Description of problem:
I have a FreeIPA server and client installed. Users on client computers are supposed to log in with GDM, even the first time, when the account has just been created. But changing the password in GDM doesn't work and fails with 'authentication token manipulation error'. I tried to change the password for an existing user using the passwd command and it also failed with the same error; kpasswd works fine.

Some messages from log files (unsuccessful attempt to change password):

Console output from the passwd command:

-sh-4.1$ passwd
Changing password for user dimaktt.
Kerberos 5 Password:
Warning: Your password will expire in less than one hour.
New password:
Retype new password:
passwd: Authentication token manipulation error

/var/log/secure:

Feb 10 08:54:19 dguryanov-laptop passwd: pam_unix(passwd:chauthtok): user "dimaktt" does not exist in /etc/passwd
Feb 10 08:54:31 dguryanov-laptop passwd: pam_unix(passwd:chauthtok): user "dimaktt" does not exist in /etc/passwd
Feb 10 08:54:31 dguryanov-laptop passwd: pam_krb5[29752]: password change failed for dimaktt.RU: Cannot contact any KDC for requested realm
Feb 10 08:54:31 dguryanov-laptop passwd: gkr-pam: couldn't change password for the login keyring.

/var/log/audit/audit.log:

type=USER_CHAUTHTOK msg=audit(1297317274.044:690): user pid=29752 uid=1100 auid=500 ses=1 msg='op=PAM:chauthtok acct="dimaktt" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/14 res=failed'
type=USER_CHAUTHTOK msg=audit(1297317274.044:691): user pid=29752 uid=1100 auid=500 ses=1 msg='op=change password id=1100 exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/14 res=failed'

/var/log/dirsrv/slapd-SERVER000-SW-RU/access:

.....
[10/Feb/2011:08:54:25 +0300] conn=6 op=351 RESULT err=0 tag=101 nentries=1 etime=0
[10/Feb/2011:08:54:25 +0300] conn=6 op=352 SRCH base="dc=server000,dc=sw,dc=ru" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kadmin/changepw.RU))" attrs="krbPrincipalName krbcanonicalname objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbExtraData krbObjectReferences krballowedtodelegateto"
[10/Feb/2011:08:54:25 +0300] conn=6 op=352 RESULT err=0 tag=101 nentries=1 etime=0
[10/Feb/2011:08:54:25 +0300] conn=6 op=353 SRCH base="uid=dimaktt,cn=users,cn=accounts,dc=server000,dc=sw,dc=ru" scope=0 filter="(objectClass=*)" attrs="objectClass"
[10/Feb/2011:08:54:25 +0300] conn=6 op=353 RESULT err=0 tag=101 nentries=1 etime=0
[10/Feb/2011:08:54:25 +0300] conn=6 op=354 MOD dn="uid=dimaktt,cn=users,cn=accounts,dc=server000,dc=sw,dc=ru"
[10/Feb/2011:08:54:25 +0300] conn=6 op=354 RESULT err=50 tag=103 nentries=0 etime=0

I've tried to fix the problem and looked in the source of the kpasswd command and pam_krb5: kpasswd calls krb5_change_password for changing the password; pam_krb5-2.3.11-1/src/v5.c contains the following code:

#ifdef HAVE_KRB5_SET_PASSWORD
int
v5_change_password(krb5_context ctx, krb5_creds *creds, char *password,
                   int *result_code, krb5_data *result_code_string,
                   krb5_data *result_string)
{
	/* RFC 3244 set-password request (protocol version 0xff80) */
	return krb5_set_password(ctx, creds, password, creds->client,
	                         result_code, result_code_string, result_string);
}
#else
int
v5_change_password(krb5_context ctx, krb5_creds *creds, char *password,
                   int *result_code, krb5_data *result_code_string,
                   krb5_data *result_string)
{
	/* classic kpasswd change-password request (protocol version 1) */
	return krb5_change_password(ctx, creds, password,
	                            result_code, result_code_string, result_string);
}
#endif

HAVE_KRB5_SET_PASSWORD is defined, so it calls krb5_set_password.

I changed the line #ifdef HAVE_KRB5_SET_PASSWORD to #if 0, built and installed a new rpm, and everything began to work.

Version-Release number of selected component (if applicable):
pam_krb5-2.3.11-2.fc14.x86_64
ipa-client-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64

How reproducible: always

Steps to Reproduce:
1. Set up the IPA server and client (they can be on the same host).
2. Copy /etc/ldap.conf to /etc/nss_ldap.conf (maybe another bug: ipa-client-install configures /etc/ldap.conf, but nss uses /etc/nss_ldap.conf).
3. Change pam_sss.so to pam_krb5.so in /etc/pam.d/system-auth (tried also with pam_sss; it also doesn't work by default).
4. Create a user account in IPA and create a password for it using ipa-passwd.
5. su - to the new user.
6. Try to change the password using the passwd command.

Actual results: the passwd command fails.

Expected results: the passwd command successfully changes the password.
It looks like ipa-kpasswd isn't handling set-password requests. Which version of IPA do you have installed at the server?
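The distinction the report and this reply turn on is the protocol version in the kpasswd request: krb5_change_password sends the classic change-password message (version 0x0001), while krb5_set_password sends the RFC 3244 set-password message (version 0xff80), and a server that only handles the first should answer with the BAD_VERSION result code so the client can fall back instead of surfacing an opaque error. The following is an added example, not code from the bug report, pam_krb5 or FreeIPA; it implements only the 6-byte framing header shared by both message types, a simulated server that accepts a configurable set of versions, and a client-side fallback. The AP-REQ and KRB-PRIV payloads are constructed placeholders, and the helper names (build_request, parse_request, server_result, change_password_with_fallback) are this example's own.

```python
"""Classify kpasswd requests by protocol version and model a version fallback.

Added example (not pam_krb5 or FreeIPA code). Framing per the classic
kpasswd protocol and RFC 3244: 2-byte message length, 2-byte protocol
version, 2-byte AP-REQ length, then the AP-REQ and the KRB-PRIV.
The Kerberos payloads are placeholder bytes, not real messages.
"""
import struct

KPASSWD_VERS_CHANGEPW = 0x0001   # classic kpasswd, sent by krb5_change_password()
KPASSWD_VERS_SETPW = 0xFF80      # RFC 3244 set-password, sent by krb5_set_password()

# Result codes from RFC 3244 section 2.
KPASSWD_SUCCESS = 0
KPASSWD_MALFORMED = 1
KPASSWD_BAD_VERSION = 6

HEADER = struct.Struct("!HHH")  # message length, protocol version, AP-REQ length

# Constructed placeholders: a real request carries an AP-REQ and a KRB-PRIV here.
FAKE_AP_REQ = b"AP-REQ-placeholder"
FAKE_KRB_PRIV = b"KRB-PRIV-placeholder"


def build_request(version, ap_req=FAKE_AP_REQ, krb_priv=FAKE_KRB_PRIV):
    """Frame a kpasswd request: 6-byte header, then AP-REQ, then KRB-PRIV."""
    body = ap_req + krb_priv
    return HEADER.pack(HEADER.size + len(body), version, len(ap_req)) + body


def parse_request(msg):
    """Split a framed request; raise ValueError on malformed framing."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than framing header")
    msg_len, version, ap_req_len = HEADER.unpack_from(msg)
    if msg_len != len(msg):
        raise ValueError("length field does not match message size")
    if HEADER.size + ap_req_len >= msg_len:
        raise ValueError("AP-REQ length leaves no room for KRB-PRIV")
    ap_req = msg[HEADER.size:HEADER.size + ap_req_len]
    krb_priv = msg[HEADER.size + ap_req_len:]
    return {"version": version, "ap_req": ap_req, "krb_priv": krb_priv}


def describe_version(version):
    """Human-readable name for a kpasswd protocol version."""
    names = {
        KPASSWD_VERS_CHANGEPW: "change-password (kpasswd v1, krb5_change_password)",
        KPASSWD_VERS_SETPW: "set-password (RFC 3244, krb5_set_password)",
    }
    return names.get(version, "unknown version 0x%04x" % version)


def server_result(msg, supported=(KPASSWD_VERS_CHANGEPW,)):
    """Result code a server understanding only `supported` versions should answer.

    Answering BAD_VERSION lets the client retry with the other protocol;
    failing silently leaves it with an opaque error. AP-REQ and KRB-PRIV
    verification is out of scope for this example.
    """
    try:
        req = parse_request(msg)
    except ValueError:
        return KPASSWD_MALFORMED
    if req["version"] not in supported:
        return KPASSWD_BAD_VERSION
    return KPASSWD_SUCCESS


def change_password_with_fallback(send):
    """Client side: try set-password first, fall back to change-password on BAD_VERSION.

    `send` takes a framed request and returns a result code.
    Returns (version that was accepted, result code).
    """
    for version in (KPASSWD_VERS_SETPW, KPASSWD_VERS_CHANGEPW):
        code = send(build_request(version))
        if code != KPASSWD_BAD_VERSION:
            return version, code
    return None, KPASSWD_BAD_VERSION


if __name__ == "__main__":
    for version in (KPASSWD_VERS_SETPW, KPASSWD_VERS_CHANGEPW):
        msg = build_request(version)
        print("%-55s -> server result %d" % (describe_version(version), server_result(msg)))
    print("negotiated:", change_password_with_fallback(server_result))
```

With the default server (change-password only), the set-password attempt is answered with BAD_VERSION and the fallback succeeds on version 1, which is the same outcome the reporter obtained by compiling out HAVE_KRB5_SET_PASSWORD; passing both versions in `supported` models a server that handles set-password natively.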
https://bugzilla.redhat.com/show_bug.cgi?id=676526
ipa-server-1.2.2-6.fc14.x86_64
Have you installed IPA recently? As I recall there is an issue with the latest version of the DS server in Fedora. I recall the password plugin did not work correctly at some point. Ah this is the bug I am referring to. I wonder if it makes a difference https://bugzilla.redhat.com/show_bug.cgi?id=658832 What version of DS you are using on the server?
Here is another very similar bug. I suspect they are all the same. https://bugzilla.redhat.com/show_bug.cgi?id=665001 Please try updating your DS server.
I should have asked this earlier: are you getting any messages in /var/log/messages or /var/log/secure on the IPA server when you experience this failure at the client?
Dmitri, yes, I installed the system recently and updated to the latest version; now the version of the directory server is 389-ds-base-1.2.8-0.1.a1.fc14.x86_64. Nalin, I can't check it now; I'll write when I'm able to do it.
(In reply to comment #7)
> Dmitri, yes, I installed the system recently and updated to the latest version; now
> the version of the directory server is 389-ds-base-1.2.8-0.1.a1.fc14.x86_64.

Now? You mean you just updated DS just now and it still does not work, or you updated but have not tried? Can you please restart IPA, create a new user and try again? Please capture the logs on both sides, including KDC logs on the server and the same logs on the client side. The authentication scenario you are describing is a primary use case that we have tested over and over again. It got broken at some point due to FreeIPA 1.2 being old and DS code moving forward. We fixed it, so now the problem should go away, unless of course it is a different problem. But then it would have hit many people and we would have heard about it from many sources. On a side note, would you mind trying FreeIPA v2? We are going to have a Fedora test day on 2/15/11. See www.freeipa.org.

Thank you
Dmitri
I've tried to reproduce the bug in VMs and got some new errors.

First I installed and updated Fedora 14 into two VMs (server and client), and disabled SELinux and iptables. Then I started to configure the server:

1. Disabled nscd and NetworkManager, enabled the network service.
2. Added a record to /etc/hosts:

echo "192.168.122.158 ipaserver.testipa.com ipaserver" >> /etc/hosts

3. Installed ipa-server:

yum install -y ipa-server

Then I tried to execute ipa-server-install with the command

/usr/sbin/ipa-server-install -r TESTIPA.COM -n testipa.com -p LFPdktMM -a pfubJYbt --hostname ipaserver.testipa.com --ip-address=192.168.122.158 --setup-bind

and got 'No such file or directory' errors in ipaserver-install.log:

- /usr/lib/python2.7/site-packages/ipaserver/installutils.py contains an invalid path to kadmin.local: /usr/kerberos/sbin/kadmin.local instead of /usr/sbin/kadmin.local
- /usr/lib/python2.7/site-packages/ipaserver/krbinstance.py contains an invalid path to kdb5_ldap_util: /usr/kerberos/sbin/kdb5_ldap_util

I fixed these files, ran ipa-server-install --uninstall and then ipa-server-install with the same command as the first time; it completed successfully. Then I got a ticket using 'kinit admin' and tried to find the admin user:

[root@ipaserver ~]# ipa-finduser admin
''

ipa-adduser also doesn't work. There are messages about segfaulted processes in Apache's error log:

[Sun Feb 13 15:13:08 2011] [notice] child pid 1910 exit signal Segmentation fault (11)
[Sun Feb 13 15:13:13 2011] [notice] child pid 1911 exit signal Segmentation fault (11)
[Sun Feb 13 15:13:13 2011] [notice] child pid 1912 exit signal Segmentation fault (11)

And nothing in /var/log/messages and /var/log/secure.
In 1.2 you had to install Kerberos too as far as I recall. I hope that this is how you fixed the issue.
Kerberos had been installed as a dependency of ipa-server on both the real computer and the VM:

[root@ipa-server ~]# rpm -qa | grep krb
krb5-workstation-1.8.2-6.fc14.x86_64
python-krbV-1.0.90-2.fc14.x86_64
krb5-auth-dialog-0.16-1.fc14.x86_64
krb5-server-ldap-1.8.2-6.fc14.x86_64
krb5-libs-1.8.2-6.fc14.x86_64
pam_krb5-2.3.11-2.fc14.x86_64
krb5-server-1.8.2-6.fc14.x86_64
I tried installing the IPA v1 server on a clean Fedora 14 VM. The installation went OK; issues with a wrong path to kadmin.local etc. were addressed in https://fedorahosted.org/freeipa/ticket/155. I have the following RPM versions:

$ rpm -qa | grep ipa
ipa-python-1.2.2-6.fc14.x86_64
ipa-admintools-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64
python-iniparse-0.4-2.fc14.noarch
ipa-client-1.2.2-6.fc14.x86_64
ipa-server-selinux-1.2.2-6.fc14.x86_64

However, the IPA server also behaved oddly on my VM. Running `ipa-finduser admin` took a very long time (> 5 mins) before it returned the result. Maybe it's also your case. I didn't find any error in any log, just a confirmation that it really took long to process this one request (made by all 3 of the following log records):

# tail -f /var/log/httpd/access_log
10.16.78.56 - admin [15/Feb/2011:16:37:25 -0500] "POST /ipa/xml HTTP/1.1" 200 130
10.16.78.56 - admin [15/Feb/2011:16:38:04 -0500] "POST /ipa/xml HTTP/1.1" 200 666
10.16.78.56 - admin [15/Feb/2011:16:40:29 -0500] "POST /ipa/xml HTTP/1.1" 200 458

The same situation was with `ipa-adduser`.
We do not have a reproducer on this one, and we are fully focused on IPA v2.x, so this bug, if it is not already fixed, would not be fixed in 1.2.x. We do not see this behavior with the latest 2.x bits, so I am closing this as won't fix.