Discussion:
Mountain Lion GUI Login (Expired passwords / Mavericks too)
Jason Woods
2014-03-13 14:08:29 UTC
Hi all,

This has been raised previously, here: https://www.redhat.com/archives/freeipa-users/2013-August/msg00043.html

I'm experiencing the same issue and I will summarise.

Mac OS X (Mavericks in my case, but it was the same before I upgraded it from Mountain Lion.)
Using RHEL 6.5 and ipa packages 3.0.0-37.

Directory Utility is connected to the IPA domain using the RFC2307 templates, slightly modified so that Groups are based on cn=compat,dc=domain and Users on cn=accounts,dc=domain, and so that NFSHomeDirectory and HomeDirectory are set to "#/Users/$uid$". The reason for compat for groups is so membership works correctly (it needs memberUid format), and the reason for accounts for Users is so all the main info is available and regular change password works. Homes are set that way to keep everything local, as I don't want networked home folders.

Logons work great. Groups are all populated fully. Users can go to System Preferences -> Users & Groups -> Change password and change password successfully. Home directories are kept local. Running the createmobileaccount manually allows an account to successfully be marked as mobile so credential cache works, even if the home directories are local (it seems the GUI won't do it properly, maybe because they're already local.) So far, fantastic.

Now if I create a new user in IPA, it will require a password change on logon.

When I log on to the Mac with this new user, the password box wiggles and a box appears underneath it, "Reset your password", saying I need to set a new password. So I enter a new password and verify it. Then I click "Reset Password" and it wiggles... no matter how many times I try, it doesn't move on.

The log I get is somewhat smaller as I've not yet added kerberos to pam.d/authorization (it shouldn't be required for this since regular change password works), and possibly because less logging is enabled, but I'm not sure what to modify and how.

12:50:47 SecurityAgent: User info context values set for testuser
12:50:48 authorizationhost: Failed to authenticate user <testuser> (error: 10).

Any thoughts on what the issue may be? Apple issue maybe or some incompatibility on the FreeIPA side? Are there any logs from anywhere on the IPA that might help? I can see no apparent issues in the slapd access log, it seems to return successful for various attributes and just stop and no change comes in for the password - it doesn't seem to even request the global_policy which it does when using regular Change password.

Regards,

Jason
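An added example (not part of the thread, and not Jason's or FreeIPA's code): two small sh functions that pull the authorizationhost failures quoted above out of a system.log and count them per user, so a stuck "Reset Password" loop shows up in a log review as a burst of identical failures for one account. The sample log is constructed from the two lines in the post plus invented follow-up lines; the log format assumed is the "HH:MM:SS process: message" shape shown in the post.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Extracts
# "authorizationhost: Failed to authenticate user <USER> (error: CODE)." lines
# from a log file and reports users with repeated failures.
set -eu

# auth_failures LOGFILE -> one line "TIME USER CODE" per failure entry.
auth_failures() {
    sed -n 's/^\([0-9:]*\) authorizationhost: Failed to authenticate user <\([^>]*\)> (error: \(-\{0,1\}[0-9]*\))\.$/\1 \2 \3/p' "$1"
}

# repeated_failures LOGFILE MIN -> users with at least MIN failures, sorted.
repeated_failures() {
    auth_failures "$1" \
        | awk -v min="$2" '{ n[$2]++ } END { for (u in n) if (n[u] >= min) print u }' \
        | sort
}

# Constructed sample: the two lines quoted in the post, a second identical
# failure for the same user (as the retry loop would produce), and one for an
# invented user "alice" so the per-user count has something to separate.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
12:50:47 SecurityAgent: User info context values set for testuser
12:50:48 authorizationhost: Failed to authenticate user <testuser> (error: 10).
12:51:02 SecurityAgent: User info context values set for testuser
12:51:03 authorizationhost: Failed to authenticate user <testuser> (error: 10).
12:52:10 SecurityAgent: User info context values set for alice
12:52:11 authorizationhost: Failed to authenticate user <alice> (error: 9).
EOF

echo "failures:"
auth_failures "$SAMPLE_LOG"
echo "users with 2 or more failures:"
repeated_failures "$SAMPLE_LOG" 2
```

Run it against a real file with `auth_failures /var/log/system.log`; the sed pattern only matches the exact message shape quoted in the post, so a differently worded line is silently skipped rather than misparsed.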
Robert Story
2014-03-13 14:29:09 UTC
On Thu, 13 Mar 2014 14:08:29 +0000 Jason wrote:
JW> Now if I create a new user in IPA. It will require a password change on
JW> logon.
JW>
JW> When I logon on the Mac with this new user. The password box wiggles
JW> and a box appears underneath it. "Reset your password". Saying I need
JW> to set a new password. So I enter a new password and I verify it. Then
JW> I click "Reset Password" and it wiggle... no matter how many times I
JW> try, it doesn't move on.

I don't have OS X, but every time I create a new test user on linux and log
in to test it, I get bit by the fact that the passwd change always asks for
the existing password first, before asking for the new password. So I have
to enter the original password once to login, once to make passwd happy,
and then enter the new password. Are you sure the dialog box isn't asking
for the existing password first?


Robert

--
Senior Software Engineer @ Parsons
Davis Goodman
2014-03-13 18:12:05 UTC
Post by Robert Story
JW> Now if I create a new user in IPA. It will require a password change on
JW> logon.
JW>
JW> When I logon on the Mac with this new user. The password box wiggles
JW> and a box appears underneath it. "Reset your password". Saying I need
JW> to set a new password. So I enter a new password and I verify it. Then
JW> I click "Reset Password" and it wiggle... no matter how many times I
JW> try, it doesn't move on.
I don't have OS X, but every time I create a new test user on linux and log
in to test it, I get bit by the fact that the passwd change always asks for
the existing password first, before asking for the new password. So I have
to enter the original password once to login, once to make passwd happy,
and then enter the new password. Are you sure the dialog box isn't asking
for the existing password first?
Robert
--
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
Well I still haven’t had any responses since that time.

I wish we could resolve this since it’s the only little bit remaining to have a full FreeIPA integration.

BTW we also integrated sudo-ldap on our OSX machines. The only thing is that you have to upgrade the sudo packages with this one.

sudo-1.8.9p3.pkg

and then:

installer -pkg /prod/sysadmin/darwin/software/sudo/sudo-1.8.9p3.pkg -target /
mv /usr/bin/sudo /usr/bin/sudo.orig
ln -s /usr/local/bin/sudo /usr/bin

Then you modify sudo-ldap and nsswitch.conf, the same as on the Linux boxes.
--
Davis Goodman
Directeur Informatique | IT Manager

5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104 Cell: +1 (514) 994-7360
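An added example (not from the thread, and not Davis's own script): the sudo swap from the post wrapped in a sh function with the two checks a practitioner would want before replacing a setuid binary on a fleet of Macs. BINDIR and NEWSUDO are parameters (on a real machine /usr/bin and /usr/local/bin/sudo after the pkg install); the function refuses to run twice, since a second plain `mv` would overwrite sudo.orig with the symlink from the first run, and it warns if the new binary is not setuid, because a symlink only inherits the target's permissions.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Safer version of:
#   mv /usr/bin/sudo /usr/bin/sudo.orig
#   ln -s /usr/local/bin/sudo /usr/bin
# Parameters are assumed for this example so it can be tried in a scratch dir.
set -eu

# swap_sudo BINDIR NEWSUDO
#   BINDIR  directory holding the OS sudo (e.g. /usr/bin)
#   NEWSUDO the freshly installed binary (e.g. /usr/local/bin/sudo)
swap_sudo() {
    bindir=$1
    newsudo=$2

    [ -x "$newsudo" ] || { echo "new sudo $newsudo is not executable" >&2; return 1; }
    # The symlink inherits the target's mode bits: without setuid root the
    # replacement sudo cannot elevate at all.
    [ -u "$newsudo" ] || echo "warning: $newsudo is not setuid" >&2

    # Refuse to clobber an earlier backup; on a re-run the original mv would
    # replace sudo.orig with the symlink created by the first run.
    if [ -e "$bindir/sudo.orig" ]; then
        echo "$bindir/sudo.orig already exists, refusing to overwrite" >&2
        return 1
    fi
    mv "$bindir/sudo" "$bindir/sudo.orig"
    ln -s "$newsudo" "$bindir/sudo"
}

# current_sudo_target BINDIR -> where BINDIR/sudo points, or the path itself
# if it is a regular file (i.e. not yet swapped).
current_sudo_target() {
    readlink "$1/sudo" 2>/dev/null || printf '%s\n' "$1/sudo"
}

# Usage on a Mac after installing the pkg: swap_sudo /usr/bin /usr/local/bin/sudo
if [ $# -eq 2 ]; then
    swap_sudo "$1" "$2"
    echo "sudo now points at: $(current_sudo_target "$1")"
fi
```

Before the swap, `current_sudo_target /usr/bin` prints `/usr/bin/sudo`; afterwards it prints the symlink target, which is a quick way to confirm which sudo a machine is actually running.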
Jason Woods
2014-03-13 18:32:08 UTC
Hi
Post by Robert Story
I don't have OS X, but every time I create a new test user on linux and log
in to test it, I get bit by the fact that the passwd change always asks for
the existing password first, before asking for the new password. So I have
to enter the original password once to login, once to make passwd happy,
and then enter the new password. Are you sure the dialog box isn't asking
for the existing password first?
Robert
Well I still haven’t had any responses since that time.
I wish we could resolve this since it’s the only little bit remaining to have a full FreeIPA integration.
Yeah, it's the only thing wrong for me.

To answer Robert's question though: the reset password is a pop-up with an arrow to the login, and the original password is still there, so I would assume so. Guessing this is gonna need deeper investigation though, but I suspect it's more on the Apple side :-(
BTW we also integrated sudo-ldap on our OSX machines. The only thing is that you have to upgrade the sudo packages with this one.
sudo-1.8.9p3.pkg
installer -pkg /prod/sysadmin/darwin/software/sudo/sudo-1.8.9p3.pkg -target /
mv /usr/bin/sudo /usr/bin/sudo.orig
ln -s /usr/local/bin/sudo /usr/bin
then you modify sudo-ldap and nsswitch.conf same thing as on the linux boxes.
--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104 Cell: +1 (514) 994-7360
Thanks for that! We've not got around to any sudo, and it's not really needed, but it's great to know it's certainly possible and fairly straightforward!

Jason
