[Freeipa-devel] setting passwords stopped working

Maxim Burgerhout maxim at wzzrd.com
Wed Jun 25 08:22:33 UTC 2008


Hi,

I have been implementing FreeIPA in a pilot environment in a
not-for-profit organisation I work for in my spare time (I'm telling
this so you won't think I'm mad for implementing this in an enterprise
production setting ;-)). I found FreeIPA so promising I decided to
build a setup with it, work with it for a year or so and migrate to
IPA on CentOS, RHEL or something else, if we would evaluate the
product as good enough by then.

We ran into the can't-change-password problem last week and I'm happy
it was solved already. I installed the fixes I downloaded from the
site mentioned earlier, but after that I ran into 'Decrypt integrity
check failed' errors.

I have some new accounts with expired passwords for testing. When I
try to log into a client system with one of those accounts through
gdm, the console or ssh, I'm supposed to change the password. No matter
how I try to log in, the password change always fails. In the krb5kdc
logs on the IPA server I see 'decrypt integrity check failed' errors
for kadmin/changepw and the test user account. I had to leave in a
hurry, so I haven't got the exact message here, but hopefully this
helps a bit.

Anyway, I can set the password for an account by su'ing to it and then
running kinit: the password change through kinit works fine.

Most accounts of this error message Google shows me are about multiple
KDCs conflicting with each other (I have only one), about principals
with kvno conflicts (which seems unlikely for a user account) or about
people typing the wrong password (which I'm really pretty sure is not
what is happening), so I thought I'd drop it here: maybe one of you
can slap me around the ears with something completely obvious I failed
to configure :-) or else tell me to file a bug report...

Max


On 25/06/2008, Matt Flusche <matt.flusche at cox.net> wrote:
> This is the same issue I reported on 5/31... Never heard much feedback.
> Glad it's being addressed so I can continue testing.
>
> Thanks,
>
> Matt
>
> On Jun 23, 2008, at 4:14 PM, Simo Sorce wrote:
>
> > On Mon, 2008-06-23 at 20:45 +0100, Matt Bernstein wrote:
> >
> > > It's up-to-date F9 x86_64:
> > >
> > > # ldd /usr/sbin/ipa_kpasswd
> > >        linux-vdso.so.1 =>  (0x00007fffa41fe000)
> > >        libssldap60.so => /usr/lib64/libssldap60.so (0x0000000000607000)
> > >        libprldap60.so => /usr/lib64/libprldap60.so (0x0000000000813000)
> > >        libldap60.so => /usr/lib64/libldap60.so (0x0000000000a18000)
> > >        libssl3.so => /lib64/libssl3.so (0x0000000000c50000)
> > >        libsmime3.so => /lib64/libsmime3.so (0x0000000000e82000)
> > >        libnss3.so => /lib64/libnss3.so (0x00000000046ec000)
> > >        libnssutil3.so => /lib64/libnssutil3.so (0x00000000025e4000)
> > >        libplds4.so => /lib64/libplds4.so (0x000000000230c000)
> > >        libplc4.so => /lib64/libplc4.so (0x00000000010ad000)
> > >        libnspr4.so => /lib64/libnspr4.so (0x0000000002948000)
> > >        libpthread.so.0 => /lib64/libpthread.so.0 (0x00000000012b1000)
> > >        libdl.so.2 => /lib64/libdl.so.2 (0x00000000014cc000)
> > >        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007fcd9bdff000)
> > >        libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00007fcd9bbda000)
> > >        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fcd9b9d7000)
> > >        libc.so.6 => /lib64/libc.so.6 (0x00007fcd9b66b000)
> > >        libsoftokn3.so => /lib64/libsoftokn3.so (0x00007fcd9b431000)
> > >        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007fcd9b216000)
> > >        /lib64/ld-linux-x86-64.so.2 (0x0000000000110000)
> > >        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00007fcd9b00e000)
> > >        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fcd9ae0b000)
> > >        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fcd9abf6000)
> > >        libsqlite3.so.0 => /usr/lib64/libsqlite3.so.0 (0x00007fcd9a987000)
> > >        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fcd9a74e000)
> > >        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcd9a532000)
> > >
> > > Let me know if there's anything else I can offer.
> > >
> >
> > This was to confirm my suspicions while I was updating my F9 machine.
> > The problem seems to show up when compiling against mozldap libraries, I
> > reproduced the test and then rebuilt packages linking against openldap
> > libraries instead. That fixed it, apparently.
> >
> > I am going to rebuild all Fedora packages against openldap libs until we
> > find out why mozldap libs do not work for us.
> >
> > Thanks very much for the report.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> >


-- 
Maxim Burgerhout
maxim at wzzrd.com
----------------
My public key:
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xACA34452



