[Freeipa-users] User passwords expired
Simo Sorce
ssorce at redhat.com
Sat Jul 11 20:21:02 UTC 2009
On Sat, 2009-07-11 at 14:41 -0500, David Christensen wrote:
> Simo Sorce wrote:
> > On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
> >> Every user I add is indicated as their password being expired, assuming
> >> this is normal and this forces users to create their own password when
> >> they first log in (not sure) I tried logging in as a test user.
> >
> > See: http://freeipa.org/page/NewPasswordsExpired
> >
> >> I was prompted with the expired password update now and attempted to do
> >> so. When I tried to change the password I got an error: kinit(v5)
> >> password change failed while getting initial credentials.
> >>
> >> What is this error telling me?
> >
> > Is ipa-kpasswd running on your IPA Server?
> > Do you see errors in /var/log/krb5kdc.log on the server?
> >
> >> I tried changing the password for the user via the UI but the account is
> >> still indicated as password expired.
> >
> > Expected, see the doc above.
> >
> > Simo.
> >
> Simo,
>
> This is a sample of the log file for the test user I have been using:
> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED:
> davidc at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password
> has expired
> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH:
> davidc at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional
> pre-authentication required
> Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262,
> etypes {rep=18 tkt=18 ses=18}, davidc at EXAMPLE.COM for
> kadmin/changepw at EXAMPLE.COM
> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH:
> kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM,
> Additional pre-authentication required
> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271,
> etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM for
> krbtgt/EXAMPLE.COM at EXAMPLE.COM
> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime
> 1247265271, etypes {rep=18 tkt=18 ses=18},
> kadmin/changepw at EXAMPLE.COM for ldap/ipa1.example.com at EXAMPLE.COM
>
> I verified that ipa_kpasswd is indeed running.

This sequence also seems to indicate that ipa-kpasswd is actually
attempting the password change (see kadmin/changepw getting a ticket for
the ldap server).

I wonder if this is just a timeout issue, as it strangely took 9 seconds
between kinit getting a ticket and ipa-kpasswd starting to perform a
password change. So presumably the whole operation took more.

If you "time" kinit, how long does it take to return the error?
If you re-run kinit, what do you get?
Does it accept the old password or does it require the new one to
succeed?

Simo.
--
Simo Sorce * Red Hat, Inc * New York