[Freeipa-users] User Migrated from LDAP not able to change the password

Martin Kosek mkosek at redhat.com
Fri Feb 8 07:44:12 UTC 2013


On 02/08/2013 07:43 AM, Rajnesh Kumar Siwal wrote:
> We migrated the users from OpenLDAP to IPA.
> We are getting the following error after the user has been migrated
> (after he changes the password through https://ipa1/ipa/migration/)
> and he tries to change passwd:
> Account is not locked and Kerberos credentials seem to be present
> (created by ipa/migration)
> 
> $ ssh siwal at 1.1.1.1
> siwal at 172.31.254.204's password:
> Warning: Your password will expire in less than one hour.
> Password expired. Change your password now.
> Last login: Fri Feb  8 09:28:41 2013 from 1.1.1.2
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user siwal
> Current Password:
> passwd: Authentication token manipulation error
> Connection to 1.1.1.1 closed.
> --------------------------------------------------------------------------------
> # ipa user-status siwal
> -----------------------
> Account disabled: False
> -----------------------
>   Server: ipa1.xyz.dmz
>   Failed logins: 0
>   Last successful authentication: 2013-02-08T03:59:29Z
>   Last failed authentication: N/A
>   Time now: 2013-02-08T06:40:18Z
> 
>   Server: ipa2.xyz.dmz
>   Failed logins: 1
>   Last successful authentication: 2013-02-08T03:59:20Z
>   Last failed authentication: 2013-02-08T03:59:33Z
>   Time now: 2013-02-08T06:40:18Z
> ----------------------------
> Number of entries returned 2
> ----------------------------
> # ipa user-show vinay
>   User login: siwal
>   Home directory: /home/siwal
>   Login shell: /bin/bash
>   UID: 522
>   GID: 522
>   Account disabled: False
>   Password: True
>   Kerberos keys available: True
> 

Hello Rajnesh,

can you show your user password policy?

# ipa pwpolicy-show

I would also be interested to see the full user record after the authentication
failure:

# ipa user-show siwal --all --raw

krb* attributes and others may give us some hint about what's wrong.

Martin



