Yes ipa_kpasswd is running. I have some additional information: kpasswd on the client does work, passwd does not.
This is fine, except when a user attempts to connect when they need a password reset - They get prompted to change it, but then the same error as before occurs.

Andy

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Tuesday, March 22, 2011 1:45 PM
To: Andy Singleton
Cc: [email protected]
Subject: Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

Andy Singleton wrote:
> Hello,
>
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users
> passwords from the client.
>
> From the user perspective, I get this:
>
> /Changing password for user andytest./
>
> /Kerberos 5 Password: /
>
> /New password: /
>
> /Retype new password: /
>
> /passwd: Authentication token manipulation error/
>
> From the local secure log, I see this:
>
> /Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd/
>
> /Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd/
>
> /Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for [email protected]: Cannot contact any KDC for
> requested realm/
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: [email protected] for
> kadmin/[email protected], Preauthentication failed
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: [email protected] for
> kadmin/[email protected], Additional pre-authentication required
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, [email protected] for
> kadmin/[email protected]
>
> nsswitch.conf has the usual stuff:
>
> /passwd: files ldap/
>
> /shadow: files ldap/
>
> /group: files ldap/
>
> I'm not sure what else to check.
>
> Andy

Is ipa_kpasswd running on the IPA server?

rob

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
