Bug 870238 - IPA client cannot change AD Trusted User password
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Docs Contact:
Depends On:
Blocks: 881827
Reported: 2012-10-25 17:34 EDT by Scott Poore
Modified: 2015-09-29 03:14 EDT

See Also:
Fixed In Version: sssd-1.9.2-24.el6
Doc Type: Bug Fix
Doc Text:
No Documentation Needed
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 04:38:49 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Scott Poore 2012-10-25 17:34:42 EDT
Description of problem:

I can't seem to change an AD Trusted User's password from an IPA client. If I set up a trust from the IPA environment to an AD domain, I would expect to be able to change passwords.

Version-Release number of selected component (if applicable):
[root@rhel6-1 ~]# rpm -q ipa-server-trust-ad
ipa-server-trust-ad-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64
[root@rhel6-1 ~]# rpm -q ipa-server
ipa-server-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64

-sh-4.1$ passwd
Changing password for user adtestuser5@adtestdom.com.
Current Password:
passwd: Authentication token manipulation error

-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.

[root@rhel6-1 ~]# tail -3 /var/log/secure
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5@adtestdom.com" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5@adtestdom.com: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5@adtestdom.com

[root@rhel6-1 ~]# kinit Administrator@ADTESTDOM.COM
Password for Administrator@ADTESTDOM.COM: 

[root@rhel6-1 ~]# passwd adtestuser5@adtestdom.com
Changing password for user adtestuser5@adtestdom.com.
passwd: Authentication token manipulation error

[root@rhel6-1 ~]# passwd adtestuser5@ADTESTDOM.COM
Changing password for user adtestuser5@ADTESTDOM.COM.
passwd: Authentication token manipulation error

How reproducible:
Always, as far as I can tell.

Steps to Reproduce:
1.  Set up IPA master
2.  Set up AD server
3.  Set up trust with ipa-adtrust-install; ipa trust-add
4.  Log in as AD user on IPA client (can be the master)
5.  Run passwd to try to change the user's password.

Actual results:
Password change fails.

Expected results:
Password change succeeds.

Additional info:
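The /var/log/secure excerpt above is the only trace the failure leaves on the client: pam_unix rejects the user because it is not local, then pam_sss fails the chauthtok stage with PAM code 4. The following is an added example, not part of the bug report or of SSSD, that parses lines in that exact format and isolates pam_sss password-change failures for users from a given trusted domain; the sample log text is constructed after the excerpt in the report.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the /var/log/secure lines quoted in the report.
SAMPLE_SECURE_LOG = """\
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5@adtestdom.com" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5@adtestdom.com: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5@adtestdom.com
"""

# syslog prefix + "pam_<module>(<service>:<stage>): <message>"
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: "
    r"(?P<module>pam_\w+)\((?P<service>\w+):(?P<stage>\w+)\): (?P<msg>.*)$"
)
# pam_sss failure message: "... for user <user>: <code> (<text>)"
FAIL_RE = re.compile(
    r"Authentication failed for user (?P<user>\S+): (?P<code>\d+) \((?P<err>[^)]+)\)"
)


@dataclass
class ChauthtokFailure:
    ts: str
    host: str
    user: str
    domain: str      # realm part after '@', lower-cased (AD realms are case-insensitive)
    pam_code: int    # numeric PAM return code; 4 is PAM_SYSTEM_ERR
    pam_error: str


def parse_chauthtok_failures(log_text, trusted_domains):
    """Return pam_sss password-change (chauthtok) failures for users of the given domains."""
    wanted = {d.lower() for d in trusted_domains}
    failures = []
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        # Only the SSSD module's chauthtok stage is relevant; pam_unix noise is skipped.
        if not m or m["module"] != "pam_sss" or m["stage"] != "chauthtok":
            continue
        f = FAIL_RE.search(m["msg"])
        if not f:
            continue
        user = f["user"]
        domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
        if domain in wanted:
            failures.append(ChauthtokFailure(m["ts"], m["host"], user, domain,
                                             int(f["code"]), f["err"]))
    return failures
```

Feeding the real file to parse_chauthtok_failures with the trusted domain names from ipa trust-find gives a quick count of affected users without grepping by hand.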
Comment 3 Sumit Bose 2012-10-26 04:50:04 EDT
I changed the component to sssd because ipa is not involved here.
Comment 4 Dmitri Pal 2012-11-01 09:43:02 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1615
Comment 6 Steeve Goveas 2013-01-31 09:06:56 EST
    [root@ibm-x3500m4-01 ~]# ipa trust-find
    ---------------
    1 trust matched
    ---------------
      Realm name: adlab.qe
      Domain NetBIOS name: ADLAB
      Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
      Trust type: Active Directory domain
    ----------------------------
    Number of entries returned 1
    ----------------------------
     
* The following methods are not supported for changing an AD user's password
     
    [root@ibm-x3500m4-01 ~]# kinit Administrator@ADLAB.QE
    Password for Administrator@ADLAB.QE:
     
    [root@ibm-x3500m4-01 ~]# passwd fuser@ADLAB.QE
    Changing password for user fuser@ADLAB.QE.
    Password reset by root is not supported.
    passwd: Authentication token manipulation error
     
    [root@ibm-x3500m4-01 ~]# passwd fuser@adlab.qe
    Changing password for user fuser@adlab.qe.
    Password reset by root is not supported.
    passwd: Authentication token manipulation error
 
* ipa passwd is used only for IPA users, not for AD users
    
    [root@ibm-x3500m4-01 ~]# kinit admin
    Password for admin@TESTRELM.COM:
     
    [root@ibm-x3500m4-01 ~]# ipa passwd fuser@ADLAB.QE
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server
     
    [root@ibm-x3500m4-01 ~]# ipa passwd fuser@adlab.qe
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server 


* Only the passwd command executed as the AD user is supported
(Note: the GPO password minimum age policy setting can be modified from 1 to 0 for testing purposes, as done in this case)

[root@ibm-x3500m4-01 ~]# ssh -l nuser1@adlab.qe ibm-x3500m4-01.testrelm.com
nuser1@adlab.qe@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 41 day(s)
Could not chdir to home directory /home/adlab.qe/nuser1: No such file or directory
-sh-4.1$ passwd
Changing password for user nuser1@adlab.qe.
Current Password: 
New password: 
Retype new password: 
Your password will expire in 42 day(s).
passwd: all authentication tokens updated successfully.


Verified in version ipa-server-3.0.0-24.el6.x86_64 and sssd-1.9.2-82.el6.x86_64
Comment 7 errata-xmlrpc 2013-02-21 04:38:49 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
