>>> Does it work for the same user from the client if you reset password on the server, authenticate from the client and then force reset again on the server?

When I force reset a user, he still faces the same error "token manipulation" when he tries to log in to a client. However, when he tries getting into the server, he now gets prompted for the password change and is successfully able to get through.
So, at this point we have a workaround, though something seems not right at the clients.

>>> Can you add a new client and see whether it works there?
>> Have you tried re-installing the client?

Yes, I did try reinstalling, but that did not help.

>>> Sorry, I meant the full krb5_child.log ...

This is how I get the logs in krb5_child. When a user tries to authenticate with the random password that I generated:

    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user hq-testuser.
    Current Password:
    New password:
    Retype new password:
    passwd: Authentication token manipulation error

And in the krb5_child.log, these are the entries:

    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ [email protected]]
    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [match_principal] (0x1000): Principal matched to the sample (host/ [email protected]).
    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400): Will perform password change
    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x1000): Password change operation
    (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]

This does not go beyond this. However, when I attempt another login, the logs start moving from this point (the timestamps start from 6:54 AM):

    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user hq-testuser.
    Current Password:
    New password:
    Retype new password:
    passwd: Authentication token manipulation error

Now the krb5_child.log adds the following lines:

    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child started.
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x1000): total buffer size: [134]TEST
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): cmd [241] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ [email protected]]
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [match_principal] (0x1000): Principal matched to the sample (host/ [email protected]).
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): Will perform online auth
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
    (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
    (Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
    (Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child] (0x1000): Password was expired
    (Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [k5c_send_data] (0x0200): Received error code 1432158213
    (Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child completed successfully
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x1000): total buffer size: [134]
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): cmd [247] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ [email protected]]
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [match_principal] (0x1000): Principal matched to the sample (host/ [email protected]).
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): Will perform password change checks
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Password change operation
    (Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
    (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
    (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data] (0x0200): Received error code 0
    (Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): krb5_child started.
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x1000): total buffer size: [153]
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): cmd [246] uid [710600001] gid [710600001] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_710600001_XXXXXX] keytab: [/etc/krb5.keytab]
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ [email protected]]
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [match_principal] (0x1000): Principal matched to the sample (host/ [email protected]).
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): Will perform password change
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x1000): Password change operation
    (Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]

And again the last line is "Attempting kinit for realm".

Thanks,
Rakesh

On Tue, Jan 13, 2015 at 1:05 AM, Dmitri Pal <[email protected]> wrote:
> On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:
>
> This is the full log,
>
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
> Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser from 10.5.68.184 port 54048 ssh2
> Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session opened for user hq-testuser by (uid=0)
> Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user "hq-testuser" does not exist in /etc/passwd
> Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
> Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184: 11: disconnected by user
> Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session closed for user hq-testuser
>
>>> Does it happen for all users or only users that you migrated?
> Yes, it happens for all. I created a new user (hq-testuser); it is a fresh one that I created.
>
> I found a workaround for this: users are able to successfully change the password by connecting to the IPA master server.
> So, it's only the IPA clients that have the issue.
>
> Does it work for the same user from the client if you reset password on the server, authenticate from the client and then force reset again on the server?
>
> Can you add a new client and see whether it works there?
> Have you tried re-installing the client?
>
> Thanks,
> Rakesh
>
> On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek <[email protected]> wrote:
>
>> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
>> > under /var/log/secure.. have this error
>> > passwd: pam_sss(passwd:chauthtok): Password change failed for user
>> > hq-testuser: 22 (Authentication token lock busy)
>>
>> It looks like the log was truncated, can you post more context?
>>
>> Authentication token lock busy usually means the kadmin servers were offline..
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
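The krb5_child.log excerpts in this thread show password-change runs that stop at "Attempting kinit for realm", while the one run that reaches "Initial authentication for change password operation successful." goes on to "krb5_child completed successfully". As an added triage example (not code from the thread or from SSSD), this Python script groups krb5_child.log lines by child PID and flags runs that stalled at the kinit step; the sample log is constructed from the lines quoted above.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the krb5_child.log lines quoted in the thread
# (three child runs: expired-password auth, a completed change, a stalled change).
SAMPLE_LOG = """\
(Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): Will perform online auth
(Tue Jan 13 06:54:53 2015) [[sssd[krb5_child[23514]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
(Tue Jan 13 06:54:56 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): Will perform password change checks
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): Will perform password change
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
"""

# One krb5_child.log line: "(timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)

def triage_krb5_child(log_text):
    """Group log lines by krb5_child PID; return pid -> {"op", "status", "last", "notes"}."""
    runs = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a krb5_child entry
        pid, func, msg = m.group("pid"), m.group("func"), m.group("msg")
        run = runs.setdefault(pid, {"op": None, "status": "running", "last": None, "notes": []})
        run["last"] = f"[{func}] {msg}"
        if msg.startswith("Will perform "):
            run["op"] = msg[len("Will perform "):]
        elif "[Password has expired]" in msg:
            run["notes"].append("password expired")
        elif msg.endswith("operation successful."):
            run["notes"].append("changepw kinit ok")
        elif msg == "krb5_child completed successfully":
            run["status"] = "completed"
    # A change run whose final line is still the kinit attempt never got an answer
    # back from the KDC/kpasswd side: that is the stall the thread's logs show.
    for run in runs.values():
        if run["status"] != "completed" and run["last"].startswith("[changepw_child] Attempting kinit"):
            run["status"] = "stalled at changepw kinit"
    return runs
```

Run it against a real krb5_child.log (with debug_level high enough to emit the 0x0400 lines) and look for runs reported as stalled; a stall with no KDC reply is consistent with the "Authentication token lock busy" symptom Jakub associates with unreachable kadmin servers.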
