https://bugzilla.redhat.com/show_bug.cgi?id=864493 (Red Hat Enterprise Linux 6)
Description of problem:
When new IPA users are added to the customer environment, they should be prompted to change their temporary password... but they are not prompted correctly. I am not 100% sure which component this should be against, so I went with a generic IPA (maybe krb5?).

Version-Release number of selected component (if applicable):
ipa-client-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
krb5-libs-1.9-33.el6_3.2.x86_64
krb5-workstation-1.9-33.el6_3.2.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
sssd-1.8.0-32.el6.x86_64
sssd-client-1.8.0-32.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add IPA user
2. Attempt to ssh into client
3. See that password is expired
4. Notice that there is no prompt to change

Actual results:
Not prompted to change password

Expected results:
Prompted to change password

Additional info:
This is an odd one, and it may be something with the environment, not sure. Here is the behavior the customer is seeing:

---
I stopped the IPA services on everything but node 1 (slpidml01). Now when I connect with jzhang (or jzhang1) I appear to get prompted correctly:

[jebalicki@mo0031472 ~]$ ssh jzhang@slpmeetl01.unix.magellanhealth.com
Password:
Password expired. Change your password now.
Current Password:

[jebalicki@mo0031472 ~]$ ssh jzhang1@slpmeetl01.unix.magellanhealth.com
Password:
Password expired. Change your password now.
Current Password:

However, with the newtestuser I created, I don't get the correct prompt:

[jebalicki@mo0031472 ~]$ ssh newusertest@slpmeetl01.unix.magellanhealth.com
Password:
Warning: Your password will expire in less than one hour.
Password:

This appears to be a combination of a replication issue and (possibly) corruption? I don't know.

Here's the info for all the users that I can dump from IPA:

[jebalicki@slpidml01 ~]$ ipa user-show --all jzhang
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  dn: uid=jzhang,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  User login: jzhang
  First name: Jibo
  Last name: Zhang
  Full name: Jibo Zhang
  Display name: Jibo Zhang
  Initials: JZ
  Home directory: /home/jzhang
  GECOS field: Jibo Zhang
  Login shell: /bin/sh
  Kerberos principal: jzhang@UNIX.MAGELLANHEALTH.COM
  UID: 1115600161
  GID: 1115600161
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Member of HBAC rule: DIG access
  Kerberos keys available: True
  ipauniqueid: 6a04565e-1174-11e2-9e03-005056b46fe5
  krbextradata: AAK2GHNQcm9vdC9hZG1pbkBVTklYLk1BR0VMTEFOSEVBTFRILkNPTQA=
  krblastpwdchange: 20121008181726Z
  krblastsuccessfulauth: 20121008200158Z
  krbpasswordexpiration: 20121008181726Z
  krbpwdpolicyreference: cn=global_policy,cn=UNIX.MAGELLANHEALTH.COM,cn=kerberos,dc=unix,dc=magellanhealth,dc=com
  mepmanagedentry: cn=jzhang,cn=groups,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry

[jebalicki@slpidml01 ~]$ ipa user-show --all jebalicki
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  dn: uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  User login: jebalicki
  First name: Jason
  Last name: Balicki
  Full name: Jason Balicki
  Display name: Jason Balicki
  Initials: JB
  Home directory: /home/jebalicki
  GECOS field: Jason Balicki
  Login shell: /bin/bash
  Kerberos principal: jebalicki@UNIX.MAGELLANHEALTH.COM
  UID: 1115600009
  GID: 1115600009
  Account disabled: False
  Password: True
  Member of groups: admins, ipausers, unixadmins, desktopusers
  Roles: helpdesk, user administrator, it specialist, it security specialist, security architect
  Member of Sudo rule: test rule, become-oracle, jason-test
  Indirect Member of Sudo rule: tds-web-restart, become-cdcadmin, become-datarepl, become-root, become-git, avaya-become-root, desktop-web
  Indirect Member of HBAC rule: tds-access, dba-access, admin access
  Kerberos keys available: True
  ipauniqueid: 6cde951a-79b2-11e1-9931-005056b46fe5
  krbextradata: AAK42nJQa2FkbWluZEBVTklYLk1BR0VMTEFOSEVBTFRILkNPTQA=
  krblastadminunlock: 20120330221408Z
  krblastfailedauth: 20121008184609Z
  krblastpwdchange: 20121008135256Z
  krblastsuccessfulauth: 20121008200642Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20121207135256Z
  krbpwdpolicyreference: cn=global_policy,cn=UNIX.MAGELLANHEALTH.COM,cn=kerberos,dc=unix,dc=magellanhealth,dc=com
  krbticketflags: 128
  mepmanagedentry: cn=jebalicki,cn=groups,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, mepOriginEntry

[jebalicki@slpidml01 ~]$ ipa user-show --all jzhang1
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  dn: uid=jzhang1,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  User login: jzhang1
  First name: Jibo
  Last name: Zhang
  Full name: Jibo Zhang
  Display name: Jibo Zhang
  Initials: JZ
  Home directory: /home/jzhang1
  GECOS field: Jibo Zhang
  Login shell: /bin/sh
  Kerberos principal: jzhang1@UNIX.MAGELLANHEALTH.COM
  UID: 1115600160
  GID: 1115600160
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Member of HBAC rule: DIG access
  Kerberos keys available: True
  ipauniqueid: 381def42-1174-11e2-8fd9-005056b46fe5
  krbextradata: AAJiGHNQcm9vdC9hZG1pbkBVTklYLk1BR0VMTEFOSEVBTFRILkNPTQA=
  krblastpwdchange: 20121008181602Z
  krblastsuccessfulauth: 20121008200411Z
  krbpasswordexpiration: 20121008181602Z
  krbpwdpolicyreference: cn=global_policy,cn=UNIX.MAGELLANHEALTH.COM,cn=kerberos,dc=unix,dc=magellanhealth,dc=com
  mepmanagedentry: cn=jzhang1,cn=groups,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry

[jebalicki@slpidml01 ~]$ ipa user-show --all newusertest
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  dn: uid=newusertest,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  User login: newusertest
  First name: newuser
  Last name: test
  Full name: newuser test
  Display name: newuser test
  Initials: nt
  Home directory: /home/newusertest
  GECOS field: newuser test
  Login shell: /bin/sh
  Kerberos principal: newusertest@UNIX.MAGELLANHEALTH.COM
  UID: 1115600162
  GID: 1115600162
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  ipauniqueid: d3aa0286-1177-11e2-8fd9-005056b46fe5
  krbextradata: AAJNMXNQcm9vdC9hZG1pbkBVTklYLk1BR0VMTEFOSEVBTFRILkNPTQA=
  krblastpwdchange: 20121008200221Z
  krblastsuccessfulauth: 20121008200231Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20121008200221Z
  krbpwdpolicyreference: cn=global_policy,cn=UNIX.MAGELLANHEALTH.COM,cn=kerberos,dc=unix,dc=magellanhealth,dc=com
  mepmanagedentry: cn=newusertest,cn=groups,cn=accounts,dc=unix,dc=magellanhealth,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
---

Let me try to explain what he means. "slpidml01" is the IPA master. He has 3 replicas in the environment I believe, but he shut those down for the test above. "jzhang1" is a user that was added to the environment prior to this issue. As you can see, "jzhang1" gets prompted properly for a password change. "newusertest" is a user that was added to the environment after the issue began and is not prompted properly for a password change. I will attach some sssd debug logs to the bz, but let me know what else you need.
The user is not being prompted to change the password because HBAC is denying the login.
Confirmed that this was a misconfigured HBAC rule, closing.
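The dumps above already show the distinguishing detail: jzhang and jzhang1 are listed under "Member of HBAC rule: DIG access", while newusertest is listed in no HBAC rule at all, so sshd refuses the login before pam_sss ever reaches the password-change prompt. The following triage script is an added example, not code from the report or from FreeIPA; it parses concatenated `ipa user-show --all` output (the sample below is constructed and abbreviated from the entries above) and flags accounts that must change their password but are members of no HBAC rule. It assumes the default `allow_all` rule is disabled, since that rule does not appear in per-user output; a flagged account should still be confirmed with `ipa hbactest`.

```python
from datetime import datetime, timezone

# Constructed sample, abbreviated from the `ipa user-show --all` dumps in the report.
SAMPLE_DUMP = """\
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
User login: jebalicki
Indirect Member of HBAC rule: tds-access, dba-access, admin access
krblastpwdchange: 20121008135256Z
krbpasswordexpiration: 20121207135256Z
User login: jzhang1
Member of HBAC rule: DIG access
krblastpwdchange: 20121008181602Z
krbpasswordexpiration: 20121008181602Z
User login: newusertest
krblastpwdchange: 20121008200221Z
krbpasswordexpiration: 20121008200221Z
"""
HBAC_KEYS = ("Member of HBAC rule", "Indirect Member of HBAC rule")

def parse_user_show(text):
    """Split concatenated `ipa user-show --all` output into one dict per entry."""
    users, current = [], None
    for line in text.splitlines():
        if line.startswith("ipa: ") or not line.strip():
            continue  # skip client INFO chatter and blank lines
        key, _, value = line.partition(":")
        if key == "User login":
            current = {}
            users.append(current)
        if current is not None:
            current[key.strip()] = value.strip()
    return users

def _ts(value):
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit(text, as_of):
    """Flag accounts that must change their password but sit in no HBAC rule;
    sshd rejects them before the change prompt (assumes allow_all is disabled)."""
    findings, now = {}, _ts(as_of)
    for u in parse_user_show(text):
        rules = [r.strip() for k in HBAC_KEYS for r in u.get(k, "").split(",") if r.strip()]
        expiry = _ts(u["krbpasswordexpiration"])
        # IPA sets expiration == last change for admin-set (temporary) passwords
        must_change = expiry <= _ts(u["krblastpwdchange"]) or expiry <= now
        findings[u["User login"]] = {"must_change": must_change, "hbac_rules": rules,
                                     "prompt_blocked": must_change and not rules}
    return findings
```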
Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)