[Freeipa-users] can't reset password on fedora 13

Stephen Gallagher sgallagh at redhat.com
Mon Jun 7 14:04:19 UTC 2010


On 06/06/2010 06:06 PM, James Po wrote:
> I've installed (from yum) on fedora 13, created a user but cannot ssh
> in as that user - it fails to reset the password.
>
> I've disabled iptables & SELinux (for testing purposes) to no avail.
>
>
> macbook:~ james$ ssh bshit at 192.168.5.58
> bshit at 192.168.5.58's password:
> Warning: Your password will expire in less than one hour.
> Password expired. Change your password now.
> Last login: Sun Jun  6 22:25:17 2010 from 192.168.5.249
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user bshit.
> Current Password:
> New password:
> Retype new password:
> Warning: Your password will expire in less than one hour.
> Warning: Your password will expire in less than one hour.
> passwd: Authentication token manipulation error
> Connection to 192.168.5.58 closed.
>
>
> /var/log/secure:
>
> Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> [Cannot contact any KDC for requested realm]
> Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> message: Warning: Your password will expire in less than one hour.
> Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> [Cannot contact any KDC for requested realm]
> Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> message: Warning: Your password will expire in less than one hour.
> Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): Password change
> failed for user bshit: 22 (Authentication token lock busy)
> Jun  6 22:32:30 ipa passwd: gkr-pam: couldn't update the login keyring
> password: no old password was entered
> Jun  6 22:32:32 ipa sshd[1635]: pam_unix(sshd:session): session closed
> for user bshit
>
>
> /var/log/krb5kdc.log:
>
> Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> bshit at DEV.WEBSCALABILITY.COM for
> kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional pre-authentication
> required
> Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> 1275859950, etypes {rep=18 tkt=18 ses=18},
> bshit at DEV.WEBSCALABILITY.COM for
> kadmin/changepw at DEV.WEBSCALABILITY.COM
> Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> bshit at DEV.WEBSCALABILITY.COM for
> kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional pre-authentication
> required
> Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> 1275859950, etypes {rep=18 tkt=18 ses=18},
> bshit at DEV.WEBSCALABILITY.COM for
> kadmin/changepw at DEV.WEBSCALABILITY.COM


This looks like an error in the SSSD. Could you edit /etc/sssd/sssd.conf
and change debug_level=0 to debug_level=9 and then try this again? Then
examine /var/log/sssd/krb5_child.log and
/var/log/sssd/sssd_<your_domain>.log for clues.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
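
Added example, not part of the original message and not SSSD or FreeIPA code: a small triage script that lines up what pam_sss reported in /var/log/secure with what the KDC logged for kadmin/changepw, using the log lines quoted above. The function name triage and the result keys are hypothetical.

```python
import re

# Log lines copied from the post above, e-mail line wrapping undone.
SECURE = """\
Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info: [Cannot contact any KDC for requested realm]
Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info message: Warning: Your password will expire in less than one hour.
Jun  6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): Password change failed for user bshit: 22 (Authentication token lock busy)
"""
KDC = """\
Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH: bshit at DEV.WEBSCALABILITY.COM for kadmin/changepw at DEV.WEBSCALABILITY.COM, Additional pre-authentication required
Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime 1275859950, etypes {rep=18 tkt=18 ses=18}, bshit at DEV.WEBSCALABILITY.COM for kadmin/changepw at DEV.WEBSCALABILITY.COM
"""

PAM_SYS = re.compile(r"pam_sss\(passwd:chauthtok\): system info: \[(.+?)\]")
PAM_FAIL = re.compile(
    r"pam_sss\(passwd:chauthtok\): Password change failed for user (\S+): (\d+) \(")
# The list archive rewrites "@" as " at "; accept both forms.
KDC_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) \S+: (?P<status>\w+): "
    r".*?(?P<client>\S+?)(?:@| at )\S+ for (?P<service>\S+?)(?:@| at )")


def triage(secure_text, kdc_text):
    """Compare what pam_sss reported with what the KDC logged."""
    sys_msgs = sorted(set(PAM_SYS.findall(secure_text)))
    fail = PAM_FAIL.search(secure_text)
    # AS_REQ outcomes for the password-change service principal only.
    statuses = [m["status"] for m in KDC_REQ.finditer(kdc_text)
                if m["service"] == "kadmin/changepw"]
    issued = "ISSUE" in statuses
    unreachable = any("Cannot contact any KDC" in s for s in sys_msgs)
    return {
        "user": fail.group(1) if fail else None,
        "pam_code": int(fail.group(2)) if fail else None,
        "pam_system_info": sys_msgs,
        "kdc_issued_changepw_ticket": issued,
        # The two logs disagree: that is the point to chase in
        # krb5_child.log once debug_level is raised.
        "logs_disagree": unreachable and issued,
    }


if __name__ == "__main__":
    for key, value in triage(SECURE, KDC).items():
        print(f"{key}: {value}")
```

On the quoted logs it reports that the KDC issued a kadmin/changepw ticket while pam_sss logged "Cannot contact any KDC for requested realm".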



