[Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

Dmitri Pal dpal at redhat.com
Tue Mar 22 13:43:33 UTC 2011


On 03/22/2011 06:11 AM, Andy Singleton wrote:
> Hello,
>
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users'
> passwords from the client.
>
> From the user perspective, I get this:
>
> Changing password for user andytest.
> Kerberos 5 Password: 
> New password: 
> Retype new password: 
> passwd: Authentication token manipulation error
>
> From the local secure log, I see this:
>
> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andytest@LIVE.TIPP24.NET: Cannot contact any KDC for
> requested realm
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest@LIVE.TIPP24.NET for
> kadmin/changepw@LIVE.TIPP24.NET, Preauthentication failed
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest@LIVE.TIPP24.NET for
> kadmin/changepw@LIVE.TIPP24.NET, Additional pre-authentication required
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andytest@LIVE.TIPP24.NET for
> kadmin/changepw@LIVE.TIPP24.NET
>
> nsswitch.conf has the usual stuff:
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
>
> I'm not sure what else to check.
>
> Andy


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

