Bug 870238 – IPA client cannot change AD Trusted User password

Bug 870238 - IPA client cannot change AD Trusted User password

Summary:	IPA client cannot change AD Trusted User password

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	881827
	Show dependency tree / graph

Reported:	2012-10-25 17:34 EDT by Scott Poore
Modified:	2015-09-29 03:14 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	sssd-1.9.2-24.el6
Doc Type:	Bug Fix
Doc Text:	No Documentation Needed
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 04:38:49 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Scott Poore 2012-10-25 17:34:42 EDT

Description of problem:

I can't seem to change an AD Trusted User's Password from an IPA client.  If I setup a trust on IPA env to AD domain, I would expect to be able to change passwords.

Version-Release number of selected component (if applicable):
[root@rhel6-1 ~]# rpm -q ipa-server-trust-ad
ipa-server-trust-ad-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64
[root@rhel6-1 ~]# rpm -q ipa-server
ipa-server-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64

-sh-4.1$ passwd
Changing password for user adtestuser5@adtestdom.com.
Current Password:
passwd: Authentication token manipulation error

-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.

[root@rhel6-1 ~]# tail -3 /var/log/secure
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5@adtestdom.com" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5@adtestdom.com: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5@adtestdom.com

[root@rhel6-1 ~]# kinit Administrator@ADTESTDOM.COM
Password for Administrator@ADTESTDOM.COM: 

[root@rhel6-1 ~]# passwd adtestuser5@adtestdom.com
Changing password for user adtestuser5@adtestdom.com.
passwd: Authentication token manipulation error

[root@rhel6-1 ~]# passwd adtestuser5@ADTESTDOM.COM
Changing password for user adtestuser5@ADTESTDOM.COM.
passwd: Authentication token manipulation error

How reproducible:
always as far as I can tell.

Steps to Reproduce:
1.  Setup IPA Master
2.  Setup AD Server
3.  Setup trust with ipa-adtrust-install; ipa trust-add
4.  Log in as AD user on IPA client (can be master)
5.  run passwd to try to change the user's password.
  
Actual results:
password change fails

Expected results:
password change succeeds.

Additional info:

Comment 3 Sumit Bose 2012-10-26 04:50:04 EDT

I changed the component to sssd because ipa is not involved here.

Comment 4 Dmitri Pal 2012-11-01 09:43:02 EDT

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1615

Comment 6 Steeve Goveas 2013-01-31 09:06:56 EST

    [root@ibm-x3500m4-01 ~]# ipa trust-find
    ---------------
    1 trust matched
    ---------------
      Realm name: adlab.qe
      Domain NetBIOS name: ADLAB
      Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
      Trust type: Active Directory domain
    ----------------------------
    Number of entries returned 1
    ----------------------------
     
* Following methods are not supported to change AD user password
     
    [root@ibm-x3500m4-01 ~]# kinit Administrator@ADLAB.QE
    Password for Administrator@ADLAB.QE:
     
    [root@ibm-x3500m4-01 ~]# passwd fuser@ADLAB.QE
    Changing password for user fuser@ADLAB.QE.
    Password reset by root is not supported.
    passwd: Authentication token manipulation error
     
    [root@ibm-x3500m4-01 ~]# passwd fuser@adlab.qe
    Changing password for user fuser@adlab.qe.
    Password reset by root is not supported.
    passwd: Authentication token manipulation error
 
* ipa passwd is used only for IPA users not for AD users
    
    [root@ibm-x3500m4-01 ~]# kinit admin
    Password for admin@TESTRELM.COM:
     
    [root@ibm-x3500m4-01 ~]# ipa passwd fuser@ADLAB.QE
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server
     
    [root@ibm-x3500m4-01 ~]# ipa passwd fuser@adlab.qe
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server 


* Only passwd cmd executed from AD user is supported
(Note: GPO password minimum age policy setting can be modified from 1 to 0 for testing purpose as done in this case)

[root@ibm-x3500m4-01 ~]# ssh -l nuser1@adlab.qe ibm-x3500m4-01.testrelm.com
nuser1@adlab.qe@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 41 day(s)
Could not chdir to home directory /home/adlab.qe/nuser1: No such file or directory
-sh-4.1$ passwd
Changing password for user nuser1@adlab.qe.
Current Password: 
New password: 
Retype new password: 
Your password will expire in 42 day(s).
passwd: all authentication tokens updated successfully.


Verified in version ipa-server-3.0.0-24.el6.x86_64 and sssd-1.9.2-82.el6.x86_64

Comment 7 errata-xmlrpc 2013-02-21 04:38:49 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.