If the following config option is set:

Default user authentication types: otp

then when new users are created and asked to set their password (or when their passwords expire in general), they are not able to set a new one. First they are asked for a combination of password and tokencode (normal OTP authentication), and then whatever is specified for the new password is not accepted.
Can you provide steps to reproduce? This workflow works for me:
# ipa user-add foo --user-auth-type=otp
...
# ipa passwd foo
...
# ipa otptoken-add --owner=foo --qrcode
...
# kinit -T $CCACHE foo
Enter OTP Token Value:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Enter OTP Token Value:
# ipa user-add rep4696 --first=user --last=name
...
# ipa otptoken-add --owner=rep4696 --qrcode
...
# ipa passwd rep4696
...
# ssh rep4696@localhost
rep4696@localhost's password:
Password expired. Change your password now.
Creating home directory for rep4696.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user rep4696.
Current Password:          <-- Here I use current password + otp
New password:              <-- Here I use a new password (without otp)
Retype new password:       <-- Here I use the same password as previously (without otp)
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
Connection to localhost closed.

I did the same test with password+otp when prompted for the new password.
Did you re-use the OTP for "Current Password"?
No, reusing it for the current password has the following result:

# ssh rep4696@localhost
rep4696@localhost's password:
Password expired. Change your password now.
Last login: Wed Nov  5 16:14:03 2014 from ::1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user rep4696.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
Connection to localhost closed.

i.e. it fails before asking for the new password.
I was able to reproduce it. I think it is related to this: https://fedorahosted.org/sssd/ticket/2287
After a debugging session, I determined that this appears to be a new issue with SSSD. I have opened a ticket there: https://fedorahosted.org/sssd/ticket/2484
Metadata Update from @ctria:
- Issue assigned to npmccallum
- Issue set to the milestone: 0.0 NEEDS_TRIAGE