#3173 Newly added IPA users are not getting prompted to change password properly when password is expired
Closed: Invalid None Opened 11 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=864493 (Red Hat Enterprise Linux 6)

Description of problem:
When new IPA users are added to customer environment, they should be prompted
to change their temporary password...but they are not prompted correctly. I am
not 100% sure which component this should be against, so I went with a generic
IPA (maybe krb5?).

Version-Release number of selected component (if applicable):
ipa-client-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
krb5-libs-1.9-33.el6_3.2.x86_64
krb5-workstation-1.9-33.el6_3.2.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
sssd-1.8.0-32.el6.x86_64
sssd-client-1.8.0-32.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add IPA user
2. Attempt to ssh into client
3. See that password is expired
4. Notice that there is no prompt to change

Actual results:
Not prompted to change password

Expected results:
Prompted to change password

Additional info:

This is an odd one, and it may be something with the environment, not sure.
Here is the behavior the customer is seeing:

---
I stopped the IPA services on everything but node 1 (slpidml01.)

Now when I connect with jzhang (or jzhang1) I appear to get prompted correctly:

[jebalicki@mo0031472 ~]$ ssh jzhang@slpmeetl01.unix.magellanhealth.com
Password:
Password expired. Change your password now.
Current Password:

[jebalicki@mo0031472 ~]$ ssh jzhang1@slpmeetl01.unix.magellanhealth.com
Password:
Password expired. Change your password now.
Current Password:

However, with the newtestuser I created, I don't get the correct prompt:

[jebalicki@mo0031472 ~]$ ssh newusertest@slpmeetl01.unix.magellanhealth.com
Password:
Warning: Your password will expire in less than one hour.

Password:

This appears to be a combination of a replication issue and (possibly)
corruption?  I don't know.

Here's the info for all the users that I can dump from IPA:

[jebalicki@slpidml01 ~]$ ipa user-show --all jzhang
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  dn: uid=jzhang,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  User login: jzhang
  First name: Jibo
  Last name: Zhang
  Full name: Jibo Zhang
  Display name: Jibo Zhang
  Initials: JZ
  Home directory: /home/jzhang
  GECOS field: Jibo Zhang
  Login shell: /bin/sh
  Kerberos principal: jzhang@UNIX.MAGELLANHEALTH.COM
  UID: 1115600161
  GID: 1115600161
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Member of HBAC rule: DIG access
  Kerberos keys available: True
  ipauniqueid: 6a04565e-1174-11e2-9e03-005056b46fe5
  krbextradata: AAK2GHNQcm9vdC9hZG1pbkBVTklYLk1BR0VMTEFOSEVBTFRILkNPTQA=
  krblastpwdchange: 20121008181726Z
  krblastsuccessfulauth: 20121008200158Z
  krbpasswordexpiration: 20121008181726Z
  krbpwdpolicyreference: cn=global_policy,cn=UNIX.MAGELLANHEALTH.COM,cn=kerberos,dc=unix,dc=magellanhealth,dc=com
  mepmanagedentry: cn=jzhang,cn=groups,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
[jebalicki@slpidml01 ~]$ ipa user-show --all jebalicki
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  dn: uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  User login: jebalicki
  First name: Jason
  Last name: Balicki
  Full name: Jason Balicki
  Display name: Jason Balicki
  Initials: JB
  Home directory: /home/jebalicki
  GECOS field: Jason Balicki
  Login shell: /bin/bash
  Kerberos principal: jebalicki@UNIX.MAGELLANHEALTH.COM
  UID: 1115600009
  GID: 1115600009
  Account disabled: False
  Password: True
  Member of groups: admins, ipausers, unixadmins, desktopusers
  Roles: helpdesk, user administrator, it specialist, it security specialist, security architect
  Member of Sudo rule: test rule, become-oracle, jason-test
  Indirect Member of Sudo rule: tds-web-restart, become-cdcadmin, become-datarepl, become-root, become-git, avaya-become-root, desktop-web
  Indirect Member of HBAC rule: tds-access, dba-access, admin access
  Kerberos keys available: True
  ipauniqueid: 6cde951a-79b2-11e1-9931-005056b46fe5
  krbextradata: AAK42nJQa2FkbWluZEBVTklYLk1BR0VMTEFOSEVBTFRILkNPTQA=
  krblastadminunlock: 20120330221408Z
  krblastfailedauth: 20121008184609Z
  krblastpwdchange: 20121008135256Z
  krblastsuccessfulauth: 20121008200642Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20121207135256Z
  krbpwdpolicyreference: cn=global_policy,cn=UNIX.MAGELLANHEALTH.COM,cn=kerberos,dc=unix,dc=magellanhealth,dc=com
  krbticketflags: 128
  mepmanagedentry: cn=jebalicki,cn=groups,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, mepOriginEntry
[jebalicki@slpidml01 ~]$ ipa user-show --all jzhang1
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  dn: uid=jzhang1,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  User login: jzhang1
  First name: Jibo
  Last name: Zhang
  Full name: Jibo Zhang
  Display name: Jibo Zhang
  Initials: JZ
  Home directory: /home/jzhang1
  GECOS field: Jibo Zhang
  Login shell: /bin/sh
  Kerberos principal: jzhang1@UNIX.MAGELLANHEALTH.COM
  UID: 1115600160
  GID: 1115600160
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Member of HBAC rule: DIG access
  Kerberos keys available: True
  ipauniqueid: 381def42-1174-11e2-8fd9-005056b46fe5
  krbextradata: AAJiGHNQcm9vdC9hZG1pbkBVTklYLk1BR0VMTEFOSEVBTFRILkNPTQA=
  krblastpwdchange: 20121008181602Z
  krblastsuccessfulauth: 20121008200411Z
  krbpasswordexpiration: 20121008181602Z
  krbpwdpolicyreference: cn=global_policy,cn=UNIX.MAGELLANHEALTH.COM,cn=kerberos,dc=unix,dc=magellanhealth,dc=com
  mepmanagedentry: cn=jzhang1,cn=groups,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
[jebalicki@slpidml01 ~]$ ipa user-show --all newusertest
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  dn: uid=newusertest,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  User login: newusertest
  First name: newuser
  Last name: test
  Full name: newuser test
  Display name: newuser test
  Initials: nt
  Home directory: /home/newusertest
  GECOS field: newuser test
  Login shell: /bin/sh
  Kerberos principal: newusertest@UNIX.MAGELLANHEALTH.COM
  UID: 1115600162
  GID: 1115600162
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  ipauniqueid: d3aa0286-1177-11e2-8fd9-005056b46fe5
  krbextradata: AAJNMXNQcm9vdC9hZG1pbkBVTklYLk1BR0VMTEFOSEVBTFRILkNPTQA=
  krblastpwdchange: 20121008200221Z
  krblastsuccessfulauth: 20121008200231Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20121008200221Z
  krbpwdpolicyreference: cn=global_policy,cn=UNIX.MAGELLANHEALTH.COM,cn=kerberos,dc=unix,dc=magellanhealth,dc=com
  mepmanagedentry: cn=newusertest,cn=groups,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
---

Let me try to explain what he means. "slpidml01" is the IPA master. He has 3
replicas in the environment I believe, but he shut those down for the test
above. "jzhang1" is a user that was added to the environment prior to this
issue. As you can see, "jzhang1" gets prompted properly for a password change.

"newusertest" is a user that was added to the environment after the issue began
and is not prompted properly for a password change.

I will attach some sssd debug logs to the bz, but let me know what else you
need.

The user is not being prompted to change the password because HBAC is denying the login.

Confirmed that this was a misconfigured HBAC rule, closing.
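The diagnosis above, as an added triage helper that is not part of the ticket or of FreeIPA: it reads concatenated `ipa user-show --all` output and separates users whose password is simply expired (the KDC will demand a change at login) from users who are expired and appear in no HBAC rule, which is the pattern newusertest shows in the dumps and which reads at the ssh prompt as a password problem. The sample data is constructed; per-user rule membership in user-show is only a hint (an enabled allow_all rule or a group-based rule is not listed per user), so `ipa hbactest --user=USER --host=HOST --service=sshd` remains the authoritative check.

```python
import re

# Constructed sample modelled on the user-show dumps above (real FreeIPA field
# names; users, DNs and timestamps are made up).
SAMPLE = """\
  dn: uid=user1,cn=users,cn=accounts,dc=example,dc=test
  User login: user1
  Member of HBAC rule: app access
  krbpasswordexpiration: 20121008181602Z
  dn: uid=user2,cn=users,cn=accounts,dc=example,dc=test
  User login: user2
  krbpasswordexpiration: 20121008200221Z
"""

def parse_user_show(text):
    """One dict per entry, each starting at its `dn:` line; unindented
    `ipa: INFO` lines and wrapped continuation lines have no key and are skipped."""
    users, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^ {2}(\S[^:]*): ?(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "dn":
            cur = {"hbac": []}
            users.append(cur)
        elif cur is None:
            continue
        elif key == "User login":
            cur["login"] = val
        elif key in ("Member of HBAC rule", "Indirect Member of HBAC rule"):
            cur["hbac"].extend(r.strip() for r in val.split(","))
        else:
            cur[key] = val
    return users

def triage(users, now):
    """login -> 'ok', 'expired' (KDC forces a change at login) or 'check-hbac'
    (expired and no HBAC rule lists the user: a login failure that looks like a
    password problem may be an HBAC denial). `now` uses the same
    YYYYmmddHHMMSSZ form as the krb attributes, so string comparison is exact."""
    verdict = {}
    for u in users:
        if u["krbpasswordexpiration"] > now:
            verdict[u["login"]] = "ok"
        elif u["hbac"]:
            verdict[u["login"]] = "expired"
        else:
            verdict[u["login"]] = "check-hbac"
    return verdict
```

Feed it the real dumps with `parse_user_show(open("user-show.txt").read())` and the time of the failed login as `now`; any "check-hbac" user is the one to run through `ipa hbactest` before blaming the password policy.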

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)

7 years ago
