[Freeipa-devel] setting passwords stopped working

Maxim Burgerhout maxim at wzzrd.com
Tue Jun 24 19:07:39 UTC 2008


Hi,

I have been implementing FreeIPA in a pilot environment in a
not-for-profit organisation I work for in my spare time (I'm telling
this so you won't think I'm mad for implementing this in an enterprise
production setting ;-)). I found FreeIPA so promising I decided to
build a setup with it, work with it for a year or so and migrate to
IPA on CentOS, RHEL or something else, if we would evaluate the
product as good enough by then.

We ran into the can't-change-password problem last week and I'm happy
it was solved already. I installed the fixes I downloaded from the
site mentioned earlier, but after that I ran into 'Decrypt integrity
check failed' errors.

I have some new accounts with expired passwords for testing. When I
try to log into a client system with one of those accounts through
gdm, the console or ssh, I'm supposed to change the password. No matter
how I try to log in, the password change always fails. In the krb5kdc
logs on the IPA server I see 'decrypt integrity check failed' errors
for kadmin/changepw and the test user account. I had to leave in a
hurry, so I haven't got the exact message here, but hopefully this
helps a bit.

Anyway, I can set the password for an account by su'ing to it and then
running kinit: the password change through kinit works fine.

Most accounts of this error message Google shows me are about multiple
KDCs conflicting with each other (I have only one), about principals
with kvno conflicts (which seems unlikely for a user account) or about
people typing the wrong password (which I'm really pretty sure is not
what is happening), so I thought I'd drop it here: maybe one of you
can slap me around the ears with something completely obvious I failed
to configure :-) or else tell me to file a bug report...

Max