On 08/07/2013 05:33 PM, Davis Goodman wrote:
> This is basically the log when I attempt to change the password:
>
> Aug 7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING:
> -[NSImage compositeToPoint:operation:fraction:] is deprecated in MacOSX 10.8
> and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:]
> instead.
> Aug 7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING:
> -[NSImage compositeToPoint:fromRect:operation:fraction:] is deprecated in
> MacOSX 10.8 and later. Please use -[NSImage
> drawAtPoint:fromRect:operation:fraction:] instead.
> Aug 7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context
> values set for testuser2
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Got user: testuser2
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Got ruser: (null)
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Got service: authorization
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Context initialised
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit:
> testuser2
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Got user: testuser2
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Got ruser: (null)
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Got service: authorization
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Context initialised
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Created principal: testuser2
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Done krb5_parse_name()
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Got principal: testus...@dd.net
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Got password
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Done getpwnam()
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Attempting to get forwardable TGT.
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]:
> krb5_sendto_context is called on main thread, its a blocking api
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Attempting to get non-forwardable TGT.
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Kerberos 5 error
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has
> expired
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Done cleanup2
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Done cleanup3
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): Kerberos 5 refuses you

This is where it should behave differently. It should treat this not as a
failure but prompt for a password change when such an error is returned.
I would check OSX forums on how to enable password change in the UI.

> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): pam_sm_authenticate: ntlm
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires
> updating.
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in
> pam_sm_acct_mgmt(): OpenDirectory - Password expired.
> Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to
> authenticate user <testuser2> (error: 10).
> Aug 7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App
> SecurityAgent cannot order in untagged windows before login.
> Aug 7 16:59:43 mactestvm.mtl.dd.net SecurityAgent[271]: CGSOrderWindowList
>
> Does this ring a bell?
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
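A triage sketch for logs like the one quoted above, added here as an example (it is not code from this thread or from the PAM module being discussed): it groups syslog lines by process and PID and separates logins rejected because the password expired, with no password-change step logged, from ordinary authentication failures. The sample lines are constructed from the quoted log with mail wrapping removed; the host name, the second session and the `pam_sm_chauthtok` log prefix are assumptions.

```python
import re

# Constructed sample: modelled on the quoted log with mail wrapping removed.
# The second session (pid 301) and its error text are invented for contrast.
SAMPLE_LOG = """\
Aug 7 16:59:26 mactestvm.example authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
Aug 7 16:59:26 mactestvm.example authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 refuses you
Aug 7 16:59:26 mactestvm.example authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug 7 16:59:26 mactestvm.example authorizationhost[283]: Failed to authenticate user <testuser2> (error: 10).
Aug 7 17:03:02 mactestvm.example authorizationhost[301]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Decrypt integrity check failed
Aug 7 17:03:02 mactestvm.example authorizationhost[301]: Failed to authenticate user <testuser3> (error: 9).
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_FN = re.compile(r"^in (pam_sm_\w+)\(\): (.*)$")
FAILED = re.compile(r"Failed to authenticate user <([^>]+)> \(error: (\d+)\)")
EXPIRED = re.compile(r"password (has )?expired", re.I)

def triage(log_text):
    """Return one finding per failed login, keyed on (process, pid)."""
    sessions, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip wrapped fragments and non-syslog lines
        key = (m["proc"], m["pid"])
        state = sessions.setdefault(key, {"expired": False, "change": False})
        fn = PAM_FN.match(m["msg"])
        if fn:
            # Assumption: a password-change hook would log under the standard
            # PAM entry point name pam_sm_chauthtok, like the other hooks do.
            state["change"] |= fn.group(1) == "pam_sm_chauthtok"
            state["expired"] |= bool(EXPIRED.search(fn.group(2)))
        failed = FAILED.search(m["msg"])
        if failed:
            if state["expired"] and not state["change"]:
                verdict = "expired-password-no-change-offered"
            elif state["expired"]:
                verdict = "expired-password-change-attempted"
            else:
                verdict = "authentication-failure"
            findings.append({"user": failed.group(1), "pid": m["pid"],
                             "error": int(failed.group(2)), "verdict": verdict})
            del sessions[key]  # next attempt from this pid starts clean
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Logs must be unwrapped to one entry per line before being passed in; continuation fragments that do not start with a syslog header are skipped.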