This is basically the log when I attempt to change the password:

Aug 7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug 7 16:59:19 mactestvm.mtl.dd.net SecurityAgent[271]: *** WARNING: -[NSImage compositeToPoint:fromRect:operation:fraction:] is deprecated in MacOSX 10.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction:] instead.
Aug 7 16:59:26 mactestvm.mtl.dd.net SecurityAgent[271]: User info context values set for testuser2
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: testuser2
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got user: testuser2
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got ruser: (null)
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got service: authorization
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Context initialised
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Created principal: testuser2
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done krb5_parse_name()
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got principal: [email protected]
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Got password
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done getpwnam()
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get forwardable TGT.
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: krb5_sendto_context is called on main thread, its a blocking api
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Attempting to get non-forwardable TGT.
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 error
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Error krb5_get_init_creds_password(): Password has expired
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup2
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Done cleanup3
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): Kerberos 5 refuses you
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_authenticate(): OpenDirectory - The authtok is expired or requires updating.
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: in pam_sm_acct_mgmt(): OpenDirectory - Password expired.
Aug 7 16:59:26 mactestvm.mtl.dd.net authorizationhost[283]: Failed to authenticate user <testuser2> (error: 10).
Aug 7 16:59:43 mactestvm.mtl.dd.net WindowServer[97]: 3891612: App SecurityAgent cannot order in untagged windows before login.
Aug 7 16:59:43 mactestvm.mtl.dd.net SecurityAgent[271]: CGSOrderWindowList

Does this ring a bell?

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104 Cell: +1 (514) 994-7360

On 2013-08-07, at 15:41 , Dmitri Pal <[email protected]> wrote:

> On 08/07/2013 10:27 AM, Davis Goodman wrote:
>> When I mention GUI I'm talking about the Mac OSX Login screen not through a
>> browser
>>
>> On 2013-08-07, at 10:07 , Rob Crittenden <[email protected]> wrote:
>>
>>> Davis Goodman wrote:
>>>> Hi Brian, Lynn,
>>>>
>>>> As far as Linux client, this is not my issue for now, I believe the Linux
>>>> setup is quite straightforward and the password change at first login
>>>> seems to work without an issue.
>>>>
>>>> My main concern is on Mountain Lion 10.8.x,
>>>>
>>>> At this point I've managed to bind the OSX machine to the IPA server
>>>> without any issue following this guide:
>>>>
>>>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>>>
>>>> I also have all the automounts configured via LDAP using this:
>>>> https://ssl.apple.com/business/docs/Autofs.pdf on page 16.
>>>>
>>>> My main issue right now seems to be at the GUI login. The applet shows up
>>>> for password change but doesn't seem to do anything. When I press continue
>>>> the applet comes back and this goes in a loop until I hit "Cancel".
>>>>
>>>> My IPA versions are as follows:
>>>> ipa-admintools.x86_64        3.0.0-26.el6_4.4
>>>> ipa-client.x86_64            3.0.0-26.el6_4.4
>>>> ipa-gothic-fonts.noarch      003.02-4.2.el6
>>>> ipa-mincho-fonts.noarch      003.02-3.1.el6
>>>> ipa-pgothic-fonts.noarch     003.02-4.1.el6
>>>> ipa-pmincho-fonts.noarch     003.02-3.1.el6
>>>> ipa-python.x86_64            3.0.0-26.el6_4.4
>>>> ipa-server.x86_64            3.0.0-26.el6_4.4
>>>> ipa-server-selinux.x86_64    3.0.0-26.el6_4.4
>>>> ipa-server-trust-ad.x86_64   3.0.0-26.el6_4.4
>>>>
>>>> As mentioned in my first post, if I make the password change at the
>>>> terminal prompt, I am then able to login without a password change prompt.
>>>>
>>>> Not sure if I'll be able to go through this issue unless someone has
>>>> already experienced this.
>>>>
>>>> Davis
>>>
>>> What browser are you using?
>>>
>>> Have you tried the GUI with a new user from a Linux client?
>>>
>>> I'm thinking this is a browser issue rather than something with OSX as the
>>> majority of the work is done on the server.
>>>
>>> rob
>
> Not an expert on OSX.
> I wonder whether the UI prompt supports password change workflow. Maybe it
> does but needs to be explicitly enabled?
> There should be some logs on the OSX that would indicate what is going on
> when the server responds with the password change prompt.
> I would suggest starting troubleshooting efforts there.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
