Re: [Freeipa-users] Mountain Lion GUI Login (Expired passwords / Mavericks too)
On Thu, 13 Mar 2014 14:08:29 + Jason wrote:

> Now if I create a new user in IPA. It will require a password change on
> logon.
>
> When I logon on the Mac with this new user. The password box wiggles
> and a box appears underneath it. "Reset your password". Saying I need
> to set a new password. So I enter a new password and I verify it. Then
> I click "Reset Password" and it wiggles... no matter how many times I
> try, it doesn't move on.

I don't have OS X, but every time I create a new test user on linux and log in to test it, I get bit by the fact that the passwd change always asks for the existing password first, before asking for the new password. So I have to enter the original password once to login, once to make passwd happy, and then enter the new password. Are you sure the dialog box isn't asking for the existing password first?

Robert

--
Senior Software Engineer @ Parsons

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Mountain Lion GUI Login (Expired passwords / Mavericks too)
Hi all,

This has been raised previously, here:
https://www.redhat.com/archives/freeipa-users/2013-August/msg00043.html

I'm experiencing the same issue and I will summarise.

Mac OS X (Mavericks in my case, but it was the same before I upgraded it from Mountain Lion.) Using RHEL 6.5 and ipa packages 3.0.0-37.

Directory Utility is connected to the IPA domain using the RFC2307 templates, slightly modified so that Groups is based from cn=compat,dc=domain and Users from cn=accounts,dc=domain, and so NFSHomeDirectory and HomeDirectory are set to #/Users/$uid$. The reason for compat for groups is so membership works correctly (it needs memberUid format) and the reason for accounts on Users is so all main info is available and regular change password works. Homes are set as such to keep everything local as I don't want networked home folders.

Logons work great. Groups are all populated fully. Users can go to System Preferences - Users & Groups - Change password and change password successfully. Home directories are kept local. Running createmobileaccount manually allows an account to successfully be marked as mobile so credential cache works, even if the home directories are local (it seems the GUI won't do it properly, maybe because they're already local.) So far, fantastic.

Now if I create a new user in IPA. It will require a password change on logon.

When I logon on the Mac with this new user. The password box wiggles and a box appears underneath it. "Reset your password". Saying I need to set a new password. So I enter a new password and I verify it. Then I click "Reset Password" and it wiggles... no matter how many times I try, it doesn't move on.

The log I get is somewhat smaller as I've not yet added kerberos to the pam.d/authorization (shouldn't be required for this since regular change password works.) And possibly because less logging is enabled, but I'm not sure what to modify and how.

12:50:47 SecurityAgent: User info context values set for testuser
12:50:48 authorizationhost: Failed to authenticate user testuser (error: 10).

Any thoughts on what the issue may be? Apple issue maybe, or some incompatibility on the FreeIPA side? Are there any logs from anywhere on the IPA that might help? I can see no apparent issues in the slapd access log, it seems to return successful for various attributes and just stop and no change comes in for the password - it doesn't seem to even request the global_policy, which it does when using regular Change password.

Regards,
Jason
Re: [Freeipa-users] Mountain Lion GUI Login (Expired passwords / Mavericks too)
On Mar 13, 2014, at 10:29, Robert Story rst...@tislabs.com wrote:

> On Thu, 13 Mar 2014 14:08:29 + Jason wrote:
>
>> Now if I create a new user in IPA. It will require a password change on
>> logon.
>>
>> When I logon on the Mac with this new user. The password box wiggles
>> and a box appears underneath it. "Reset your password". Saying I need
>> to set a new password. So I enter a new password and I verify it. Then
>> I click "Reset Password" and it wiggles... no matter how many times I
>> try, it doesn't move on.
>
> I don't have OS X, but every time I create a new test user on linux and log
> in to test it, I get bit by the fact that the passwd change always asks for
> the existing password first, before asking for the new password. So I have
> to enter the original password once to login, once to make passwd happy,
> and then enter the new password. Are you sure the dialog box isn't asking
> for the existing password first?
>
> Robert
> --
> Senior Software Engineer @ Parsons

Well I still haven't had any responses since that time.

I wish we could resolve this since it's the only little bit remaining to have a full FreeIPA integration.

BTW we also integrated sudo-ldap on our OSX machines.

The only thing is that you have to upgrade the sudo packages with this one:

sudo-1.8.9p3.pkg

and then:

installer -pkg /prod/sysadmin/darwin/software/sudo/sudo-1.8.9p3.pkg -target /
mv /usr/bin/sudo /usr/bin/sudo.orig
ln -s /usr/local/bin/sudo /usr/bin

then you modify sudo-ldap and nsswitch.conf, same thing as on the linux boxes.

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104  Cell: +1 (514) 994-7360
Re: [Freeipa-users] Mountain Lion GUI Login (Expired passwords / Mavericks too)
Hi

>> I don't have OS X, but every time I create a new test user on linux and log
>> in to test it, I get bit by the fact that the passwd change always asks for
>> the existing password first, before asking for the new password. So I have
>> to enter the original password once to login, once to make passwd happy,
>> and then enter the new password. Are you sure the dialog box isn't asking
>> for the existing password first?
>>
>> Robert
>> --
>> Senior Software Engineer @ Parsons
>
> Well I still haven't had any responses since that time.
>
> I wish we could resolve this since it's the only little bit remaining to
> have a full FreeIPA integration.

Yeh it's the only thing wrong for me. To answer Robert's question though - the reset password is a pop up with an arrow to the login and the original password is still there - so I would assume so. Guessing this is gonna need deeper investigation though, but I suspect it's more on the Apple side :-(

> BTW we also integrated sudo-ldap on our OSX machines.
>
> The only thing is that you have to upgrade the sudo packages with this one:
>
> sudo-1.8.9p3.pkg
>
> and then:
>
> installer -pkg /prod/sysadmin/darwin/software/sudo/sudo-1.8.9p3.pkg -target /
> mv /usr/bin/sudo /usr/bin/sudo.orig
> ln -s /usr/local/bin/sudo /usr/bin
>
> then you modify sudo-ldap and nsswitch.conf, same thing as on the linux boxes.
>
> --
> Davis Goodman
> Directeur Informatique | IT Manager
> 5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
> Tél: +1 (514) 360-3253 x104  Cell: +1 (514) 994-7360

Thanks for that! We've not got around to any sudo and not really needed it, but it's great to know it's certainly possible and fairly straightforward!

Jason
Re: [Freeipa-users] Mountain Lion GUI Login
Hi Lynn,

I just checked this in my lab setup:

- Set up a new user on the FreeIPA server as 'ipatest'.
- Logged in to a Linux client configured for FreeIPA, it prompted me to change my password.
- Successfully changed my password for ipatest. Verified this on another machine.
- Furthermore, I reset the Password Policy min lifetime to 0 and typed passwd on one of the ipa clients while logged in as ipatest. This worked without issue.

I also have FreeIPA set up in the lab with a domain trust to a 2008 R2 AD server, so I checked to see if the results would be the same.

- Logged in to a FreeIPA client machine as the AD user.
- Typed passwd, and successfully reset my password. Verified the change in Windows as well as another IPA client.

All Linux systems in this test are running CentOS 6.4 x86_64
FreeIPA server is running ipa-server-3.0.0-26.el6_4.4.x86_64
FreeIPA clients are running ipa-client-3.0.0-26.el6_4.4.x86_64
AD Server is running Windows 2008 R2

This won't necessarily help with the OS X problem, but maybe it assists with how it's working on Linux.

Thanks,
Brian

On Tue, Aug 6, 2013 at 8:25 PM, Lynn Root lr...@redhat.com wrote:

> On Aug 6, 2013, at 4:14 PM, KodaK sako...@gmail.com wrote:
>
>> On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman davis.good...@digital-district.ca wrote:
>>
>>> Hi,
>>>
>>> I have a FreeIPA server configured, managed to configure a Mountain Lion
>>> Client for automounts and user logins.
>>>
>>> My issue is that whenever I first login with a user the New Password box
>>> shows up and even if I try to change the password the box keeps
>>> reappearing without any success.
>>>
>>> If I log onto the machine with the local admin user and try to get a
>>> ticket for this user I get a New Password prompt. From there I can change
>>> the password and I get a ticket without an issue. After that I can login
>>> through the GUI without being asked for a new password.
>>>
>>> Has anyone seen this behaviour before?
>>
>> That's the expected behavior. When you set the user's password as an
>> admin, it sets the force a password change flag.
>
> Correct me if I'm wrong, but it's not expected to *not* be able to change
> the password on an IPA client after the initial setup, and be forced to use
> the IPA Server to re-set the password. Granted, the client is OSX.
>
> However, I personally have experienced the inability to change a new
> user's password on an IPA client, and only on the IPA Server.
> Unfortunately, I've been trying to reproduce this and I can not. I've tried
> on Fedora 19, and will try on RHEL next.
>
> Davis - Can you let me know your IPA Server and IPA Client versions? As
> well as the OS that the IPA Server is on? Also, out of curiosity, do you
> have directions on how you set up the client on Mac OSX?
>
> Thanks!
>
> Lynn Root
> @roguelynn
> Associate Software Engineer
Re: [Freeipa-users] Mountain Lion GUI Login
Hi Brian, Lynn,

As far as the Linux client, this is not my issue for now, I believe the Linux setup is quite straightforward and the password change at first login seems to work without an issue.

My main concern is on Mountain Lion 10.8.x. At this point I've managed to bind the OSX machine to the IPA server without any issue following this guide:
http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8

I also have all the automounts configured via LDAP using this:
https://ssl.apple.com/business/docs/Autofs.pdf on page 16.

My main issue right now seems to be at the GUI login. The applet shows up for password change but doesn't seem to do anything. When I press continue the applet comes back and this goes in a loop until I hit Cancel.

My IPA versions are as follows:

ipa-admintools.x86_64         3.0.0-26.el6_4.4
ipa-client.x86_64             3.0.0-26.el6_4.4
ipa-gothic-fonts.noarch       003.02-4.2.el6
ipa-mincho-fonts.noarch       003.02-3.1.el6
ipa-pgothic-fonts.noarch      003.02-4.1.el6
ipa-pmincho-fonts.noarch      003.02-3.1.el6
ipa-python.x86_64             3.0.0-26.el6_4.4
ipa-server.x86_64             3.0.0-26.el6_4.4
ipa-server-selinux.x86_64     3.0.0-26.el6_4.4
ipa-server-trust-ad.x86_64    3.0.0-26.el6_4.4

As mentioned in my first post, if I make the password change at the terminal prompt, I am then able to login without a password change prompt.

Not sure if I'll be able to get through this issue unless someone has already experienced this.

Davis

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104  Cell: +1 (514) 994-7360

On 2013-08-07, at 9:29, Brian Lee brian_l...@jabil.com wrote:

> Hi Lynn,
>
> I just checked this in my lab setup:
>
> - Set up a new user on the FreeIPA server as 'ipatest'.
> - Logged in to a Linux client configured for FreeIPA, it prompted me to change my password.
> - Successfully changed my password for ipatest. Verified this on another machine.
> - Furthermore, I reset the Password Policy min lifetime to 0 and typed passwd on one of the ipa clients while logged in as ipatest. This worked without issue.
>
> I also have FreeIPA set up in the lab with a domain trust to a 2008 R2 AD server, so I checked to see if the results would be the same.
>
> - Logged in to a FreeIPA client machine as the AD user.
> - Typed passwd, and successfully reset my password. Verified the change in Windows as well as another IPA client.
>
> All Linux systems in this test are running CentOS 6.4 x86_64
> FreeIPA server is running ipa-server-3.0.0-26.el6_4.4.x86_64
> FreeIPA clients are running ipa-client-3.0.0-26.el6_4.4.x86_64
> AD Server is running Windows 2008 R2
>
> This won't necessarily help with the OS X problem, but maybe it assists with how it's working on Linux.
>
> Thanks,
> Brian
>
> On Tue, Aug 6, 2013 at 8:25 PM, Lynn Root lr...@redhat.com wrote:
>
>> On Aug 6, 2013, at 4:14 PM, KodaK sako...@gmail.com wrote:
>>
>>> On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman davis.good...@digital-district.ca wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a FreeIPA server configured, managed to configure a Mountain Lion
>>>> Client for automounts and user logins.
>>>>
>>>> My issue is that whenever I first login with a user the New Password box
>>>> shows up and even if I try to change the password the box keeps
>>>> reappearing without any success.
>>>>
>>>> If I log onto the machine with the local admin user and try to get a
>>>> ticket for this user I get a New Password prompt. From there I can change
>>>> the password and I get a ticket without an issue. After that I can login
>>>> through the GUI without being asked for a new password.
>>>>
>>>> Has anyone seen this behaviour before?
>>>
>>> That's the expected behavior. When you set the user's password as an
>>> admin, it sets the force a password change flag.
>>
>> Correct me if I'm wrong, but it's not expected to *not* be able to change
>> the password on an IPA client after the initial setup, and be forced to use
>> the IPA Server to re-set the password. Granted, the client is OSX.
>>
>> However, I personally have experienced the inability to change a new
>> user's password on an IPA client, and only on the IPA Server.
>> Unfortunately, I've been trying to reproduce this and I can not. I've tried
>> on Fedora 19, and will try on RHEL next.
>>
>> Davis - Can you let me know your IPA Server and IPA Client versions? As
>> well as the OS that the IPA Server is on? Also, out of curiosity, do you
>> have directions on how you set up the client on Mac OSX?
>>
>> Thanks!
>>
>> Lynn Root
>> @roguelynn
>> Associate Software Engineer
Re: [Freeipa-users] Mountain Lion GUI Login
Davis Goodman wrote:

> Hi Brian, Lynn,
>
> As far as the Linux client, this is not my issue for now, I believe the
> Linux setup is quite straightforward and the password change at first
> login seems to work without an issue.
>
> My main concern is on Mountain Lion 10.8.x. At this point I've managed to
> bind the OSX machine to the IPA server without any issue following this
> guide:
> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>
> I also have all the automounts configured via LDAP using this:
> https://ssl.apple.com/business/docs/Autofs.pdf on page 16.
>
> My main issue right now seems to be at the GUI login. The applet shows up
> for password change but doesn't seem to do anything. When I press continue
> the applet comes back and this goes in a loop until I hit Cancel.
>
> My IPA versions are as follows:
>
> ipa-admintools.x86_64         3.0.0-26.el6_4.4
> ipa-client.x86_64             3.0.0-26.el6_4.4
> ipa-gothic-fonts.noarch       003.02-4.2.el6
> ipa-mincho-fonts.noarch       003.02-3.1.el6
> ipa-pgothic-fonts.noarch      003.02-4.1.el6
> ipa-pmincho-fonts.noarch      003.02-3.1.el6
> ipa-python.x86_64             3.0.0-26.el6_4.4
> ipa-server.x86_64             3.0.0-26.el6_4.4
> ipa-server-selinux.x86_64     3.0.0-26.el6_4.4
> ipa-server-trust-ad.x86_64    3.0.0-26.el6_4.4
>
> As mentioned in my first post, if I make the password change at the
> terminal prompt, I am then able to login without a password change prompt.
>
> Not sure if I'll be able to get through this issue unless someone has
> already experienced this.
>
> Davis

What browser are you using? Have you tried the GUI with a new user from a Linux client?

I'm thinking this is a browser issue rather than something with OSX, as the majority of the work is done on the server.

rob
Re: [Freeipa-users] Mountain Lion GUI Login
On 08/07/2013 10:27 AM, Davis Goodman wrote:

> When I mention GUI I'm talking about the Mac OSX Login screen, not through a browser.
>
> --
> Davis Goodman
> Directeur Informatique | IT Manager
> Digital-District http://www.digital-district.ca/
> 5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
> Tél: +1 (514) 360-3253 x104  Cell: +1 (514) 994-7360
>
> On 2013-08-07, at 10:07, Rob Crittenden rcrit...@redhat.com wrote:
>
>> Davis Goodman wrote:
>>
>>> Hi Brian, Lynn,
>>>
>>> As far as the Linux client, this is not my issue for now, I believe the
>>> Linux setup is quite straightforward and the password change at first
>>> login seems to work without an issue.
>>>
>>> My main concern is on Mountain Lion 10.8.x. At this point I've managed to
>>> bind the OSX machine to the IPA server without any issue following this
>>> guide:
>>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>>
>>> I also have all the automounts configured via LDAP using this:
>>> https://ssl.apple.com/business/docs/Autofs.pdf on page 16.
>>>
>>> My main issue right now seems to be at the GUI login. The applet shows up
>>> for password change but doesn't seem to do anything. When I press continue
>>> the applet comes back and this goes in a loop until I hit Cancel.
>>>
>>> My IPA versions are as follows:
>>>
>>> ipa-admintools.x86_64         3.0.0-26.el6_4.4
>>> ipa-client.x86_64             3.0.0-26.el6_4.4
>>> ipa-gothic-fonts.noarch       003.02-4.2.el6
>>> ipa-mincho-fonts.noarch       003.02-3.1.el6
>>> ipa-pgothic-fonts.noarch      003.02-4.1.el6
>>> ipa-pmincho-fonts.noarch      003.02-3.1.el6
>>> ipa-python.x86_64             3.0.0-26.el6_4.4
>>> ipa-server.x86_64             3.0.0-26.el6_4.4
>>> ipa-server-selinux.x86_64     3.0.0-26.el6_4.4
>>> ipa-server-trust-ad.x86_64    3.0.0-26.el6_4.4
>>>
>>> As mentioned in my first post, if I make the password change at the
>>> terminal prompt, I am then able to login without a password change prompt.
>>>
>>> Not sure if I'll be able to get through this issue unless someone has
>>> already experienced this.
>>>
>>> Davis
>>
>> What browser are you using? Have you tried the GUI with a new user from a
>> Linux client?
>>
>> I'm thinking this is a browser issue rather than something with OSX, as
>> the majority of the work is done on the server.
>>
>> rob

Not an expert on OSX. I wonder whether the UI prompt supports the password change workflow. Maybe it does but needs to be explicitly enabled? There should be some logs on the OSX that would indicate what is going on when the server responds with the password change prompt. I would suggest starting troubleshooting efforts there.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Mountain Lion GUI Login
This is basically the log when I attempt to change the password:

Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:fromRect:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug  7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context values set for testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Created principal: testuser2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done krb5_parse_name()
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got principal: testus...@dd.net
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got password
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done getpwnam()
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get forwardable TGT.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: krb5_sendto_context is called on main thread, its a blocking api
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get non-forwardable TGT.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 error
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup2
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup3
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 refuses you
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires updating.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to authenticate user testuser2 (error: 10).
Aug  7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App SecurityAgent cannot order in untagged windows before login.
Aug  7 16:59:43 mactestvm.mtl.dd.net SecurityAgent[271]: CGSOrderWindowList

Does this ring a bell?

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104  Cell: +1 (514) 994-7360

On 2013-08-07, at 15:41, Dmitri Pal d...@redhat.com wrote:

> On 08/07/2013 10:27 AM, Davis Goodman wrote:
>
>> When I mention GUI I'm talking about the Mac OSX Login screen, not through a browser.
>>
>> --
>> Davis Goodman
>> Directeur Informatique | IT Manager
>> 5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
>> Tél: +1 (514) 360-3253 x104  Cell: +1 (514) 994-7360
>>
>> On 2013-08-07, at 10:07, Rob Crittenden rcrit...@redhat.com wrote:
>>
>>> Davis Goodman wrote:
>>>
>>>> Hi Brian, Lynn,
>>>>
>>>> As far as the Linux client, this is not my issue for now, I believe the
>>>> Linux setup is quite straightforward and the password change at first
>>>> login seems to work without an issue.
>>>>
>>>> My main concern is on Mountain Lion 10.8.x. At this point I've managed to
>>>> bind the OSX machine
Re: [Freeipa-users] Mountain Lion GUI Login
On 08/07/2013 05:33 PM, Davis Goodman wrote:

> This is basically the log when I attempt to change the password:
>
> Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
> Aug  7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:fromRect:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
> Aug  7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context values set for testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Created principal: testuser2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done krb5_parse_name()
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got principal: testus...@dd.net
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got password
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done getpwnam()
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get forwardable TGT.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: krb5_sendto_context is called on main thread, its a blocking api
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get non-forwardable TGT.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 error
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup2
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup3
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 refuses you

This is where it should behave differently. It should treat this not as a failure but prompt for a password change when such an error is returned. I would check OSX forums on how to enable password change in the UI.

> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires updating.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
> Aug  7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to authenticate user testuser2 (error: 10).
> Aug  7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App SecurityAgent cannot order in untagged windows before login.
> Aug  7 16:59:43 mactestvm.mtl.dd.net SecurityAgent[271]: CGSOrderWindowList
>
> Does this ring a bell?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
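A small triage script for the authorizationhost log discussed in the thread, added here as an example and not part of any message: it groups lines by authorizationhost PID and separates the "Password has expired" case (the KDC accepted the password but requires a change, which is what the login screen should turn into a password-change prompt) from an ordinary failed preauthentication, even though both end in the same "Failed to authenticate user ... (error: 10)" line. The sample log, hostname, users and PIDs are constructed, modelled on the excerpt above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the authorizationhost excerpt in this thread.
# Hostname, users, PIDs and the "bob"/"alice" attempts are placeholders.
SAMPLE_LOG = """\
Aug  7 16:59:26 mactestvm.example.net SecurityAgent[271]: User info context values set for testuser2
Aug  7 16:59:26 mactestvm.example.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug  7 16:59:26 mactestvm.example.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
Aug  7 16:59:26 mactestvm.example.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get forwardable TGT.
Aug  7 16:59:26 mactestvm.example.net authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
Aug  7 16:59:26 mactestvm.example.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 refuses you
Aug  7 16:59:26 mactestvm.example.net authorizationhost[283]: in pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires updating.
Aug  7 16:59:26 mactestvm.example.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug  7 16:59:26 mactestvm.example.net authorizationhost[283]: Failed to authenticate user testuser2 (error: 10).
Aug  7 17:02:10 mactestvm.example.net authorizationhost[290]: in pam_sm_authenticate(): Got user: bob
Aug  7 17:02:10 mactestvm.example.net authorizationhost[290]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Preauthentication failed
Aug  7 17:02:10 mactestvm.example.net authorizationhost[290]: Failed to authenticate user bob (error: 10).
Aug  7 17:05:00 mactestvm.example.net authorizationhost[295]: in pam_sm_authenticate(): Got user: alice
Aug  7 17:05:00 mactestvm.example.net authorizationhost[295]: in pam_sm_authenticate(): Attempting to get forwardable TGT.
"""

# syslog-style prefix: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
USER_RE = re.compile(r"\bGot user: (\S+)")          # does not match "Got ruser:"
KRB5_ERR_RE = re.compile(r"Error krb5_get_init_creds_password\(\): (.+)")
FAIL_RE = re.compile(r"Failed to authenticate user (\S+) \(error: (\d+)\)")


@dataclass
class Attempt:
    """One login attempt, keyed by the authorizationhost PID that handled it."""
    pid: str
    user: Optional[str] = None
    krb5_error: Optional[str] = None   # text after krb5_get_init_creds_password()
    pam_error: Optional[int] = None    # numeric code from the final failure line


def parse_attempts(log_text: str) -> List[Attempt]:
    """Group authorizationhost lines by PID and pull out the fields that
    decide why the login screen rejected the user."""
    attempts: Dict[str, Attempt] = {}
    order: List[str] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "authorizationhost":
            continue                       # SecurityAgent etc. carry no verdict
        pid, msg = m.group("pid"), m.group("msg")
        att = attempts.get(pid)
        if att is None:
            att = attempts[pid] = Attempt(pid=pid)
            order.append(pid)
        um = USER_RE.search(msg)
        if um and att.user is None:
            att.user = um.group(1)
        km = KRB5_ERR_RE.search(msg)
        if km:
            att.krb5_error = km.group(1).strip()
        fm = FAIL_RE.search(msg)
        if fm:
            att.user = att.user or fm.group(1)
            att.pam_error = int(fm.group(2))
    return [attempts[p] for p in order]


def classify(att: Attempt) -> str:
    """expired-password: the KDC accepted the password but demands a change,
    so the fix is a working password-change flow, not a credential problem.
    auth-failure: any other terminal failure (wrong password, no such user, ...).
    incomplete: no terminal line seen (still running, or the log was cut)."""
    if att.pam_error is None:
        return "incomplete"
    if att.krb5_error == "Password has expired":
        return "expired-password"
    return "auth-failure"


def triage(log_text: str) -> List[dict]:
    """Return one summary record per attempt, in log order."""
    return [
        {"pid": a.pid, "user": a.user, "krb5_error": a.krb5_error,
         "pam_error": a.pam_error, "verdict": classify(a)}
        for a in parse_attempts(log_text)
    ]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"{rec['user']:>10} pid={rec['pid']} -> {rec['verdict']} ({rec['krb5_error']})")
```

Run it against /var/log/system.log (or the secure.log of the era) after reproducing the loop; an attempt that lands in "expired-password" confirms the KDC side is behaving and the gap is in the client's password-change handling.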
[Freeipa-users] Mountain Lion GUI Login
Hi,

I have a FreeIPA server configured, managed to configure a Mountain Lion Client for automounts and user logins.

My issue is that whenever I first login with a user the New Password box shows up and even if I try to change the password the box keeps reappearing without any success.

If I log onto the machine with the local admin user and try to get a ticket for this user I get a New Password prompt. From there I can change the password and I get a ticket without an issue. After that I can login through the GUI without being asked for a new password.

Has anyone seen this behaviour before?

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104  Cell: +1 (514) 994-7360
Re: [Freeipa-users] Mountain Lion GUI Login
On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman davis.good...@digital-district.ca wrote:

> Hi,
>
> I have a FreeIPA server configured, managed to configure a Mountain Lion
> Client for automounts and user logins.
>
> My issue is that whenever I first login with a user the New Password box
> shows up and even if I try to change the password the box keeps
> reappearing without any success.
>
> If I log onto the machine with the local admin user and try to get a
> ticket for this user I get a New Password prompt. From there I can change
> the password and I get a ticket without an issue. After that I can login
> through the GUI without being asked for a new password.
>
> Has anyone seen this behaviour before?

That's the expected behavior. When you set the user's password as an admin, it sets the force a password change flag.

I don't know anything about OSX, but there may be a way to configure the login GUI to deal with the password change correctly. Failing that, you can use a web based password change utility and let users do self service, or if you don't want that you can set up a special password administrator you can use so that when it sets passwords it doesn't force a change (bad idea.)

For setting up either, you need to do this:
http://www.freeipa.org/page/PasswordSynchronization
for the password change user.

This is the web based password change utility I chose to use, but there are others -- or you can roll your own:
http://ltb-project.org/wiki/documentation/self-service-password

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] Mountain Lion GUI Login
On Aug 6, 2013, at 4:14 PM, KodaK sako...@gmail.com wrote:

> On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman davis.good...@digital-district.ca wrote:
>
>> Hi,
>>
>> I have a FreeIPA server configured, managed to configure a Mountain Lion
>> Client for automounts and user logins.
>>
>> My issue is that whenever I first login with a user the New Password box
>> shows up and even if I try to change the password the box keeps
>> reappearing without any success.
>>
>> If I log onto the machine with the local admin user and try to get a
>> ticket for this user I get a New Password prompt. From there I can change
>> the password and I get a ticket without an issue. After that I can login
>> through the GUI without being asked for a new password.
>>
>> Has anyone seen this behaviour before?
>
> That's the expected behavior. When you set the user's password as an
> admin, it sets the force a password change flag.

Correct me if I'm wrong, but it's not expected to *not* be able to change the password on an IPA client after the initial setup, and be forced to use the IPA Server to re-set the password. Granted, the client is OSX.

However, I personally have experienced the inability to change a new user's password on an IPA client, and only on the IPA Server. Unfortunately, I've been trying to reproduce this and I can not. I've tried on Fedora 19, and will try on RHEL next.

Davis - Can you let me know your IPA Server and IPA Client versions? As well as the OS that the IPA Server is on? Also, out of curiosity, do you have directions on how you set up the client on Mac OSX?

Thanks!

Lynn Root
@roguelynn
Associate Software Engineer