[Freeipa-users] Mountain Lion GUI Login

Dmitri Pal dpal at redhat.com
Wed Aug 7 22:42:57 UTC 2013 

On 08/07/2013 05:33 PM, Davis Goodman wrote:
> This is basically the log when I attempt to change the password:
>
> Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
> Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:fromRect:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
> Aug  7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context values set for testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Created principal: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done krb5_parse_name()
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got principal: testuser2 at DD.NET
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got password
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done getpwnam()
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get forwardable TGT.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: krb5_sendto_context is called on main thread, its a blocking api
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get non-forwardable TGT.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 error
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup3
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 refuses you
This is where it should behave differently.
It should treat this not as a failure but prompt for password change
when such error is returned.
I would check OSX forums on how to enable password change in UI

> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires updating.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to authenticate user <testuser2> (error: 10).
> Aug  7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App SecurityAgent cannot order in untagged windows before login.
> Aug  7 16:59:43 mactestvm.mtl.dd.net SecurityAgent[271]: CGSOrderWindowList
>
> Does this rings a bell?
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-users mailing list