The subject line here is slightly vague/misleading; I wasn't sure how to say
this in 20 words or less. I have a cluster where we have 6 "admin" users who
are the only humans logging into the FreeIPA web UI. When these users'
passwords expire or are manually reset, they are unable to change their
passwords, receiving the error "The password or username you entered is
incorrect" on the password reset page during login.
These users have OTP tokens and are set to "Password & OTP" as the login
method. We have also tested with OTP tokens disabled and with just "Password"
added to the login methods.
If we reset the password and then manually set "krbPasswordExpiration" to
some time in the future using ipa user-mod, users can log in and then change
their passwords from within the UI itself. It appears to be only the
change-password-on-login flow that is causing problems.
FreeIPA version: 4.12.2-14.el9.noarch
Snippet of httpd error log:
[Wed Jun 04 10:48:37.846536 2025] [wsgi:error] [pid 2246312:tid 2246543]
[remote some_ip_address_here:60648]
[Wed Jun 04 10:49:08.336028 2025] [wsgi:error] [pid 2246314:tid 2246540]
[remote some_ip_address_here:60651] ipa: INFO: WSGI change_password.__call__:
[Wed Jun 04 10:49:08.336201 2025] [wsgi:error] [pid 2246314:tid 2246540]
[remote some_ip_address_here:60651] ipa: INFO: WSGI change_password: start
password change of user 'admin-username'
[Wed Jun 04 10:49:08.434192 2025] [wsgi:error] [pid 2246314:tid 2246540]
[remote some_ip_address_here:60651] ipa: INFO: 200 Success: The old password or
username is not correct.
[Wed Jun 04 11:35:55.156892 2025] [wsgi:error] [pid 2246313:tid 2246537]
[remote some_ip_address_here:61518] ipa: INFO: 401 Unauthorized: kinit: Cannot
read password while getting initial credentials
[Wed Jun 04 11:35:55.156946 2025] [wsgi:error] [pid 2246313:tid 2246537]
[remote some_ip_address_here:61518]
[Wed Jun 04 11:36:26.803929 2025] [wsgi:error] [pid 2246311:tid 2246534]
[remote some_ip_address_here:61553] ipa: INFO: WSGI change_password.__call__:
[Wed Jun 04 11:36:26.804148 2025] [wsgi:error] [pid 2246311:tid 2246534]
[remote some_ip_address_here:61553] ipa: INFO: WSGI change_password: start
password change of user 'admin-username'
[Wed Jun 04 11:36:26.902851 2025] [wsgi:error] [pid 2246311:tid 2246534]
[remote some_ip_address_here:61553] ipa: INFO: 200 Success: The old password or
username is not correct.
[Wed Jun 04 11:37:17.224162 2025] [wsgi:error] [pid 2246314:tid 2246540]
[remote some_ip_address_here:61690] ipa: INFO: WSGI change_password.__call__:
[Wed Jun 04 11:37:17.224380 2025] [wsgi:error] [pid 2246314:tid 2246540]
[remote some_ip_address_here:61690] ipa: INFO: WSGI change_password: start
password change of user 'admin-username'
[Wed Jun 04 11:37:17.326511 2025] [wsgi:error] [pid 2246314:tid 2246540]
[remote some_ip_address_here:61690] ipa: INFO: 200 Success: The old password or
username is not correct.
[Wed Jun 04 11:39:04.879577 2025] [wsgi:error] [pid 2246311:tid 2246534]
[remote some_ip_address_here:62300] ipa: INFO: 401 Unauthorized: kinit: Cannot
read password while getting initial credentials
[Wed Jun 04 11:39:04.879628 2025] [wsgi:error] [pid 2246311:tid 2246534]
[remote some_ip_address_here:62300]
[Wed Jun 04 11:39:22.247446 2025] [wsgi:error] [pid 2246314:tid 2246540]
[remote some_ip_address_here:62300] ipa: INFO: WSGI change_password.__call__:
[Wed Jun 04 11:39:22.247637 2025] [wsgi:error] [pid 2246314:tid 2246540]
[remote some_ip_address_here:62300] ipa: INFO: WSGI change_password: start
password change of user 'admin-username'
[Wed Jun 04 11:39:22.341247 2025] [wsgi:error] [pid 2246314:tid 2246540]
[remote some_ip_address_here:62300] ipa: INFO: 200 Success: The old password or
username is not correct.
krb5kdc log snippet:
Jun 04 11:39:04 ipa-primary.ipa.domain.com krb5kdc[1301542](info): AS_REQ (4
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.15.201.129:
CLIENT KEY EXPIRED: [email protected] for
krbtgt/[email protected], Password has expired
Jun 04 11:39:04 ipa-primary.ipa.domain.com krb5kdc[1301542](info): AS_REQ (4
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.15.201.129:
NEEDED_PREAUTH: [email protected] for
kadmin/[email protected], Additional pre-authentication required
Jun 04 11:39:04 ipa-primary.ipa.domain.com krb5kdc[1301542](info): AS_REQ (4
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.15.201.129:
ISSUE: authtime 1749051544, etypes {rep=aes256-cts-hmac-sha384-192(20),
tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)},
[email protected] for kadmin/[email protected]
I can provide other redacted logs if needed.
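As a diagnostic aid for the symptom above (an added example, not code from the post or from the FreeIPA project): a small Python triage of the httpd error log that pairs each change_password attempt with the server's "old password or username is not correct" reply and counts kinit "Cannot read password" failures per client address. The embedded log lines are constructed from the record format quoted above; the address, ports and user names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the httpd error log quoted in the post.
# Address, ports and user names are placeholders, not real values.
SAMPLE_LOG = """\
[Wed Jun 04 11:35:55.156892 2025] [wsgi:error] [pid 2246313:tid 2246537] [remote 203.0.113.10:61518] ipa: INFO: 401 Unauthorized: kinit: Cannot read password while getting initial credentials
[Wed Jun 04 11:35:55.156946 2025] [wsgi:error] [pid 2246313:tid 2246537] [remote 203.0.113.10:61518]
[Wed Jun 04 11:36:26.803929 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote 203.0.113.10:61553] ipa: INFO: WSGI change_password.__call__:
[Wed Jun 04 11:36:26.804148 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote 203.0.113.10:61553] ipa: INFO: WSGI change_password: start password change of user 'admin-username'
[Wed Jun 04 11:36:26.902851 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote 203.0.113.10:61553] ipa: INFO: 200 Success: The old password or username is not correct.
[Wed Jun 04 11:40:00.000000 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote 203.0.113.10:61600] ipa: INFO: WSGI change_password: start password change of user 'other-user'
"""

# One httpd wsgi:error record; records without an "ipa: INFO:" payload are skipped.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"\[remote (?P<addr>[^\]]+)\] ipa: INFO: (?P<msg>.*)$"
)
START_RE = re.compile(r"change_password: start password change of user '(?P<user>[^']+)'")
OLD_PW_REJECTED = "The old password or username is not correct."
KINIT_FAIL = "kinit: Cannot read password"

def parse(text):
    """Return one dict (ts, pid, tid, addr, msg) per parseable record."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(events):
    """Per user: attempts vs. old-password rejections; kinit failures per client IP."""
    per_user = defaultdict(lambda: {"attempts": 0, "old_pw_rejected": 0})
    kinit_failures = defaultdict(int)  # kinit lines carry no username, so key by IP
    pending = {}  # remote ip:port -> user whose password change is in progress
    for ev in events:
        msg = ev["msg"]
        start = START_RE.search(msg)
        if start:
            per_user[start["user"]]["attempts"] += 1
            pending[ev["addr"]] = start["user"]
        elif OLD_PW_REJECTED in msg and ev["addr"] in pending:
            per_user[pending.pop(ev["addr"])]["old_pw_rejected"] += 1
        elif KINIT_FAIL in msg:
            kinit_failures[ev["addr"].rsplit(":", 1)[0]] += 1
    return dict(per_user), dict(kinit_failures)

def always_rejected(per_user):
    """Users whose every change-on-login attempt was rejected (the symptom in the post)."""
    return sorted(u for u, c in per_user.items()
                  if c["attempts"] and c["attempts"] == c["old_pw_rejected"])
```

Run it over a real /var/log/httpd/error_log to see whether only the affected admin accounts show up in always_rejected, which separates the change-on-login failure from ordinary mistyped passwords.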
FreeIPA-users mailing list -- [email protected]