Description of problem:

Version-Release number of selected component (if applicable):
ipa-client-1.0.0-4.fc9.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Log in newly-created FreeIPA user "test1" to FC9 using GDM, or attempt "kinit test1"
2. Authentication requests password.
3. After entering password, kinit gives the message "Password expired. You must change it now. / Enter new password:" [GDM makes a similar request for password change]
4. kinit fails to change user password: "kinit(v5): Password change failed while getting initial credentials"

Actual results:
Password not changed -- ldapsearch -Y GSSAPI -b "dc=testipaserver,dc=com" uid=test1 indicates that the password was not changed; the existing password is still expired.

Expected results:
Password changes, user authenticates.

Additional info:
N.B. that running ipa-passwd with admin credentials succeeds in changing the password but still results in the password being expired -- i.e., the user still cannot change the password and authenticate.
This is fixed in 1.0.0-5+. A temporary workaround is to create the directory /var/cache/ipa/kpasswd. You probably need to do a restorecon on that directory as well.
Apologies for reopening this bug, but the workaround above did not solve the problem:

1) # mkdir /var/cache/ipa/kpasswd [n.b. I did this on both client and server]
2) # restorecon /var/cache/ipa/kpasswd
3) # kinit test1

Results are the same as in the original bug.
Can you provide the output of:

$ ls -lZd /var/cache/ipa/kpasswd

And see if there are any interesting errors in /var/log/messages?
drwxr-xrwx root root system_u:object_r:ipa_kpasswd_ccache_t:s0

The full read/write permissions and root ownership were just for debugging -- as an aside, what should the permissions be?
OK, that looks ok. The permissions should be 0700. Adding Simo to see if he has any ideas.
0700 is the right permission set; only kpasswd must have access to the credential caches.
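As an added check (this script is not part of the bug report or of FreeIPA), the following shell function verifies the points made above: the kpasswd credential-cache directory exists, is mode 0700 and owned by root, and, where an SELinux label is available, carries the ipa_kpasswd_ccache_t type shown in the ls -lZd output. It assumes GNU stat (as on Fedora), whose %a, %U and %C format specifiers it relies on; the owner argument is only there so the function can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report or from FreeIPA): check that the
# kpasswd credential-cache directory has the permissions the maintainers
# state (mode 0700, owned by root) and, where an SELinux label is readable,
# the ipa_kpasswd_ccache_t type seen in the bug.  Assumes GNU stat.

EXPECTED_MODE=700
EXPECTED_TYPE=ipa_kpasswd_ccache_t

# check_ccache_dir DIR [OWNER]
# Prints one line per finding.  Returns 0 when mode and owner are correct,
# 1 otherwise.  The SELinux type is reported but does not change the result:
# a missing label usually just means SELinux is not in use on the host.
check_ccache_dir() {
    dir=$1
    want_owner=${2:-root}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist (mkdir it, then restorecon it)"
        return 1
    fi

    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%U' "$dir")
    ctx=$(stat -c '%C' "$dir" 2>/dev/null)

    if [ "$mode" != "$EXPECTED_MODE" ]; then
        echo "WRONG MODE: $dir is $mode, expected $EXPECTED_MODE (chmod 0700 '$dir')"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "WRONG OWNER: $dir is owned by $owner, expected $want_owner"
        rc=1
    fi
    case $ctx in
        *"$EXPECTED_TYPE"*) ;;
        ""|"?") echo "INFO: no SELinux label on $dir (SELinux not in use?), type check skipped" ;;
        *) echo "WRONG TYPE: $dir is '$ctx', expected type $EXPECTED_TYPE (run restorecon -v '$dir')" ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir is mode $mode, owned by $owner"
    fi
    return "$rc"
}

# Usage on the IPA server, as root:
#   sh check_kpasswd_cache.sh /var/cache/ipa/kpasswd
if [ $# -gt 0 ]; then
    check_ccache_dir "$@"
fi
```

The directory posted earlier in this thread (drwxr-xrwx, i.e. mode 757) fails the mode check even though its SELinux type is right; the fix is chmod 0700 followed by restorecon, as the maintainers say.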
Can you see if there is anything in /var/log/messages or /var/log/krb5kdc.log that might be relevant to this? Or attach a fairly large snippet of those logs to the bug for review?
Is this still happening?
Created attachment 307306 [details] relevant portion of /var/log/krb5kdc.log
Created attachment 307307 [details] relevant portion of /var/log/messages
Yes, it is. I had some trouble with this too, so I created the directory mentioned above, which didn't help. This is the conversation I had while trying to change the password of account maxim:

# ssh maxim@freeipa-client
maxim@freeipa-client's password:
Warning: password has expired.
Last login: Sun Jun 1 13:50:49 2008 from freeipa-client.my-net.local
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user maxim.
Kerberos 5 Password:
New UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error

It then disconnects me. I checked /var/log/messages and saw this:

Jun 1 13:51:13 freeipa-server kpasswd[15014]: ldap_parse_result(): [Password Fails to meet minimum strength criteria]
Jun 1 13:51:13 freeipa-server kpasswd[15014]: password change failed!

Uh? If that was the problem, the "passwd: Authentication token manipulation error" is less than helpful. So I tried again, with a bizarre password, and had the same conversation (including the "passwd: Authentication token manipulation error" at the end). But this time, /var/log/messages said this:

Jun 1 13:52:22 freeipa-server kpasswd[15044]: password change succeeded!

/var/log/krb5kdc.log said this about the last password change attempt:

Jun 01 13:52:51 freeipa-server.my-net.local krb5kdc[4504](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jun 01 13:52:51 freeipa-server.my-net.local krb5kdc[4504](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.100.11: PREAUTH_FAILED: maxim for krbtgt/MY-NET.LOCAL, Decrypt integrity check failed

The last password change itself /was/ successful, btw. I am attaching the last parts of both messages and krb5kdc.log. getenforce=0 on this box, btw.
Have you enabled challenge-response authentication in sshd? This is required to be able to correctly perform a password change operation at the ssh login prompt. See: http://www.freeipa.com/page/AdministratorsGuide#Using_Password_Authentication
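As an added example (not part of this bug or of FreeIPA), here is a shell check for the sshd setting asked about above. It reads an sshd_config and reports the effective value of ChallengeResponseAuthentication, following sshd's own rules: the first value seen for a keyword wins, `#` starts a comment, `keyword=value` is allowed, the compiled-in default is "yes", and anything after the first Match line is conditional and so is ignored for a host-wide answer. It also accepts KbdInteractiveAuthentication, the name OpenSSH 8.7 and later use for the same option (ChallengeResponseAuthentication is kept as an alias there); the path and the sample configurations are constructed for the test.

```shell
#!/bin/sh
# Added example (not from the bug report or from FreeIPA): determine the
# effective value of an sshd_config option the way sshd does, then use it to
# answer "will an expired-password change work at the ssh login prompt?".

# effective_sshd_option FILE KEYWORDS DEFAULT
#   KEYWORDS is a |-separated list of equivalent keyword spellings.
#   sshd uses the first value it reads for a keyword, so we stop at the
#   first hit; settings inside Match blocks are conditional, so we stop
#   at the first Match line and fall back to DEFAULT.
effective_sshd_option() {
    keys=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v keys="|$keys|" -v def="$3" '
        { sub(/#.*/, "") }                        # drop comments
        { gsub(/[ \t]*=[ \t]*/, " ") }            # allow keyword=value
        NF == 0 { next }
        tolower($1) == "match" { exit }           # conditional section begins
        index(keys, "|" tolower($1) "|") {
            print tolower($2); found = 1; exit    # first value wins
        }
        END { if (!found) print def }
    ' "$1"
}

# sshd_allows_password_change FILE
#   Returns 0 if challenge-response (keyboard-interactive) authentication
#   is effectively enabled, which the FreeIPA guide requires for the
#   PAM password-change conversation during ssh login.
sshd_allows_password_change() {
    v=$(effective_sshd_option "$1" \
        'ChallengeResponseAuthentication|KbdInteractiveAuthentication' yes)
    [ "$v" = yes ]
}

# Usage on the IPA client:
#   sh check_sshd_cra.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    if sshd_allows_password_change "$1"; then
        echo "OK: challenge-response authentication is enabled in $1"
    else
        echo "FIX: set 'ChallengeResponseAuthentication yes' in $1 and restart sshd"
        exit 1
    fi
fi
```

Fedora's shipped sshd_config of that era set the option to "no", which is the case this check is meant to catch; the first-match rule matters because appending `ChallengeResponseAuthentication yes` at the end of such a file does nothing.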
Same problem with ipa-client-1.0.0-6.fc9.i386 on Fedora Core 9 (x86). I've created a new user testi and followed the instructions in http://www.freeipa.com/page/AdministratorsGuide. I tried to obtain a ticket and get the following result:

[root@ipa home]# kinit testi
Password for testi:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials

This is the log from /var/log/krb5kdc.log:

Jun 04 11:33:02 ipa.mischins.world krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 141.83.20.101: CLIENT KEY EXPIRED: testi for krbtgt/MISCHINS.WORLD, Password has expired
Jun 04 11:33:02 ipa.mischins.world krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 141.83.20.101: NEEDED_PREAUTH: testi for kadmin/changepw, Additional pre-authentication required
Jun 04 11:33:05 ipa.mischins.world krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 141.83.20.101: ISSUE: authtime 1212571985, etypes {rep=18 tkt=18 ses=18}, testi for kadmin/changepw

In /var/log/messages I have not found relevant entries.
Do you have SELinux enabled? Can you monitor the audit log while trying a kinit to see if any AVCs are thrown? What version of ipa-server is installed? I'm assuming that the client is on a separate machine.
To reproduce this problem: Install Fedora Core 9, obtain the latest updates and install ipa-server from the repository, ipa-server-1.0.0.6fc9 (i386), with dependencies. Perform an interactive install from the command line with ipa-server-install. SELinux is set to permissive mode. The client is on the same machine as the server.

After installation I successfully obtained a ticket with the admin account and added the user testi with the web interface. The commands getent passwd and id testi work; the user is found and known to the system. After this I rebooted the system and logged in with my local user account (andreas). I tried to obtain a ticket as user testi:

[andreas@ipa ~]$ kinit testi
Password for testi:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials

This is the log entry in /var/log/krb5kdc.log:

Jun 06 07:38:38 ipa.mischins.world krb5kdc[2140](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 141.83.20.101: CLIENT KEY EXPIRED: testi for krbtgt/MISCHINS.WORLD, Password has expired
Jun 06 07:38:38 ipa.mischins.world krb5kdc[2140](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 141.83.20.101: NEEDED_PREAUTH: testi for kadmin/changepw, Additional pre-authentication required
Jun 06 07:38:40 ipa.mischins.world krb5kdc[2140](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 141.83.20.101: ISSUE: authtime 1212730720, etypes {rep=18 tkt=18 ses=18}, testi for kadmin/changepw

When I try to su to the user testi I get this (prompts translated from German):

[andreas@ipa ~]$ su testi -
Password:
Warning: Your password will expire in less than one hour.
Warning: password has expired.
Kerberos 5 Password:
Warning: Your password will expire in less than one hour.
Enter new UNIX password:        # type new password
Retype new UNIX password:       # retype password
su: invalid password
[andreas@ipa ~]$

/var/log/audit/audit.log:

type=USER_AUTH msg=audit(1212732181.070:45): user pid=3668 uid=500 auid=500 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="testi" exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_ACCT msg=audit(1212732181.074:46): user pid=3668 uid=500 auid=500 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="testi" exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=failed)'
type=USER_CHAUTHTOK msg=audit(1212732231.647:47): user pid=3668 uid=500 auid=500 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok acct="testi" exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=failed)'

When trying to obtain a ticket with 'kinit testi', no entries are created in /var/log/audit/audit.log.
Do you happen to have multiple network interfaces configured on your machine?
(In reply to comment #16)
> Do you happen to have multiple network interfaces configured on your machine ?

I will have a look at it tomorrow, but I'm 90% sure there is only one interface defined on it. If you have more questions/to-dos, email me; I have some time tomorrow.
No update on this yet. Not blocking ipa v1 yet... placing bug in un-screened mode.
Created attachment 310028 [details] kinit dialog with log entries from messages and kerberos
(In reply to comment #19)
> Created an attachment (id=310028)
> kinit dialog with log entries from messages and kerberos

I have installed FreeIPA 1.1 on a fresh Fedora 9 i386 installation. SELinux is disabled, one interface is configured. I can use the ipa commands but still cannot change the password for an IPA user. In my previous attachment there are the results from the kinit dialog and some logs.
Did you enter an empty password? That's what the logs seem to imply, and empty passwords are not permitted. Also, unless you have a reason to, please do not disable SELinux.
(In reply to comment #21)
> Did you enter an empty password ?
> That's what the log seem to imply, and empty passwords are not permitted.
> Also, unless you have a reason to, please do not disable SELinux.

The password is not empty. Whatever I type, same result. I am trying to change the password on the IPA server (ipa.mischins.world), since I wanted to try it on the server first. I can't proceed with further tests until I am able to change the password. I have completed the installation with ipa-server-install --setup-bind. ipa-adduser and ipa-finduser are working fine. So why can I not change a simple password....
I finally reproduced the problem; it seems building against the mozldap libraries is what is causing the issue. I am respinning the packages against the openldap libs, which works for me. I will post a link to the new packages here as soon as they are built.
New packages built; please download the ipa-1.1.0-3.fc9 rpms available here: http://koji.fedoraproject.org/koji/packageinfo?packageID=5679 and report whether they fix your problem. They fixed the VM where I reproduced the problem, and I am going to push these packages and close this bug unless I hear otherwise.
ipa-1.1.0-3.fc9 has been submitted as an update for Fedora 9.
ipa-1.1.0-2.fc8 has been submitted as an update for Fedora 8.
(In reply to comment #24)
> New packages built, please download the ipa-1.1.0-3.fc9 rpms available here:
> http://koji.fedoraproject.org/koji/packageinfo?packageID=5679
> And report if they fix your problem, they fixed the VM where I reproed the
> problem, and I am going to push these packages and close this bug unless I hear
> otherwise.

It works. After a reboot I could finally change the password and log in with users from ipausers. Great work.
ipa-1.1.0-3.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ipa'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5662