retype new UNIX password: 
passwd: Authentication token manipulation error

It then disconnects me. I checked /var/log/messages and saw this:

Jun  1 13:51:13 freeipa-server kpasswd[15014]: ldap_parse_result(): [Password
Fails to meet minimum strength criteria]
Jun  1 13:51:13 freeipa-server kpasswd[15014]: password change failed!

Uh? If that was the problem, the "passwd: Authentication token manipulation
error" is less than helpful. So I tried again, with a bizarre password and had
the same conversation (including the "passwd: Authentication token manipulation
error" at the end). But this time, /var/log/messages said this:

Jun  1 13:52:22 freeipa-server kpasswd[15044]: password change succeeded!

/var/log/krb5kdc.log said this about the last password change attempt:

Jun 01 13:52:51 freeipa-server.my-net.local krb5kdc[4504](info): preauth
(timestamp) verify failure: Decrypt integrity check failed
Jun 01 13:52:51 freeipa-server.my-net.local krb5kdc[4504](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.100.11: PREAUTH_FAILED: maxim
for krbtgt/MY-NET.LOCAL, Decrypt integrity check failed

The last password change itself /was/ successful, btw. 

I am attaching the last parts of both messages and krb5kdc.log.

getenforce=0 on this box, btw.

Comment 12 Simo Sorce 2008-06-01 12:50:14 UTC
Have you enabled challenge response authentication in sshd?
This is required to be able to correctly perform a password change operation at
the ssh login prompt.
See: http://www.freeipa.com/page/AdministratorsGuide#Using_Password_Authentication

Comment 13 Andreas Mischinski 2008-06-04 09:47:54 UTC
Same problem with ipa-client-1.0.0-6.fc9.i386 in Fedora Core 9 (x86). I've
created a new user testi and followed the instructions in 
http://www.freeipa.com/page/AdministratorsGuide.

I tried to obtain a ticket and get the following result: 

[root@ipa home]# kinit testi
Password for testi: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit(v5): Cannot contact any KDC for requested realm while getting initial
credentials

This is the log from /var/log/krb5kdc.log :

Jun 04 11:33:02 ipa.mischins.world krb5kdc[2114](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 141.83.20.101: CLIENT KEY EXPIRED: testi for
krbtgt/MISCHINS.WORLD, Password has expired
Jun 04 11:33:02 ipa.mischins.world krb5kdc[2114](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 141.83.20.101: NEEDED_PREAUTH: testi for
kadmin/changepw, Additional pre-authentication required
Jun 04 11:33:05 ipa.mischins.world krb5kdc[2114](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 141.83.20.101: ISSUE: authtime 1212571985, etypes {rep=18 tkt=18
ses=18}, testi for kadmin/changepw


In /var/log/messages I have not found relevant entries.

Comment 14 Rob Crittenden 2008-06-05 15:40:51 UTC
Do you have SELinux enabled? Can you monitor the audit log while trying a kinit
to see if any AVCs are thrown?

What version of ipa-server is installed? I'm assuming that the client is on a
separate machine.

Comment 15 Andreas Mischinski 2008-06-06 06:40:58 UTC
To reproduce this problem : 

Install Fedora Core 9, obtain latest updates and install ipa-server from
repository ipa-server-1.0.0.6fc9(i386) with dependencies. Perform interactive
install from command line with ipa-server-install. SELinux is set to permissive
mode. The client is on the same machine as the server. 
 

After installation I successfully obtained a ticket with the admin account and
added the user testi with the web interface. The commands getent passwd and id
testi work, the user is found and known to the system. After this I performed a
reboot on the system and logged in with my local user account (andreas). I tried
to obtain a ticket as user testi : 
 
[andreas@ipa ~]$ kinit testi
Password for testi: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit(v5): Cannot contact any KDC for requested realm while getting initial
credentials

This is the log entry : 
/var/log/krb5kdc.log

Jun 06 07:38:38 ipa.mischins.world krb5kdc[2140](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 141.83.20.101: CLIENT KEY EXPIRED: testi for
krbtgt/MISCHINS.WORLD, Password has expired
Jun 06 07:38:38 ipa.mischins.world krb5kdc[2140](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 141.83.20.101: NEEDED_PREAUTH: testi for
kadmin/changepw, Additional pre-authentication required
Jun 06 07:38:40 ipa.mischins.world krb5kdc[2140](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 141.83.20.101: ISSUE: authtime 1212730720, etypes {rep=18 tkt=18
ses=18}, testi for kadmin/changepw

When I try to su to the user testi I get this :

[andreas@ipa ~]$ su testi -
Passwort: 
Warning: Your password will expire in less than one hour.
Warning: password has expired.
Kerberos 5 Password: 
Warning: Your password will expire in less than one hour.
Geben Sie ein neues UNIX Passwort ein:  	#type new password
Geben Sie das neue UNIX Passwort erneut ein:  	#retype password
su: ungültiges Kennwort 			#invalid password
[andreas@ipa ~]$ 


/var/log/audit/audit.log

type=USER_AUTH msg=audit(1212732181.070:45): user pid=3668 uid=500 auid=500
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:authentication acct="testi" exe="/bin/su" (hostname=?, addr=?,
terminal=pts/2 res=success)'
type=USER_ACCT msg=audit(1212732181.074:46): user pid=3668 uid=500 auid=500
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:accounting acct="testi" exe="/bin/su" (hostname=?, addr=?,
terminal=pts/2 res=failed)'
type=USER_CHAUTHTOK msg=audit(1212732231.647:47): user pid=3668 uid=500 auid=500
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok
acct="testi" exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=failed)'

By trying to obtain a ticket with 'kinit testi' there are no entries created in
/var/log/audit/audit.log
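An added log-reading helper (my own, not from the thread) for the excerpts in comments 11, 13 and 15. The sample lines are constructed to mirror those excerpts with placeholder hostnames and addresses; kdc_outcomes lists, per principal, the AS_REQ outcome sequence from krb5kdc.log (an expired password is expected to show CLIENT KEY EXPIRED, then NEEDED_PREAUTH and ISSUE for kadmin/changepw, which is the sequence comments 13 and 15 show, so the KDC side is fine and the failure is in the kpasswd step), and kpasswd_outcomes extracts from /var/log/messages the per-process result and the ldap_parse_result() reason that the client's generic "Authentication token manipulation error" hides (comment 11).

```shell
#!/bin/sh
# Added example, not from the bug report. Constructed sample lines modelled on
# the comment 11/13/15 excerpts (hostnames, addresses and pids are placeholders).
kdc_sample() {
cat <<'EOF'
Jun 04 11:33:02 ipa.example.test krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: CLIENT KEY EXPIRED: testi for krbtgt/EXAMPLE.TEST, Password has expired
Jun 04 11:33:02 ipa.example.test krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: testi for kadmin/changepw, Additional pre-authentication required
Jun 04 11:33:05 ipa.example.test krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1212571985, etypes {rep=18 tkt=18 ses=18}, testi for kadmin/changepw
Jun 04 11:33:09 ipa.example.test krb5kdc[2114](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jun 04 11:33:09 ipa.example.test krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: PREAUTH_FAILED: testi for krbtgt/EXAMPLE.TEST, Decrypt integrity check failed
EOF
}
messages_sample() {
cat <<'EOF'
Jun  4 11:33:06 ipa.example.test kpasswd[15014]: ldap_parse_result(): [Password Fails to meet minimum strength criteria]
Jun  4 11:33:06 ipa.example.test kpasswd[15014]: password change failed!
Jun  4 11:35:22 ipa.example.test kpasswd[15044]: password change succeeded!
EOF
}
# Print "<STATUS> <service>" for every AS_REQ line that concerns the given
# principal. Usage: kdc_outcomes testi < /var/log/krb5kdc.log
kdc_outcomes() {
  awk -v p="$1" '/AS_REQ/ {
    line = $0
    sub(/.*\) [0-9.]+: /, "", line)             # drop the prefix up to the client address
    status = line; sub(/:.*/, "", status)       # status is the text before the first colon
    if (match(line, / [^ ,]+ for [^ ,]+/)) {    # "<principal> for <service>"
      split(substr(line, RSTART + 1, RLENGTH - 1), f, " for ")
      if (f[1] == p) print status, f[2]
    }
  }'
}
# Print "<pid> failed <reason>" or "<pid> succeeded" per kpasswd process; the
# reason is the bracketed text kpasswd logs from ldap_parse_result().
# Usage: kpasswd_outcomes < /var/log/messages
kpasswd_outcomes() {
  awk '/kpasswd\[/ {
    pid = $0; sub(/.*kpasswd\[/, "", pid); sub(/\].*/, "", pid)
    if (match($0, /ldap_parse_result\(\): \[.*\]/)) {
      r = substr($0, RSTART, RLENGTH)
      sub(/^ldap_parse_result\(\): \[/, "", r); sub(/\]$/, "", r)
      reason[pid] = r                           # remember the reason for this pid
    } else if ($0 ~ /password change failed/) print pid, "failed", reason[pid]
    else if ($0 ~ /password change succeeded/) print pid, "succeeded"
  }'
}
```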
Comment 16 Simo Sorce 2008-06-10 21:46:26 UTC
Do you happen to have multiple network interfaces configured on your machine ?

Comment 17 Andreas Mischinski 2008-06-11 18:50:48 UTC
(In reply to comment #16)
> Do you happen to have multiple network interfaces configured on your machine ?
I will have a look at it tomorrow, but to 90% I'm sure there is only one 
interface defined on it. If you have more questions/todos email me, I'm having 
some time tomorrow.

Comment 18 Chandrasekar Kannan 2008-06-12 16:57:52 UTC
no update on this yet. not blocking ipa v1 yet...
placing bug in un-screened mode

Comment 19 Andreas Mischinski 2008-06-23 13:28:45 UTC
Created attachment 310028 [details]
kinit dialog with log entries from messages and kerberos

Comment 20 Andreas Mischinski 2008-06-23 13:31:54 UTC
(In reply to comment #19)
> Created an attachment (id=310028) [edit]
> kinit dialog with log entries from messages and kerberos
> 

I have installed freeipa 1.1 on a fresh fedora 9 i386 installation. SELinux is
disabled, one interface is configured. I can use the ipa-commands but still
cannot change password for an ipauser. In my previous attachment there are the
results from kinit dialog and some logs.

Comment 21 Simo Sorce 2008-06-23 14:22:35 UTC
Did you enter an empty password ?
That's what the log seems to imply, and empty passwords are not permitted.
Also, unless you have a reason to, please do not disable SELinux.

Comment 22 Andreas Mischinski 2008-06-23 15:07:03 UTC
(In reply to comment #21)
> Did you enter an empty password ?
> That's what the log seem to imply, and empty passwords are not permitted.
> Also, unless you have a reason to, please do not disable SELinux.

Password is not empty. Whatever I type same result. I try to change the 
password on the ipaserver (ipa.mischins.world), since I wanted to try it on the 
server first. I can't proceed with further tests until I will be able to change 
the password. I have completed the installation with ipa-server-install --setup-bind.
The ipa-adduser and ipa-finduser are working fine. So why can I not 
change a simple password....

Comment 23 Simo Sorce 2008-06-23 21:16:03 UTC
I finally reproduced the problem, it seems building against mozldap libraries is
what is causing the issue, I am respinning packages against openldap libs, this
works for me.

I will post a link to new packages here as soon as they are built.

Comment 24 Simo Sorce 2008-06-23 21:43:24 UTC
New packages built, please download the ipa-1.1.0-3.fc9 rpms available here:
http://koji.fedoraproject.org/koji/packageinfo?packageID=5679

And report if they fix your problem, they fixed the VM where I reproed the
problem, and I am going to push these packages and close this bug unless I hear
otherwise.

Comment 25 Fedora Update System 2008-06-23 21:47:23 UTC
ipa-1.1.0-3.fc9 has been submitted as an update for Fedora 9

Comment 26 Fedora Update System 2008-06-23 22:00:16 UTC
ipa-1.1.0-2.fc8 has been submitted as an update for Fedora 8

Comment 27 Andreas Mischinski 2008-06-24 05:55:36 UTC
(In reply to comment #24)
> New packages built, please download the ipa-1.1.0-3.fc9 rpms available here:
> http://koji.fedoraproject.org/koji/packageinfo?packageID=5679
> And report if they fix your problem, they fixed the VM where I reproed the
> problem, and I am going to push these packages and close this bug unless I hear
> otherwise.

It works. After a reboot I could finally change the password and login with 
users from ipausers. Great work.

Comment 28 Fedora Update System 2008-06-25 02:52:01 UTC
ipa-1.1.0-3.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with 
su -c 'yum --enablerepo=updates-testing update ipa'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5662
