[Freeipa-users] passwd: Authentication token manipulation error

Dmitri Pal dpal at redhat.com
Mon Nov 19 23:31:46 UTC 2012


On 11/19/2012 05:51 PM, Marcello Giannoni UCLA wrote:
>
> Hi. This morning I was asked to reset the user password of one of our
> IPA/LDAP user accounts.
>
> After I reset the password I tried to log on to a particular ssh machine.
>
> The system asked to change the password as expected.
>
> I entered the new password and then re-entered the new password; after
> this the system answered with:
>
> passwd: Authentication token manipulation error
>
> So in order to test this situation I created a new account and I had
> the same problem with the new account.
>
> I also tried to reset another user's password and I got the same problem.
>
> It seems that I'm not able to reset anybody's user password.
>
> Any ideas????
>
> From the krb5kdc.log
>
> I get: Nov 19 14:35:31 ldap.webdom.lifesci.ucla.edu
> krb5kdc[1610](info): AS_REQ (4 etypes {18 17 16 23}) 164.67.110.65:
> PREAUTH_FAILED: taccount@myserver.com for kadmin/changepw@myserver.com,
> Decrypt integrity check failed
>
> from the /var/lib/dirsrv/slapd-server.com/errors file I get:
>
> ipapwd_setPasswordHistory - [file ipapwd_common.c, line 926]: failed
> to generate new password history!
> [19/Nov/2012:14:35:40 -0800] managed-entries-plugin - mep_mod_post_op:
> Unable to find config for origin entry
> "uid=taccount,cn=users,cn=accounts,dc=myserver,dc=com".
>
> Any idea on what's going on?
>

Something is really misconfigured on the server.
When the user tries to change password, his password policy needs to be
read from LDAP. Password policy depends on the groups the user is a
member of, so effectively the policy is merged from different policies.
That merge is failing because the DS plugin configuration is missing.

Does this happen on all your replicas?
If not and other replicas that you have work correctly, I would suggest
considering re-installation of the current replica. But to make it work,
I suggest you ask JR on #freeipa for exact steps as he has a lot of
expertise on recycling replicas.


>
> Thank you
>
> Marcello


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
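
A triage helper for the "does this happen on all your replicas?" question, as an added example that is not part of the original messages or of FreeIPA: run per replica, it pairs failed kadmin/changepw requests in krb5kdc.log with the two directory server plugin errors quoted in the thread. The sample log lines are constructed; the function names, the 60-second window and the assumption that both logs use the same local clock are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the excerpts quoted in the thread.
KDC_LOG = """\
Nov 19 14:35:31 ipa1.example.test krb5kdc[1610](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.65: PREAUTH_FAILED: taccount@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Decrypt integrity check failed
Nov 19 14:40:02 ipa1.example.test krb5kdc[1610](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.70: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
"""
DS_ERRORS = """\
[19/Nov/2012:14:35:40 -0800] ipapwd_setPasswordHistory - [file ipapwd_common.c, line 926]: failed to generate new password history!
[19/Nov/2012:14:35:40 -0800] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=taccount,cn=users,cn=accounts,dc=example,dc=test".
"""

# Failed AS_REQs aimed at the password-change service only.
KDC_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(info\): AS_REQ .*? "
    r"PREAUTH_FAILED: (\S+) for kadmin/changepw@\S+", re.M)
# The two directory server plugin messages named in the thread.
DS_RE = re.compile(
    r"^\[(\d\d/\w{3}/\d{4}:[\d:]{8}) [+-]\d{4}\] "
    r"(ipapwd_setPasswordHistory|managed-entries-plugin) - ", re.M)


def changepw_failures(kdc_text, year):
    """Return (time, principal) for each failed kadmin/changepw AS_REQ.
    The KDC timestamp carries no year, so the caller supplies it."""
    return [(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
             m.group(2)) for m in KDC_RE.finditer(kdc_text)]


def plugin_errors(ds_text):
    """Return (time, plugin) for each matching errors-log line (UTC offset ignored)."""
    return [(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"), m.group(2))
            for m in DS_RE.finditer(ds_text)]


def correlate(kdc_text, ds_text, year, window=60):
    """Pair each failure with plugin errors logged up to `window` seconds later."""
    errs = plugin_errors(ds_text)
    span = timedelta(seconds=window)
    return [(principal,
             sorted({p for t, p in errs if timedelta(0) <= t - when <= span}))
            for when, principal in changepw_failures(kdc_text, year)]


if __name__ == "__main__":
    for principal, plugins in correlate(KDC_LOG, DS_ERRORS, 2012):
        print(principal, "->", plugins or "no plugin errors nearby")
```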

