Hi,
On Sat, Jan 7, 2023 at 12:45 AM Tom Spettigue via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Hey all -
> I'm having an issue whereby password resets for users don't appear to be
> working... fully. It's odd because, if, through the web interface, I click
> "Actions", and then "Reset Password", and set it to some temporary
> password, I can then login to an IPA client server with that password. That
> server then prompts me to reset the user's password - confirming, to me,
> that the password reset "signal" has indeed been sent to that server. I
> then do the password reset, and can then log into that AND OTHER client
> servers with that password, suggesting that the password reset has worked!
> BUT. When I try to connect to that user via LDAP, using that same
> password, I get "Invalid credentials (49)". Further, if I try a `kinit
> $USER` from any of those CLIENT servers, and punch in the password, it
> seems fine! But whenever I try the SAME `kinit $user` command from the IPA
> servers, I get `kinit: Password incorrect while getting initial
> credentials`, which is... deeply troubling, to say the least.
> What on Earth is going on?

Can you check the version of 389-ds installed on your servers? Is it the
same everywhere?
We recently saw an issue if some of the 389ds servers are upgraded and use
PBKDF2_SHA512 as password storage scheme and some older servers don't
support this version.
The following versions switched to PBKDF2_SHA512 (on fedora):
- 389-ds-base-2.1.6
- 389-ds-base-2.0.17
- 389-ds-base-1.4.3-32
To check the default password storage scheme on a given server:
ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -W -b cn=config -s base passwordStorageScheme
Enter LDAP Password:
dn: cn=config
passwordStorageScheme: PBKDF2_SHA256
To check the list of supported password storage schemes on a given server:
ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -W -b "cn=Password Storage Schemes,cn=plugins,cn=config" dn
To check the password storage scheme for a given user:
ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -W -b uid=mytestuser,cn=users,cn=accounts,dc=ipa,dc=test userpassword | grep userpassword | cut -d' ' -f 2 | base64 -d
Enter LDAP Password:
{PBKDF2_SHA256}AAAIAIIDz/Q4OmrblsUD/o7hXRH53bNZtFEVuBmC9o5V2LyVuQ3rmLK336P28QkixVAOZeRLSM1Wi7+If139ezhyJEXq3JXvKfyxXZiAlDDk8EbxbhyyRsazEJuqHAdOucOjJJ3csXkqp63VWlk7K8PFz/N9cftYiWKLVNHbp+2p+VFOQT56PJmqdt3yNzwulppEkLScnTc9+8pNaebFJQCJuhsbvOmigop+vK3SyPoxGmRqE3S3kRHptbdHUSvle1bvzGegforPJHbhl0NNU8Nt8waPwS+/agfMq8cQ7M4lCFviiKN/FlcAlApieedfXAPWOFrVPQT6czAu62w/s29yIh14vvsL91OCYkjkJqDAHm2b10Nfe8uoW2Edn/2IbvMLlyDaiMBuEpTGKSwNZxIFWF3h0fvCV7DBBVtTPHLb+Y9U
In my example the scheme is PBKDF2_SHA256, which is supported on all my IPA
servers. If the scheme for your user is PBKDF2_SHA512 then you may be
hitting the issue.
flo
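The check flo describes above, automated across several servers as an added example (not code from the thread or from FreeIPA/389-ds): it parses the LDIF output of the two ldapsearch queries, pulls the {SCHEME} prefix out of the user's base64-encoded userPassword, and lists the servers whose "Password Storage Schemes" plugin entries do not include that scheme. The hostnames, the LDIF samples and the hash payload are constructed for the example; the entry layout cn=<SCHEME>,cn=Password Storage Schemes,cn=plugins,cn=config is assumed.

```python
import base64
import re
from typing import Dict, List, Optional, Set

# Constructed sample: a user whose hash was written by a server defaulting
# to PBKDF2_SHA512 (payload after the scheme prefix is dummy data).
USER_LDIF = (
    "dn: uid=mytestuser,cn=users,cn=accounts,dc=ipa,dc=test\n"
    "userPassword:: "
    + base64.b64encode(b"{PBKDF2_SHA512}AAAIAExampleHashData").decode()
    + "\n"
)

# Constructed sample: 'dn' results of the plugins query on two servers.
# ipa2 stands in for an older 389-ds that lacks the PBKDF2_SHA512 plugin.
SCHEMES_LDIF: Dict[str, str] = {
    "ipa1.ipa.test": (
        "dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config\n"
        "dn: cn=PBKDF2_SHA512,cn=Password Storage Schemes,cn=plugins,cn=config\n"
        "dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config\n"
    ),
    "ipa2.ipa.test": (
        "dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config\n"
        "dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config\n"
    ),
}

_DN_RE = re.compile(r"dn: cn=([^,]+),cn=Password Storage Schemes,cn=plugins,cn=config$", re.I)


def user_password_scheme(ldif: str) -> Optional[str]:
    """Return the {SCHEME} prefix of the stored userPassword, or None if absent."""
    for line in ldif.splitlines():
        name, sep, value = line.partition(": ")
        if name.lower() == "userpassword:":      # 'attr:: value' -> base64 (LDIF)
            raw = base64.b64decode(value)
        elif name.lower() == "userpassword":     # plain 'attr: value'
            raw = value.encode()
        else:
            continue
        m = re.match(rb"\{([A-Za-z0-9_-]+)\}", raw)
        return m.group(1).decode() if m else None
    return None


def supported_schemes(ldif: str) -> Set[str]:
    """Scheme names advertised under cn=Password Storage Schemes on one server."""
    return {m.group(1).upper() for m in map(_DN_RE.match, ldif.splitlines()) if m}


def servers_unable_to_verify(user_ldif: str, schemes_by_server: Dict[str, str]) -> List[str]:
    """Hosts that cannot verify this user's hash: binds there fail with error 49."""
    scheme = user_password_scheme(user_ldif)
    if scheme is None:
        raise ValueError("no hashed userPassword value found")
    return sorted(h for h, l in schemes_by_server.items() if scheme.upper() not in supported_schemes(l))
```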