Description of problem:
I can't seem to change an AD Trusted User's Password from an IPA client. If I set up a trust on an IPA env to an AD domain, I would expect to be able to change passwords.

Version-Release number of selected component (if applicable):
[root@rhel6-1 ~]# rpm -q ipa-server-trust-ad
ipa-server-trust-ad-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64
[root@rhel6-1 ~]# rpm -q ipa-server
ipa-server-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64

-sh-4.1$ passwd
Changing password for user adtestuser5.
Current Password:
passwd: Authentication token manipulation error
-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.
[root@rhel6-1 ~]# tail -3 /var/log/secure
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5
[root@rhel6-1 ~]# kinit Administrator
Password for Administrator:
[root@rhel6-1 ~]# passwd adtestuser5
Changing password for user adtestuser5.
passwd: Authentication token manipulation error
[root@rhel6-1 ~]# passwd adtestuser5
Changing password for user adtestuser5.
passwd: Authentication token manipulation error

How reproducible:
Always, as far as I can tell.

Steps to Reproduce:
1. Set up IPA Master
2. Set up AD Server
3. Set up trust with ipa-adtrust-install; ipa trust-add
4. Log in as AD user on IPA client (can be master)
5. Run passwd to try to change the user's password.

Actual results:
Password change fails.

Expected results:
Password change succeeds.

Additional info:
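An added example, not code from the bug report or from sssd: a small parser for /var/log/secure lines of the shape quoted above, which separates the expected pam_unix "does not exist in /etc/passwd" miss for a trusted-domain user from the pam_sss chauthtok failure that actually explains the "Authentication token manipulation error". The sample log text, including the extra sshd auth line used as a control, is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List
# Constructed /var/log/secure sample modelled on the report; the sshd auth line is a control.
SAMPLE_SECURE_LOG = """\
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5
Oct 25 17:30:02 rhel6-1 sshd[11301]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=nuser1
"""
# syslog prefix, optional "[pid]", then PAM's "module(service:action): message" shape
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: "
    r"(?P<module>pam_\w+)\((?P<service>\w+):(?P<action>\w+)\): (?P<msg>.*)$"
)
# pam_sss failure text; the number is the PAM return code (4 == PAM_SYSTEM_ERR)
SSS_FAIL = re.compile(r"Authentication failed for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)")

@dataclass
class PamEvent:
    timestamp: str
    host: str
    process: str
    module: str   # pam_unix, pam_sss, ...
    service: str  # PAM service name: passwd, sshd, ...
    action: str   # PAM stack: auth, session, chauthtok, ...
    message: str

@dataclass
class ChauthtokFailure:
    user: str
    code: int
    reason: str

def parse_secure_log(text: str) -> List[PamEvent]:
    """Parse PAM-formatted lines; lines from other sources are skipped."""
    events = []
    for line in text.splitlines():
        m = PAM_LINE.match(line)
        if m:
            events.append(PamEvent(*m.group("ts", "host", "proc", "module", "service", "action", "msg")))
    return events

def chauthtok_failures(events: List[PamEvent]) -> List[ChauthtokFailure]:
    """Password-change failures reported by pam_sss. The preceding pam_unix
    'does not exist in /etc/passwd' line is expected for a trusted-domain user
    (the stack falls through to pam_sss) and is deliberately not counted."""
    return [ChauthtokFailure(m["user"], int(m["code"]), m["reason"])
            for ev in events if ev.module == "pam_sss" and ev.action == "chauthtok"
            for m in [SSS_FAIL.search(ev.message)] if m]
```

Running `chauthtok_failures(parse_secure_log(SAMPLE_SECURE_LOG))` on the sample yields a single failure for adtestuser5 with PAM code 4 (System error), which is the line to look for when triaging this symptom.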
I changed the component to sssd because ipa is not involved here.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1615
[root@ibm-x3500m4-01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* The following methods are not supported for changing an AD user's password:

[root@ibm-x3500m4-01 ~]# kinit Administrator
Password for Administrator:
[root@ibm-x3500m4-01 ~]# passwd fuser
Changing password for user fuser.
Password reset by root is not supported.
passwd: Authentication token manipulation error
[root@ibm-x3500m4-01 ~]# passwd fuser
Changing password for user fuser.
Password reset by root is not supported.
passwd: Authentication token manipulation error

* ipa passwd is used only for IPA users, not for AD users:

[root@ibm-x3500m4-01 ~]# kinit admin
Password for admin:
[root@ibm-x3500m4-01 ~]# ipa passwd fuser
ipa: ERROR: The realm for the principal does not match the realm for this IPA server
[root@ibm-x3500m4-01 ~]# ipa passwd fuser
ipa: ERROR: The realm for the principal does not match the realm for this IPA server

* Only the passwd command executed as the AD user is supported
(Note: the GPO password minimum age policy setting can be modified from 1 to 0 for testing purposes, as done in this case):

[root@ibm-x3500m4-01 ~]# ssh -l nuser1 ibm-x3500m4-01.testrelm.com
nuser1@ibm-x3500m4-01.testrelm.com's password:
Your password will expire in 41 day(s)
Could not chdir to home directory /home/adlab.qe/nuser1: No such file or directory
-sh-4.1$ passwd
Changing password for user nuser1.
Current Password:
New password:
Retype new password:
Your password will expire in 42 day(s).
passwd: all authentication tokens updated successfully.

Verified in version ipa-server-3.0.0-24.el6.x86_64 and sssd-1.9.2-82.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html