Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-13 Thread Rakesh Rajasekharan
Thanks, that worked. Users are now able to get the password changed without any
issues.

Will do a few more tests on this, but at this point it looks like that was the
issue.

~Rakesh

On Tue, Jan 13, 2015 at 1:52 PM, Sumit Bose wrote:

> On Tue, Jan 13, 2015 at 12:48:18PM +0530, Rakesh Rajasekharan wrote:
> > >>>Does it work for the same user from the client if you reset password on
> > the server, authenticate from the client and then force reset again on the
> > server?
> > When I force reset a user, he still faces the same error "token
> > manipulation" when he tries to login to a client. However, when he tries
> > getting into the server, he now gets prompted for the password change and
> > is successfully able to get through.
> >
> > So, at this point we have a workaround though something seems not right at
> > the clients.
> > >>>Can you add a new client and see whether it works there?
> >
> > >>Have you tried re-installing the client?
> > Yes, I did try reinstalling but that did not help
> >
> >
> > >>>Sorry, I meant the full krb5_child.log ...
> >
> > This is how I get the logs in krb5_child.
> >
> > when a user tries to authenticate with the random password that I
> > generated,
> >
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user hq-testuser.
> > Current Password:
> > New password:
> > Retype new password:
> > passwd: Authentication token manipulation erro
> >
> > And on the krb5_child.log, these are the entries
> >
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [unpack_buffer]
> > (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
> > [/etc/krb5.keytab]
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
> > [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME]
> > from environment.
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> > environment.
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [k5c_setup_fast]
> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > qa-dummy-int.test@test.com]
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [match_principal]
> > (0x1000): Principal matched to the sample (host/
> > qa-dummy-int.test@test.com).
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
> [check_fast_ccache]
> > (0x0200): FAST TGT is still valid.
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [main] (0x0400):
> > Will perform password change
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
> > (0x1000): Password change operation
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
> > (0x0400): Attempting kinit for realm [TEST.COM]
> >
> >
> > This does not go beyond this. However, when I attempt another login, the
> > logs start moving from this point (the timestamps start from 6:54 AM)
> >
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user hq-testuser.
> > Current Password:
> > New password:
> > Retype new password:
> > passwd: Authentication token manipulation erro
> >
> > now the krb5_child.log adds the following lines
> >
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [main] (0x0400):
> > krb5_child started.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
> > (0x1000): total buffer size: [134]TEST
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
> > (0x0100): cmd [241] uid [71061] gid [71061] validate [true]
> > enterprise principal [false] offline [false] UPN [hq-testu...@test.com]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
> > (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
> > [/etc/krb5.keytab]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
> > [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME]
> > from environment.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> > environment.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [k5c_setup_fast]
> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > qa-dummy-int.test@test.com]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [match_principal]
> > (0x1000): Principal matched to the sample (host/
> > qa-dummy-int.test@test.com).
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
> [check_fast_ccache]
> > (0x0200): FAST TGT is still valid.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-13 Thread Sumit Bose
On Tue, Jan 13, 2015 at 12:48:18PM +0530, Rakesh Rajasekharan wrote:
> >>>Does it work for the same user from the client  if you reset password on
> the server, authenticate from the client and then force reset again on the
> server?
> When I force reset a user, he still faces the same error "token
> manipulation" when he tries to login to a client. However, when he tries
> getting into the server, he now gets prompted for the password change and
> is successfully able to get through.
> 
> So, at this point we have a workaround though something seems not right at
> the clients.
> >>>Can you add a new client and see whether it works there?
> 
> >>Have you tried re-installing the client?
> Yes, I did try reinstalling but that did not help
> 
> 
> >>>Sorry, I meant the full krb5_child.log ...
> 
> This is how I get the logs in krb5_child.
> 
> when a user tries to authenticate with the random password that I generated,
> 
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user hq-testuser.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation erro
> 
> And on the krb5_child.log, these are the entries
> 
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
> [/etc/krb5.keytab]
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> qa-dummy-int.test@test.com]
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [match_principal]
> (0x1000): Principal matched to the sample (host/
> qa-dummy-int.test@test.com).
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [main] (0x0400):
> Will perform password change
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
> (0x1000): Password change operation
> (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
> (0x0400): Attempting kinit for realm [TEST.COM]
> 
> 
> This does not go beyond this. However, when I attempt another login, the
> logs start moving from this point (the timestamps start from 6:54 AM)
> 
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user hq-testuser.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation erro
> 
> now the krb5_child.log adds the following lines
> 
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [main] (0x0400):
> krb5_child started.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
> (0x1000): total buffer size: [134]TEST
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
> (0x0100): cmd [241] uid [71061] gid [71061] validate [true]
> enterprise principal [false] offline [false] UPN [hq-testu...@test.com]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
> [/etc/krb5.keytab]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> qa-dummy-int.test@test.com]
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [match_principal]
> (0x1000): Principal matched to the sample (host/
> qa-dummy-int.test@test.com).
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [main] (0x0400):
> Will perform online auth
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [TEST.COM]
> (Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514 [get_and_save_tgt]
> (0x0020): 981: [-1765328361][Password has expired]
> (Tue Jan 13 06:54:53 2015)

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-13 Thread Lukas Slebodnik
On (13/01/15 12:48), Rakesh Rajasekharan wrote:
>This is how I get the logs in krb5_child.
>
>when a user tries to authenticate with the random password that I generated,
>
>WARNING: Your password has expired.
>You must change your password now and login again!
>Changing password for user hq-testuser.
>Current Password:
>New password:
>Retype new password:
>passwd: Authentication token manipulation erro
>
>And on the krb5_child.log, these are the entries
>
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [unpack_buffer]
>(0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
>[/etc/krb5.keytab]
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
>[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
>from environment.
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
>[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
>environment.
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
>[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [k5c_setup_fast]
>(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
>qa-dummy-int.test@test.com]
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [match_principal]
>(0x1000): Principal matched to the sample (host/
>qa-dummy-int.test@test.com).
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [check_fast_ccache]
>(0x0200): FAST TGT is still valid.
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [main] (0x0400):
>Will perform password change
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
>(0x1000): Password change operation
>(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
>(0x0400): Attempting kinit for realm [TEST.COM]
>
I would expect at least the next line:
   "Received error code"

Are you sure there is no crash?
Could you look into /var/log/messages?

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
>>>Does it work for the same user from the client  if you reset password on
the server, authenticate from the client and then force reset again on the
server?
When I force reset a user, he still faces the same error "token
manipulation" when he tries to login to a client. However, when he tries
getting into the server, he now gets prompted for the password change and
is successfully able to get through.

So, at this point we have a workaround though something seems not right at
the clients.
>>>Can you add a new client and see whether it works there?

>>Have you tried re-installing the client?
Yes, I did try reinstalling but that did not help


>>>Sorry, I meant the full krb5_child.log ...

This is how I get the logs in krb5_child.

when a user tries to authenticate with the random password that I generated,

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation erro

And on the krb5_child.log, these are the entries

(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
[/etc/krb5.keytab]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
qa-dummy-int.test@test.com]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [match_principal]
(0x1000): Principal matched to the sample (host/
qa-dummy-int.test@test.com).
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [main] (0x0400):
Will perform password change
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
(0x1000): Password change operation
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child]
(0x0400): Attempting kinit for realm [TEST.COM]


This does not go beyond this. However, when I attempt another login, the
logs start moving from this point (the timestamps start from 6:54 AM)

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation erro

now the krb5_child.log adds the following lines

(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [main] (0x0400):
krb5_child started.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
(0x1000): total buffer size: [134]TEST
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
(0x0100): cmd [241] uid [71061] gid [71061] validate [true]
enterprise principal [false] offline [false] UPN [hq-testu...@test.com]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
[/etc/krb5.keytab]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
qa-dummy-int.test@test.com]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [match_principal]
(0x1000): Principal matched to the sample (host/
qa-dummy-int.test@test.com).
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [main] (0x0400):
Will perform online auth
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [tgt_req_child]
(0x1000): Attempting to get a TGT
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [get_and_save_tgt]
(0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514 [get_and_save_tgt]
(0x0020): 981: [-1765328361][Password has expired]
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514 [tgt_req_child]
(0x1000): Password was expired
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514 [k5c_send_data]
(0x0200): Received error code 1432158213
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514 [main] (0x0400):
krb5_child completed su

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Dmitri Pal

On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:

This is the full log,

Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User 
info message: Password expired. Change your password now.
Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for 
hq-testuser from 10.5.68.184 port 54048 ssh2
Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session 
opened for user hq-testuser by (uid=0)
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user 
"hq-testuser" does not exist in /etc/passwd
Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user 
"hq-testuser" does not exist in /etc/passwd
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password 
change failed for user hq-testuser: 22 (Authentication token lock busy)
Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 
10.5.68.184 : 11: disconnected by user
Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session 
closed for user hq-testuser



>> Does it happen for all users or only users that you migrated?
Yes, it happens for all. I created a new user (hq-testuser); it is a
fresh one that I created.


I found a workaround for this: users are able to successfully change
the password by connecting to the IPA master server.

So, it's only the IPA clients that have the issue.


Does it work for the same user from the client  if you reset password on 
the server, authenticate from the client and then force reset again on 
the server?


Can you add a new client and see whether it works there?
Have you tried re-installing the client?

Thanks,
Rakesh

On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek wrote:


On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
> under /var/log/secure.. have this error
> passwd: pam_sss(passwd:chauthtok): Password change failed for user
> hq-testuser: 22 (Authentication token lock busy)

It looks like the log was truncated, can you post more context?

Authentication token lock busy usually means the kadmin servers were
offline..



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Jakub Hrozek
On Mon, Jan 12, 2015 at 11:25:16PM +0530, Rakesh Rajasekharan wrote:
> This is the full log,

Sorry, I meant the full krb5_child.log ...



Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
This is the full log,

Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info
message: Password expired. Change your password now.
Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser
from 10.5.68.184 port 54048 ssh2
Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session
opened for user hq-testuser by (uid=0)
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user
"hq-testuser" does not exist in /etc/passwd
Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user
"hq-testuser" does not exist in /etc/passwd
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password
change failed for user hq-testuser: 22 (Authentication token lock busy)
Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184:
11: disconnected by user
Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session
closed for user hq-testuser


>> Does it happen for all users or only users that you migrated?
Yes, it happens for all. I created a new user (hq-testuser); it is a fresh one
that I created.

I found a workaround for this: users are able to successfully change the
password by connecting to the IPA master server.
So, it's only the IPA clients that have the issue.


Thanks,
Rakesh

On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek wrote:

> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
> > under /var/log/secure.. have this error
> > passwd: pam_sss(passwd:chauthtok): Password change failed for user
> > hq-testuser: 22 (Authentication token lock busy)
>
> It looks like the log was truncated, can you post more context?
>
> Authentication token lock busy usually means the kadmin servers were
> offline..
>
>

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Jakub Hrozek
On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
> under /var/log/secure.. have this error
> passwd: pam_sss(passwd:chauthtok): Password change failed for user
> hq-testuser: 22 (Authentication token lock busy)

It looks like the log was truncated, can you post more context?

Authentication token lock busy usually means the kadmin servers were
offline..

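Lukas expects a healthy krb5_child run to end with a "Received error code" line, and Jakub reads the 22 (Authentication token lock busy) in /var/log/secure as the kadmin servers being unreachable. The script below is an added example, not code from this thread or from SSSD/FreeIPA: it groups krb5_child.log entries by child PID in the layout pasted here, flags password-change runs that never reported a result, and decodes the PAM status number from the pam_sss chauthtok line. The sample log lines are constructed from the thread with one entry per line, and PAM_STATUS holds the Linux-PAM return codes (22 is PAM_AUTHTOK_LOCK_BUSY).

```python
import re

# krb5_child.log entry layout as pasted in the thread; the "[[sssd[krb5_child[PID"
# prefix lost its closing brackets in the mail, so trailing "]" are optional.
KRB5_CHILD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]*\s+"
    r"\[(?P<func>\w+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)

# pam_sss chauthtok failure as it appears in /var/log/secure.
PAM_SSS_RE = re.compile(
    r"pam_sss\(passwd:chauthtok\): Password change failed for user "
    r"(?P<user>[^:\s]+): (?P<status>\d+) \((?P<text>[^)]*)\)"
)

# Linux-PAM return codes in the chauthtok range; 22 is the one in the thread.
PAM_STATUS = {
    20: "PAM_AUTHTOK_ERR",
    21: "PAM_AUTHTOK_RECOVERY_ERR",
    22: "PAM_AUTHTOK_LOCK_BUSY",
    23: "PAM_AUTHTOK_DISABLE_AGING",
}


def parse_krb5_child(lines):
    """Group krb5_child.log entries by child PID, keeping log order."""
    runs = {}
    for line in lines:
        m = KRB5_CHILD_RE.match(line.strip())
        if not m:
            continue  # blank or wrapped continuation lines carry no new entry
        runs.setdefault(int(m["pid"]), []).append((m["func"], m["msg"]))
    return runs


def triage_krb5_child(lines):
    """Per child run: the operation it started, the error code it sent back
    to the backend (if any) and whether it logged completion at all."""
    summary = {}
    for pid, entries in parse_krb5_child(lines).items():
        info = {"operation": None, "error_code": None, "finished": False}
        for func, msg in entries:
            if func == "main" and msg.startswith("Will perform "):
                info["operation"] = msg[len("Will perform "):]
            elif func == "k5c_send_data":
                m = re.search(r"Received error code (\d+)", msg)
                if m:
                    info["error_code"] = int(m.group(1))
            elif func == "main" and msg.startswith("krb5_child completed"):
                info["finished"] = True
        summary[pid] = info
    return summary


def incomplete_password_changes(lines):
    """PIDs that started a password change but never reported a result:
    the gap Lukas points at, worth checking /var/log/messages for a crash."""
    return [
        pid for pid, info in triage_krb5_child(lines).items()
        if info["operation"] == "password change"
        and info["error_code"] is None and not info["finished"]
    ]


def parse_pam_chauthtok(line):
    """Return (user, PAM status, symbolic name) for a pam_sss chauthtok
    failure line, or None for any other line."""
    m = PAM_SSS_RE.search(line)
    if not m:
        return None
    status = int(m["status"])
    return m["user"], status, PAM_STATUS.get(status, "unknown")


# Constructed sample modelled on the two runs pasted in the thread, one entry
# per line (the mail client wrapped the originals).
SAMPLE_KRB5_CHILD = """\
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab: [/etc/krb5.keytab]
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [main] (0x0400): Will perform password change
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child] (0x1000): Password change operation
(Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004 [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [main] (0x0400): krb5_child started.
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [main] (0x0400): Will perform online auth
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514 [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514 [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514 [k5c_send_data] (0x0200): Received error code 1432158213
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514 [main] (0x0400): krb5_child completed successfully
""".splitlines()

SAMPLE_SECURE_LINE = (
    "Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password "
    "change failed for user hq-testuser: 22 (Authentication token lock busy)"
)

if __name__ == "__main__":
    for pid, info in triage_krb5_child(SAMPLE_KRB5_CHILD).items():
        print(pid, info)
    print("no result reported:", incomplete_password_changes(SAMPLE_KRB5_CHILD))
    print(parse_pam_chauthtok(SAMPLE_SECURE_LINE))
```

Point it at a real krb5_child.log by passing the file's lines; a password-change PID listed by incomplete_password_changes is the case Lukas describes, where the next place to look is /var/log/messages.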


Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Dmitri Pal

On 01/11/2015 04:01 AM, Rakesh Rajasekharan wrote:

Hi,

I am having some issues with freeipa. Whenever I change the password
for any user,
he is not able to change the password, and he gets the error
"authentication token manipulation error"


Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error


I was able to get this running on another environment; not sure what
went wrong here.


I have migrated my existing users from openldap.



Does it happen for all users or only users that you migrated?

Can you create a new user and set a password for him?
If it does not work I suspect either something is wrong with either 
krb5.conf or global password policy on the server.


If it works for new users but not for migrated ones then compare the 
entries of such users using ldap command and see what is different.

Thanks,
Rakesh

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
under /var/log/secure.. have this error
passwd: pam_sss(passwd:chauthtok): Password change failed for user
hq-testuser: 22 (Authentication token lock busy)

On Mon, Jan 12, 2015 at 3:25 PM, Rakesh Rajasekharan <
rakesh.rajasekha...@gmail.com> wrote:

> This is what I get now in the krb5_child.log after setting the
> debug_level
>
> Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
> [/etc/krb5.keytab]
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> qa-dummy-int.test@test.com)]
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [match_principal]
> (0x1000): Principal matched to the sample (host/
> qa-dummy-int.test@test.com).
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [main] (0x0400):
> Will perform password change
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [changepw_child]
> (0x1000): Password change operation
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [changepw_child]
> (0x0400): Attempting kinit for realm [TEST.COM]
>
>
>
> On Mon, Jan 12, 2015 at 2:31 PM, Lukas Slebodnik 
> wrote:
>
>> On (12/01/15 14:12), Rakesh Rajasekharan wrote:
>> >The sssd version is 1.11.6
>> >
>> >The password does not get changed, whatever password gets generated by
>> ipa
>> >user-mod --random stays valid even after attempting the change.
>> >
>> >krb5_child.log does not have any contents.
>> The logging in sssd is disabled by default. You need to increase the level of
>> verbosity.
>>
>> Put debug_level = 7 into the domain section and restart sssd.
>> It is also possible to change the debug level on the fly with the command line
>> utility
>> sss_debuglevel (part of package sssd-tools)
>>
>> LS
>>
>
>

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
This is what I get now in the krb5_child.log after setting the debug_level

Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab:
[/etc/krb5.keytab]
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
qa-dummy-int.test@test.com)]
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [match_principal]
(0x1000): Principal matched to the sample (host/
qa-dummy-int.test@test.com).
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [main] (0x0400):
Will perform password change
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [changepw_child]
(0x1000): Password change operation
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709 [changepw_child]
(0x0400): Attempting kinit for realm [TEST.COM]



On Mon, Jan 12, 2015 at 2:31 PM, Lukas Slebodnik 
wrote:

> On (12/01/15 14:12), Rakesh Rajasekharan wrote:
> >The sssd version is 1.11.6
> >
> >The password does not get changed, whatever password gets generated by ipa
> >user-mod --random stays valid even after attempting the change.
> >
> >krb5_child.log does not have any contents.
> The logging in sssd is disabled by default. You need to increase the level of
> verbosity.
>
> Put debug_level = 7 into the domain section and restart sssd.
> It is also possible to change the debug level on the fly with the command line
> utility
> sss_debuglevel (part of package sssd-tools)
>
> LS
>

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Lukas Slebodnik
On (12/01/15 14:12), Rakesh Rajasekharan wrote:
>The sssd version is 1.11.6
>
>The password does not get changed, whatever password gets generated by ipa
>user-mod --random stays valid even after attempting the change.
>
>krb5_child.log does not have any contents.
The logging in sssd is disabled by default. You need to increase the level of
verbosity.

Put debug_level = 7 into the domain section and restart sssd.
It is also possible to change the debug level on the fly with the command line utility
sss_debuglevel (part of package sssd-tools)

LS



Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-12 Thread Rakesh Rajasekharan
The sssd version is 1.11.6

The password does not get changed, whatever password gets generated by ipa
user-mod --random stays valid even after attempting the change.

krb5_child.log does not have any contents.

Thanks,
Rakesh

On Sun, Jan 11, 2015 at 9:01 PM, Jakub Hrozek wrote:

> On Sun, Jan 11, 2015 at 02:31:26PM +0530, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am having some issues with freeipa. Whenever I change the password for
> > any user,
> > he is not able to change the password, and he gets the error "authentication
> > token manipulation error"
> >
> > Changing password for user hq-testuser.
> > Current Password:
> > New password:
> > Retype new password:
> > passwd: Authentication token manipulation error
> >
> >
> > I was able to get this running on another environment; not sure what went
> > wrong here.
> >
> > I have migrated my existing users from openldap.
> >
> > Thanks,
> > Rakesh
>
> What is the sssd version?
>
> Is the password changed despite the error (you can test with kinit and
> either the new or the old password) ?
>
> Increasing sssd log verbosity and checking krb5_child.log might help,
> too.
>
>

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-11 Thread Jakub Hrozek
On Sun, Jan 11, 2015 at 02:31:26PM +0530, Rakesh Rajasekharan wrote:
> Hi,
> 
> I am having some issues with freeipa. Whenever I change the password for
> any user,
> he is not able to change the password, and he gets the error "authentication
> token manipulation error"
> 
> Changing password for user hq-testuser.
> Current Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
> 
> 
> I was able to get this running on another environment; not sure what went
> wrong here.
> 
> I have migrated my existing users from openldap.
> 
> Thanks,
> Rakesh

What is the sssd version?

Is the password changed despite the error (you can test with kinit and
either the new or the old password) ?

Increasing sssd log verbosity and checking krb5_child.log might help,
too.



[Freeipa-users] freeipa authentication token manipulation error

2015-01-11 Thread Rakesh Rajasekharan
Hi,

I am having some issues with freeipa. Whenever I change the password for
any user,
he is not able to change the password, and he gets the error "authentication
token manipulation error"

Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error


I was able to get this running on another environment; not sure what went
wrong here.

I have migrated my existing users from openldap.

Thanks,
Rakesh