#4696 If OTP is activated by default users can't set their password when they are expired (or at the begining)
Closed: Invalid None Opened 9 years ago by ctria.

If the following config option is set:

Default user authentication types: otp

then when new users are created and asked to set their password (or when their passwords expire in general) they are not able to set a new one. First they are asked for a combination of password and tokencode (normal OTP authentication) and then whatever is specified for new password is not accepted.


Can you provide steps to reproduce? This workflow works for me:

# ipa user-add foo --user-auth-type=otp
...

# ipa passwd foo
...

# ipa otptoken-add --owner=foo --qrcode
...

# kinit -T $CCACHE foo
Enter OTP Token Value: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
Enter OTP Token Value:
# ipa user-add rep4696 --first=user --last=name
...
# ipa otptoken-add --owner=rep4696 --qrcode
...
# ipa passwd rep4696
...
# ssh rep4696@localhost
rep4696@localhost's password: 
Password expired. Change your password now.
Creating home directory for rep4696.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user rep4696.
Current Password:    <-- Here I use current password + otp
New password:        <-- Here I use a new password (without otp)
Retype new password: <-- Here I use the same password as previously (without otp)
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
Connection to localhost closed.

I did the same test with password+otp when prompt for new password.

Did you re-use the OTP for "Current Password"?

No, reusing for current password has the following result:

# ssh rep4696@localhost
rep4696@localhost's password: 
Password expired. Change your password now.
Last login: Wed Nov  5 16:14:03 2014 from ::1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user rep4696.
Current Password: 
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
Connection to localhost closed.

i.e. fails before asking for new password.

I was able to reproduce it. I think it is related to this: https://fedorahosted.org/sssd/ticket/2287

After a debugging session, I determined that this appears to be a new issue with SSSD. I have opened a ticket there: https://fedorahosted.org/sssd/ticket/2484

Metadata Update from @ctria:
- Issue assigned to npmccallum
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Log in to comment on this ticket.

Metadata