[Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

Andy Singleton Andy.Singleton at tipp24os.co.uk
Tue Mar 22 10:11:47 UTC 2011 

Hello,

 

I am trying to install a rhel6 machine with the ipa-1.2.2 client.

Everything appears to work fine, with the exception of updating users
passwords from the client.

 

>From the user perspective, I get this:

 

Changing password for user andytest.

Kerberos 5 Password: 

New password: 

Retype new password: 

passwd: Authentication token manipulation error

 

>From the local secure log, I see this:

 

Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
"andytest" does not exist in /etc/passwd

Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
"andytest" does not exist in /etc/passwd

Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for
requested realm

 

There are no local or network firewalls between the client and the IPA
server, and every other piece of IPA functionality appears to work fine.

 

On the IPA server itself, I see this in krb5kdc:

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
type found: Success

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for
kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for
kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for
kadmin/changepw at LIVE.TIPP24.NET

 

nsswitch.conf has the usual stuff:

 

passwd:     files ldap

shadow:     files ldap

group:      files ldap

 

I'm not sure what else to check.

 

Andy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110322/3802df52/attachment.htm>

More information about the Freeipa-users mailing list