
Bug 870238

Summary: IPA client cannot change AD Trusted User password
Product: Red Hat Enterprise Linux 6
Reporter: Scott Poore <spoore>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: abokovoy, grajaiya, jgalipea, mkosek, nsoman, pbrezina, sbose, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.9.2-24.el6
Doc Type: Bug Fix
Doc Text: No Documentation Needed
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 09:38:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 881827

Description Scott Poore 2012-10-25 21:34:42 UTC
Description of problem:

I can't seem to change an AD Trusted User's password from an IPA client.  If I set up a trust from the IPA environment to an AD domain, I would expect to be able to change passwords.

Version-Release number of selected component (if applicable):
[root@rhel6-1 ~]# rpm -q ipa-server-trust-ad
ipa-server-trust-ad-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64
[root@rhel6-1 ~]# rpm -q ipa-server
ipa-server-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64

-sh-4.1$ passwd
Changing password for user adtestuser5.
Current Password:
passwd: Authentication token manipulation error

-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.

[root@rhel6-1 ~]# tail -3 /var/log/secure
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5

[root@rhel6-1 ~]# kinit Administrator
Password for Administrator: 

[root@rhel6-1 ~]# passwd adtestuser5
Changing password for user adtestuser5.
passwd: Authentication token manipulation error

[root@rhel6-1 ~]# passwd adtestuser5
Changing password for user adtestuser5.
passwd: Authentication token manipulation error

How reproducible:
always as far as I can tell.

Steps to Reproduce:
1.  Set up IPA Master
2.  Set up AD Server
3.  Set up trust with ipa-adtrust-install; ipa trust-add
4.  Log in as AD user on IPA client (can be master)
5.  Run passwd to try to change the user's password.
  
Actual results:
password change fails

Expected results:
password change succeeds.

Additional info:
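The /var/log/secure lines in the report show the pattern a defender can alert on: pam_unix reports the account missing from /etc/passwd (so it is served by SSSD, here an AD trust user) and pam_sss then fails the chauthtok with a numeric status. The parser below is an added example, not part of the bug report or of SSSD; it runs over a constructed copy of the quoted log lines and reports failed password changes for SSSD-only users.

```python
import re

# Constructed sample, modelled on the /var/log/secure lines quoted in the bug report.
SAMPLE_SECURE_LOG = """\
Oct 25 17:22:28 rhel6-1 passwd: pam_unix(passwd:chauthtok): user "adtestuser5" does not exist in /etc/passwd
Oct 25 17:22:32 rhel6-1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user adtestuser5: 4 (System error)
Oct 25 17:23:36 rhel6-1 sshd[11248]: pam_unix(sshd:session): session closed for user adtestuser5
"""

# Common syslog/PAM prefix: timestamp, host, program[pid]:, module(service:type): message
PAM_LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: '
    r'(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<msg>.*)$')
UNKNOWN_LOCAL = re.compile(r'user "(?P<user>[^"]+)" does not exist in /etc/passwd')
SSS_FAILED = re.compile(r'Authentication failed for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)')


def parse_pam_line(line):
    """Return a dict describing a PAM syslog line, or None if the line is not one."""
    m = PAM_LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev['user'] = ev['code'] = ev['reason'] = None
    if u := UNKNOWN_LOCAL.search(ev['msg']):
        ev['user'] = u['user']
    elif u := SSS_FAILED.search(ev['msg']):
        ev['user'], ev['code'], ev['reason'] = u['user'], int(u['code']), u['reason']
    return ev


def failed_sss_chauthtok(log_text):
    """Password-change (chauthtok) attempts rejected by pam_sss, keyed by user name.

    A user that pam_unix reports as absent from /etc/passwd is served by SSSD only
    (for example an AD trust user), which is flagged as sssd_only_user.
    """
    events = [e for e in (parse_pam_line(l) for l in log_text.splitlines()) if e]
    sssd_only = {e['user'] for e in events
                 if e['module'] == 'pam_unix' and e['type'] == 'chauthtok' and e['user']}
    failures = {}
    for e in events:
        if e['module'] == 'pam_sss' and e['type'] == 'chauthtok' and e['code'] is not None:
            failures[e['user']] = {'ts': e['ts'], 'code': e['code'], 'reason': e['reason'],
                                   'sssd_only_user': e['user'] in sssd_only}
    return failures
```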

Comment 3 Sumit Bose 2012-10-26 08:50:04 UTC
I changed the component to sssd because ipa is not involved here.

Comment 4 Dmitri Pal 2012-11-01 13:43:02 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1615

Comment 6 Steeve Goveas 2013-01-31 14:06:56 UTC
[root@ibm-x3500m4-01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* The following methods are not supported for changing an AD user password

[root@ibm-x3500m4-01 ~]# kinit Administrator
Password for Administrator:

[root@ibm-x3500m4-01 ~]# passwd fuser
Changing password for user fuser.
Password reset by root is not supported.
passwd: Authentication token manipulation error

[root@ibm-x3500m4-01 ~]# passwd fuser
Changing password for user fuser.
Password reset by root is not supported.
passwd: Authentication token manipulation error

* ipa passwd is used only for IPA users, not for AD users

[root@ibm-x3500m4-01 ~]# kinit admin
Password for admin:

[root@ibm-x3500m4-01 ~]# ipa passwd fuser
ipa: ERROR: The realm for the principal does not match the realm for this IPA server

[root@ibm-x3500m4-01 ~]# ipa passwd fuser
ipa: ERROR: The realm for the principal does not match the realm for this IPA server

* Only the passwd command executed as the AD user is supported
(Note: the GPO password minimum age policy setting can be changed from 1 to 0 for testing purposes, as was done in this case)

[root@ibm-x3500m4-01 ~]# ssh -l nuser1 ibm-x3500m4-01.testrelm.com
nuser1@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 41 day(s)
Could not chdir to home directory /home/adlab.qe/nuser1: No such file or directory
-sh-4.1$ passwd
Changing password for user nuser1.
Current Password: 
New password: 
Retype new password: 
Your password will expire in 42 day(s).
passwd: all authentication tokens updated successfully.


Verified in version ipa-server-3.0.0-24.el6.x86_64 and sssd-1.9.2-82.el6.x86_64

Comment 7 errata-xmlrpc 2013-02-21 09:38:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html