https://bugzilla.redhat.com/show_bug.cgi?id=822350 (Red Hat Enterprise Linux 6)
Description of problem:
When a user is migrated from a remote LDAP, he needs to migrate his password on the IPA-hosted page at https://IPA.DOMAIN/ipa/migration/. However, when I migrated the user and then his password on the page, I could not kinit as that user because IPA kept rejecting the new password. When I tried the same password change with a password reset by admin, it worked:

# ipa migrate-ds ldap://vm-074.idm.lab.bos.redhat.com --with-compat --schema RFC2307 --user-container ou=People --group-container ou=users,ou=Groups
Password:
-----------
migrate-ds:
-----------
Migrated:
  user: tu, tu1, tu2, tu3
  group: tu, tu1, tu2, tu3
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

>>> Now, "tu" password was migrated on given page

# kinit tu
Password for tu@IDM.LAB.BOS.REDHAT.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
Password change rejected. Please try again.
Enter new password:
Enter it again:
Password change rejected. Please try again.
Enter new password:
kinit: Password read interrupted while getting initial credentials

# kinit admin
Password for admin@IDM.LAB.BOS.REDHAT.COM:
# ipa passwd tu
New Password:
Enter New Password again to verify:
------------------------------------------------
Changed password for "tu@IDM.LAB.BOS.REDHAT.COM"
------------------------------------------------
# kinit tu
Password for tu@IDM.LAB.BOS.REDHAT.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:

>>> Password change succeeded

krb5kdc log:
...
May 17 02:26:53 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: CLIENT KEY EXPIRED: tu@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Password has expired
May 17 02:26:53 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: NEEDED_PREAUTH: tu@IDM.LAB.BOS.REDHAT.COM for kadmin/changepw@IDM.LAB.BOS.REDHAT.COM, Additional pre-authentication required
May 17 02:26:56 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: ISSUE: authtime 1337236016, etypes {rep=18 tkt=18 ses=18}, tu@IDM.LAB.BOS.REDHAT.COM for kadmin/changepw@IDM.LAB.BOS.REDHAT.COM
May 17 02:27:44 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: NEEDED_PREAUTH: admin@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Additional pre-authentication required
May 17 02:27:45 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: ISSUE: authtime 1337236065, etypes {rep=18 tkt=18 ses=18}, admin@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
May 17 02:29:08 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: ISSUE: authtime 1337236065, etypes {rep=18 tkt=18 ses=18}, admin@IDM.LAB.BOS.REDHAT.COM for HTTP/vm-034.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
May 17 02:29:08 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: ISSUE: authtime 1337236065, etypes {rep=18 tkt=18 ses=18}, HTTP/vm-034.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM for ldap/vm-034.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
May 17 02:29:08 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): ... CONSTRAINED-DELEGATION s4u-client=admin@IDM.LAB.BOS.REDHAT.COM
May 17 02:29:19 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: CLIENT KEY EXPIRED: tu@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Password has expired
May 17 02:29:19 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: NEEDED_PREAUTH: tu@IDM.LAB.BOS.REDHAT.COM for kadmin/changepw@IDM.LAB.BOS.REDHAT.COM, Additional pre-authentication required
May 17 02:29:21 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: ISSUE: authtime 1337236161, etypes {rep=18 tkt=18 ses=18}, tu@IDM.LAB.BOS.REDHAT.COM for kadmin/changepw@IDM.LAB.BOS.REDHAT.COM
May 17 02:29:27 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: NEEDED_PREAUTH: tu@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Additional pre-authentication required
May 17 02:29:27 vm-034.idm.lab.bos.redhat.com krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.34: ISSUE: authtime 1337236167, etypes {rep=18 tkt=18 ses=18}, tu@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-13.el6.x86_64

How reproducible:

Steps to Reproduce:
1. Install IPA server
2. Enable migration and migrate users from remote LDAP
3. Migrate user password on https://$IPAHOSTNAME/ipa/migration/
4. Try to kinit as user

Actual results:
Password change is prompted, but password is rejected

Expected results:
Password change is prompted, new password is accepted
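The krb5kdc log quoted above shows the pattern an administrator can look for when migrated users report this symptom: an AS_REQ for krbtgt answered with CLIENT KEY EXPIRED, a ticket issued for kadmin/changepw (the kinit-driven password change), and then either a krbtgt ISSUE for the same principal (the change was accepted) or the same principal coming back with CLIENT KEY EXPIRED again (the change was rejected). The script below is an added example, not code from the bug report or from FreeIPA; it parses AS_REQ lines in that format and flags changepw tickets that were never followed by a successful TGT. The log sample, realm EXAMPLE.TEST, host and IP are constructed, and the "stalled" rule is an assumption of this example, not an IPA definition.

```python
import re
from collections import defaultdict

# Constructed sample in the krb5kdc(8) log format quoted in the bug report.
# The first kadmin/changepw ticket for "tu" is followed by another CLIENT KEY
# EXPIRED for the same principal (the new password was rejected); the second one
# is followed by a krbtgt ISSUE (the change succeeded after the admin reset).
SAMPLE_LOG = """\
May 17 02:26:53 kdc.example.test krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT KEY EXPIRED: tu@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired
May 17 02:26:53 kdc.example.test krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: tu@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Additional pre-authentication required
May 17 02:26:56 kdc.example.test krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1337236016, etypes {rep=18 tkt=18 ses=18}, tu@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST
May 17 02:27:45 kdc.example.test krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1337236065, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 17 02:29:19 kdc.example.test krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT KEY EXPIRED: tu@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired
May 17 02:29:21 kdc.example.test krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1337236161, etypes {rep=18 tkt=18 ses=18}, tu@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST
May 17 02:29:27 kdc.example.test krb5kdc[4738](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1337236167, etypes {rep=18 tkt=18 ses=18}, tu@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# Matches only AS_REQ records; TGS_REQ and other lines are deliberately ignored.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ krb5kdc\[\d+\]\(info\): AS_REQ "
    r"\([^)]*\) (?P<ip>\S+): (?P<status>[A-Z_ ]+?): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"          # present on ISSUE lines only
    r"(?P<client>\S+) for (?P<server>\S+?)(?:,.*)?$"   # trailing ", reason" is optional
)


def parse_as_req(line):
    """Return the fields of one AS_REQ log line as a dict, or None for any other line."""
    m = AS_REQ_RE.match(line)
    return m.groupdict() if m else None


def find_stalled_password_changes(log_text):
    """Map client principal -> timestamps of kadmin/changepw tickets that were
    not followed by a krbtgt ISSUE for that client (assumed rule: the change
    was rejected, or the log ended before the user ever logged in)."""
    pending = defaultdict(list)   # changepw tickets awaiting a later TGT
    stalled = defaultdict(list)
    for event in filter(None, map(parse_as_req, log_text.splitlines())):
        client = event["client"]
        service = event["server"].split("@", 1)[0]
        if event["status"] == "CLIENT KEY EXPIRED":
            # The user is back with an expired key: any earlier change attempt failed.
            stalled[client].extend(pending.pop(client, []))
        elif event["status"] == "ISSUE" and service == "kadmin/changepw":
            pending[client].append(event["ts"])
        elif event["status"] == "ISSUE" and service.startswith("krbtgt/"):
            # A TGT after a change attempt means the new password was accepted.
            pending.pop(client, None)
    for client, stamps in pending.items():   # never confirmed before the log ended
        stalled[client].extend(stamps)
    return dict(stalled)


if __name__ == "__main__":
    for client, stamps in find_stalled_password_changes(SAMPLE_LOG).items():
        print(f"{client}: password change attempted but not accepted at {', '.join(stamps)}")
```

The KDC only records that a ticket for kadmin/changepw was issued; the change request itself goes to the password-change service on port 464, so the reason a new password was rejected has to be read from that service's log, not from krb5kdc.log. Run it against a real file with `find_stalled_password_changes(open("/var/log/krb5kdc.log").read())`.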
master: 46c6ff6
ipa-2-2: f883b25
Metadata Update from @mkosek:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/05