[Freeipa-users] Users Cannot Reset Expired Passwords Without Password Being Reset First in WebUI

Chris Natter chris.natter at destinationrewards.com
Wed Jan 2 22:47:40 UTC 2013


Hello,

My users are running into a bit of a problem with password expiry and
the reset prompts.

When they attempt to reset their password they end up receiving access
denied messages after going through the prompts to reset their password
and entering their new desired passwords.

The interesting thing is that if I reset the password via the Web UI to anything,
and then have the user try again with the new password, they are able to 
successfully reset their password with no issues.

Log snippets are below; I've sanitized them so the user in question is 'juser'.

Any help or guidance would be very appreciated. Thank you!

sshd[26945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.1.108  user=juser
sshd[26945]: pam_sss(sshd:auth): system info: [Password has expired]
sshd[26945]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.1.108 user=juser
sshd[26945]: pam_sss(sshd:auth): received for user juser: 12 (Authentication token is no longer valid; new one required)
sshd[26945]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in /etc/passwd
sshd[26945]: pam_unix(sshd:chauthtok): user "juser" does not exist in /etc/passwd
sshd[26945]: pam_sss(sshd:chauthtok): system info: [Generic error (see e-text)]
sshd[26945]: pam_sss(sshd:chauthtok): User info message: Password change failed. Server message: Password change rejected
sshd[26945]: pam_sss(sshd:chauthtok): Password change failed for user juser: 20 (Authentication token manipulation error)
sshd[26977]: pam_unix(sshd:auth): conversation failed
sshd[26977]: pam_unix(sshd:auth): auth could not identify password for [juser]
sshd[26977]: pam_sss(sshd:auth): system info: [Cannot read password]
sshd[26977]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.22.1.108 user=juser
sshd[26977]: pam_sss(sshd:auth): received for user juser: 4 (System error)
sshd[26977]: error: ssh_msg_send: write

[[sssd[krb5_child[26452]]]] [validate_tgt] (5): TGT verified using key for [host/devbox3.lnx.foo.local at LNX.FOO.LOCAL].
[[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[26949]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (5): krb5_get_init_creds_opt_set_expire_callback not available.
[[sssd[krb5_child[26949]]]] [get_and_save_tgt] (1): 721: [-1765328361][Password has expired]
[[sssd[krb5_child[26949]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (5): krb5_get_init_creds_opt_set_expire_callback not available.
[[sssd[krb5_child[26949]]]] [tgt_req_child] (1): 980: [-1765328361][Password has expired]
[[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[26958]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[26976]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[26976]]]] [changepw_child] (1): krb5_change_password failed [4][Password change rejected].

krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: CLIENT KEY EXPIRED: juser at LNX.FOO.LOCAL for krbtgt/LNX.FOO.LOCAL at LNX.FOO.LOCAL, Password has expired
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL, Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163914, etypes {rep=18 tkt=18 ses=18}, juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL, Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163921, etypes {rep=18 tkt=18 ses=18}, juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL, Additional pre-authentication required
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: ISSUE: authtime 1357163949, etypes {rep=18 tkt=18 ses=18}, juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: CLIENT KEY EXPIRED: juser at LNX.FOO.LOCAL for krbtgt/LNX.FOO.LOCAL at LNX.FOO.LOCAL, Password has expired
krb5kdc[9594](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.120.100.100: NEEDED_PREAUTH: juser at LNX.FOO.LOCAL for kadmin/changepw at LNX.FOO.LOCAL, Additional pre-authentication required
