[Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords
Andy Singleton
Andy.Singleton at tipp24os.co.uk
Tue Mar 22 10:11:47 UTC 2011
Hello,
I am trying to install a rhel6 machine with the ipa-1.2.2 client.
Everything appears to work fine, with the exception of updating users'
passwords from the client.
From the user perspective, I get this:
Changing password for user andytest.
Kerberos 5 Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
From the local secure log, I see this:
Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change failed for andytest@LIVE.TIPP24.NET: Cannot contact any KDC for requested realm
There are no local or network firewalls between the client and the IPA
server, and every other piece of IPA functionality appears to work fine.
On the IPA server itself, I see this in krb5kdc:
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth type found: Success
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest@LIVE.TIPP24.NET for kadmin/changepw@LIVE.TIPP24.NET, Preauthentication failed
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest@LIVE.TIPP24.NET for kadmin/changepw@LIVE.TIPP24.NET, Additional pre-authentication required
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18 tkt=18 ses=18}, andytest@LIVE.TIPP24.NET for kadmin/changepw@LIVE.TIPP24.NET
nsswitch.conf has the usual stuff:
passwd: files ldap
shadow: files ldap
group: files ldap
I'm not sure what else to check.
Andy
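
An added example, not part of the original post: a small parser for the krb5kdc AS_REQ lines quoted above, grouping them per client and service principal so the order of outcomes for kadmin/changepw is visible at a glance. The sample input is constructed from the post's log lines (unwrapped, with "@" in the principals); the function names are hypothetical.

```python
import re

# Constructed sample: the krb5kdc lines from the post, one log record per line.
SAMPLE = """\
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth type found: Success
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest@LIVE.TIPP24.NET for kadmin/changepw@LIVE.TIPP24.NET, Preauthentication failed
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest@LIVE.TIPP24.NET for kadmin/changepw@LIVE.TIPP24.NET, Additional pre-authentication required
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18 tkt=18 ses=18}, andytest@LIVE.TIPP24.NET for kadmin/changepw@LIVE.TIPP24.NET
"""

# Kerberos encryption type numbers that appear in the post's logs.
ETYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{(?P<issued>[^}]*)\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)

def parse_as_req(text):
    """Return one dict per AS_REQ line; other krb5kdc lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AS_REQ.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # Requested etypes, by name where known.
        ev["etypes"] = [ETYPES.get(int(n), n) for n in ev["etypes"].split()]
        # rep/tkt/ses etypes are only present on ISSUE lines.
        ev["issued"] = dict(kv.split("=") for kv in (ev["issued"] or "").split())
        events.append(ev)
    return events

def summarize(events):
    """Map (client, service) -> statuses in log order."""
    out = {}
    for ev in events:
        out.setdefault((ev["client"], ev["service"]), []).append(ev["status"])
    return out

if __name__ == "__main__":
    for (client, service), statuses in summarize(parse_as_req(SAMPLE)).items():
        print(f"{client} -> {service}: {' -> '.join(statuses)}")
```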