Andy Singleton wrote:
Hello,
I am trying to install a rhel6 machine with the ipa-1.2.2 client.
Everything appears to work fine, with the exception of updating users'
passwords from the client.
From the user perspective, I get this:
Changing password for user andytest.
Kerberos 5 Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
From the local secure log, I see this:
Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change failed for [email protected]: Cannot contact any KDC for requested realm
There are no local or network firewalls between the client and the IPA
server, and every other piece of IPA functionality appears to work fine.
On the IPA server itself, I see this in krb5kdc:
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth type found: Success
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: [email protected] for kadmin/[email protected], Preauthentication failed
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
nsswitch.conf has the usual stuff:
passwd: files ldap
shadow: files ldap
group: files ldap
I’m not sure what else to check.
Andy

Is ipa_kpasswd running on the IPA server?
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users