IPA Problems


Hi. This morning I was asked to reset the user password of one of our IPA/LDAP user accounts.

After I reset the password I tried to log on to a particular ssh machine.

The system asked to change the password as expected.

I entered the new password and then re-entered the new password; after this the system answered with:

passwd: Authentication token manipulation error

So in order to test this situation I created a new account and I had the same problem with the new account.

I also tried to reset another user's password and I got the same problem.

It seems that I'm not able to reset anybody's user password.

Any ideas?

From the krb5kdc.log I get:

Nov 19 14:35:31 ldap.webdom.lifesci.ucla.edu krb5kdc[1610](info): AS_REQ (4 etypes {18 17 16 23}) 164.67.110.65: PREAUTH_FAILED: taccount@myserver.com for kadmin/changepw@myserver.com, Decrypt integrity check failed

From the /var/lib/dirsrv/slapd-server.com/errors file I get:

ipapwd_setPasswordHistory - [file ipapwd_common.c, line 926]: failed to generate new password history!
[19/Nov/2012:14:35:40 -0800] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=taccount,cn=users,cn=accounts,dc=myserver,dc=com".

Any idea on what's going on?

Thank you

Marcello

 

Responses

 

Hi

Hi Frank,

No, I'm not able to log on with the new password unfortunately.

Marcello

Just curious. Check your logs for a change in time sync. There was an issue with the navy.mil ntp servers today around 4:40 PM EST that caused a sync of clocks to change to the year 2000.

No, I don't see any issues with the time sync...

Marcello

I noticed a problem though: I tried to recreate another user and after changing the password this is what I see from the kerberos logs

Nov 19 16:43:00 ldap.webdom.lifesci.ucla.edu krb5kdc[1625](info): AS_REQ (4 etypes {18 17 16 23}) 164.67.110.86: ISSUE: authtime 1353372180, etypes {rep=18 tkt=18 ses=18}, leelab@myserver.com for kadmin/changepw@myserver.com
Nov 19 16:43:00 ldap.webdom.lifesci.ucla.edu krb5kdc[1625](info): AS_REQ (4 etypes {18 17 16 23}) 164.67.110.86: CLIENT KEY EXPIRED: leelab@myserver.com for krbtgt/myserver.com@myserver.com, Password has expired

I just created the user leelab; how can it be that the password is expired already?

Then I don't understand the line saying authtime 1353372180

Marcello

Actually I see something in the krb5kdc.log after I try to change the password

preauth (timestamp) verify failure: Decrypt integrity check failed

Marcello

Another thing I noticed is that every user I create from now on comes with password expiration:

krbpasswordexpiration = 19011216180532Z

This is why it is failing. How come the expiration date is set to this ancient date?
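
Added example, not part of the thread: the two timestamps quoted above, decoded in Python. It converts authtime 1353372180 to UTC and parses the krbpasswordexpiration value as LDAP GeneralizedTime; the check for a wrapped signed 32-bit counter is only a hypothesis about where a 1901 date can come from, which the thread does not confirm, and the function names are illustrative.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MIN = -2**31  # lowest value of a signed 32-bit seconds counter


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime in the YYYYmmddHHMMSSZ (UTC) form."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def from_epoch(seconds):
    """Epoch seconds to an aware UTC datetime (works for negative values)."""
    return EPOCH + timedelta(seconds=seconds)


def check_expiration(krb_expiration, authtime):
    """Compare a krbPasswordExpiration value with a KDC authtime."""
    expires = parse_generalized_time(krb_expiration)
    expires_epoch = int((expires - EPOCH).total_seconds())
    result = {
        "authtime_utc": from_epoch(authtime).isoformat(),
        "expires_epoch": expires_epoch,
        # The KDC reports "Password has expired" when this is true.
        "expired_at_authtime": expires_epoch <= authtime,
        "unwrapped_utc": None,
    }
    # Hypothesis: a date before 1970 but still inside the signed 32-bit
    # range may be a future time that wrapped; adding 2**32 undoes the wrap.
    if INT32_MIN <= expires_epoch < 0:
        result["unwrapped_utc"] = from_epoch(expires_epoch + 2**32).isoformat()
    return result


if __name__ == "__main__":
    # Values copied from the posts above.
    report = check_expiration("19011216180532Z", 1353372180)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the values in the thread, authtime decodes to 2012-11-20 00:43:00 UTC, which is the 16:43 local time of the log line, and the expiration is a negative epoch value that unwraps to a date in January 2038.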

 
