Bug 870238 - IPA client cannot change AD Trusted User password
Summary: IPA client cannot change AD Trusted User password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 881827
Reported: 2012-10-25 21:34 UTC by Scott Poore
Modified: 2020-05-02 17:04 UTC

Fixed In Version: sssd-1.9.2-24.el6
Doc Type: Bug Fix
Doc Text:
No Documentation Needed
Clone Of:
Environment:
Last Closed: 2013-02-21 09:38:49 UTC
Target Upstream Version:
Embargoed:

Links:
  System: Github SSSD sssd issues; ID: 2657; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2020-05-02 17:04:05 UTC
  System: Red Hat Product Errata; ID: RHSA-2013:0508; Private: 0; Priority: normal; Status: SHIPPED_LIVE; Summary: Low: sssd security, bug fix and enhancement update; Last Updated: 2013-02-20 21:30:10 UTC

Description Scott Poore 2012-10-25 21:34:42 UTC
Description of problem:

I can't seem to change an AD Trusted User's password from an IPA client. If I set up a trust from an IPA environment to an AD domain, I would expect to be able to change passwords.

Version-Release number of selected component (if applicable):
[root@rhel6-1 ~]# rpm -q ipa-server-trust-ad
ipa-server-trust-ad-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64
[root@rhel6-1 ~]# rpm -q ipa-server
ipa-server-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64

-sh-4.1$ passwd
Changing password for user adtestuser5.
Current Password:
passwd: Authentication token manipulation error

-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.

[root@rhel6-1 ~]# tail -3 /var/log/secure
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5

[root@rhel6-1 ~]# kinit Administrator
Password for Administrator: 

[root@rhel6-1 ~]# passwd adtestuser5
Changing password for user adtestuser5.
passwd: Authentication token manipulation error

[root@rhel6-1 ~]# passwd adtestuser5
Changing password for user adtestuser5.
passwd: Authentication token manipulation error

How reproducible:
always as far as I can tell.

Steps to Reproduce:
1.  Set up IPA Master
2.  Set up AD Server
3.  Set up trust with ipa-adtrust-install; ipa trust-add
4.  Log in as AD user on IPA client (can be master)
5.  Run passwd to try to change the user's password.

Actual results:
password change fails

Expected results:
password change succeeds.

Additional info:

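As an added triage example (not part of the bug report or of SSSD), the following Python parses /var/log/secure lines like the ones quoted above and separates the pam_unix "does not exist in /etc/passwd" message, which is expected for users served by SSSD rather than /etc/passwd, from the pam_sss chauthtok failure that is the actual error. The sample log lines are constructed from the excerpt; the PAM return code names are the standard libpam constants.

```python
import re

# PAM return codes seen in pam_sss chauthtok messages. Code 4 is the value in the
# report's /var/log/secure excerpt; the others are standard libpam constants.
PAM_CODES = {4: "PAM_SYSTEM_ERR", 7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN", 20: "PAM_AUTHTOK_ERR"}

# Constructed sample, modelled on the report's excerpt: adtestuser5 fails in pam_sss,
# nuser1 only triggers the benign pam_unix line (it is not in /etc/passwd).
SAMPLE_LOG = """\
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5
Oct 25 17:40:11 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "nuser1" does not exist in /etc/passwd
"""

# syslog prefix, then "<module>(<service>:<type>): <message>"
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): "
    r"(?P<module>pam_\w+)\((?P<service>\w+):(?P<type>\w+)\): (?P<msg>.*)$"
)
SSS_FAIL_RE = re.compile(r"Authentication failed for user (?P<user>\S+): (?P<code>\d+)")
UNIX_MISSING_RE = re.compile(r'user "(?P<user>[^"]+)" does not exist in /etc/passwd')


def parse_pam_line(line):
    """Split one syslog line into PAM fields; None if it is not a PAM message."""
    m = PAM_RE.match(line)
    return m.groupdict() if m else None


def triage_chauthtok(log_text):
    """Map user -> list of chauthtok events. pam_unix 'does not exist in /etc/passwd'
    is expected for SSSD-served users and recorded as benign; a pam_sss failure is the
    real error and is annotated with its PAM return code name."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_pam_line(line)
        if not rec or rec["type"] != "chauthtok":
            continue  # logins, sessions and non-PAM lines are out of scope
        if rec["module"] == "pam_unix" and (m := UNIX_MISSING_RE.search(rec["msg"])):
            events.setdefault(m["user"], []).append("pam_unix: not a local user (benign)")
        elif rec["module"] == "pam_sss" and (m := SSS_FAIL_RE.search(rec["msg"])):
            code = int(m["code"])
            events.setdefault(m["user"], []).append(
                f"pam_sss: chauthtok failed, rc={code} ({PAM_CODES.get(code, 'unknown')})")
    return events


def failing_users(log_text):
    """Users whose password change actually failed (a pam_sss chauthtok error)."""
    return sorted(u for u, ev in triage_chauthtok(log_text).items()
                  if any(e.startswith("pam_sss") for e in ev))
```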
Comment 3 Sumit Bose 2012-10-26 08:50:04 UTC
I changed the component to sssd because ipa is not involved here.

Comment 4 Dmitri Pal 2012-11-01 13:43:02 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1615

Comment 6 Steeve Goveas 2013-01-31 14:06:56 UTC
    [root@ibm-x3500m4-01 ~]# ipa trust-find
    ---------------
    1 trust matched
    ---------------
      Realm name: adlab.qe
      Domain NetBIOS name: ADLAB
      Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
      Trust type: Active Directory domain
    ----------------------------
    Number of entries returned 1
    ----------------------------

* The following methods are not supported for changing an AD user's password

    [root@ibm-x3500m4-01 ~]# kinit Administrator
    Password for Administrator:
     
    [root@ibm-x3500m4-01 ~]# passwd fuser
    Changing password for user fuser.
    Password reset by root is not supported.
    passwd: Authentication token manipulation error
     
    [root@ibm-x3500m4-01 ~]# passwd fuser
    Changing password for user fuser.
    Password reset by root is not supported.
    passwd: Authentication token manipulation error

* ipa passwd is used only for IPA users, not for AD users

    [root@ibm-x3500m4-01 ~]# kinit admin
    Password for admin:
     
    [root@ibm-x3500m4-01 ~]# ipa passwd fuser
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server
     
    [root@ibm-x3500m4-01 ~]# ipa passwd fuser
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server 

* Only the passwd command run by the AD user is supported
(Note: the GPO password minimum age policy setting can be modified from 1 to 0 for testing purposes, as done in this case)

    [root@ibm-x3500m4-01 ~]# ssh -l nuser1 ibm-x3500m4-01.testrelm.com
    nuser1@ibm-x3500m4-01.testrelm.com's password:
    Your password will expire in 41 day(s)
    Could not chdir to home directory /home/adlab.qe/nuser1: No such file or directory
    -sh-4.1$ passwd
    Changing password for user nuser1.
    Current Password:
    New password:
    Retype new password:
    Your password will expire in 42 day(s).
    passwd: all authentication tokens updated successfully.


Verified in version ipa-server-3.0.0-24.el6.x86_64 and sssd-1.9.2-82.el6.x86_64

Comment 7 errata-xmlrpc 2013-02-21 09:38:49 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html