Hi Mike,

> This very likely means that your Kerberos layer / service stack is broken.
>
> Do you have libpam-krb5 installed on TJENER? (That would be an easy solution).

Nope, it was not installed. Maybe my legacy installation is not needing it? I installed it but things did not improve.

> Does the new user object in LDAP have krb* LDAP attributes?

Yep, I found 9 entries:

krbPrincipalName: mm@INTERN
krbPwdPolicyReference: cn=users,cn=INTERN,cn=kerberos,dc=skole,dc=skolelinux,dc=no
krbLoginFailedCount: 0
krbTicketFlags: 128
krbPrincipalKey:: AwIBAqMDAgEBpIICPjCCAjowVKAHMAWgAwIBAKFJMEeg[...]
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20240105153122Z
krbExtraData:: AALKIJhlcm9vdC9hZG1pbkBJTlRFUk4A
krbExtraData:: AAgBAA==

> If you launch kadmin.local and then enter "list_principals": do any
> Kerberos principals (users and/or hosts and/or services) get shown? Do
> the user accounts that fail login get listed by this?

Yep, they get all nicely listed.

> If the new LDAP users don't get listed, try "add_princ -policy users
> <uid>" and try login from another tty.
>
> If the new LDAP users get listed, try to set their password using "cpw <uid>".

I did this but the user still can't login.

> Please also let me/us know what versions of Debian Edu you have
> installed (11 or 12)?

This one is my personal debian edu workstation and testserver. It's rather legacy and still on 10 (buster) with GOsa 2.7.4.

> If 12, have you upgraded to latest package
> versions? There was a bug in Debian Edu 12's debian-edu-config that
> only got resolved recently:
>
> ```
> debian-edu-config (2.12.41~deb12u1) bookworm; urgency=medium
>
>   * Upload to bookworm.
>
>  -- Mike Gabriel <sunwea...@debian.org>  Sun, 03 Dec 2023 08:45:42 +0100
>
> debian-edu-config (2.12.41) unstable; urgency=medium
>
>   [ Guido Berhoerster ]
>   * gosa-sync: Decode the user password which GOsa substitutes base64
>     encoded.
>     This fixes a bug where the user password could not be set or changed.
>     (related to #1052159).
>
>  -- Mike Gabriel <sunwea...@debian.org>  Fri, 01 Dec 2023 21:44:38 +0100
> ```
>
> This fix in d-e-c goes together with a fix in gosa:

d-e-c?

> ```
> gosa (2.8~git20230203.10abe45+dfsg-1+deb12u2) bookworm; urgency=medium
>
>   [ Daniel Teichmann ]
>   * debian/patches:
>     [...]
>     + Add 1044_fix-class-ldap-serialization.patch which fixes a few bugs
>       regarding serialization. This especially fixes setting LDAP
>       userPassword attribute types via GOsa². (Closes: #1052159).
>     + Add 1045_fix-posixaccount-shadowExpire.patch which fixes shadowExpire
>       always being set to 0. (User can't login then). (Closes: #1053806).
>
>   [ Guido Berhoerster ]
>   * debian/patches:
>     [...]
>
>   [ Mike Gabriel ]
>   * debian/patches:
>     [...]
>
>  -- Mike Gabriel <sunwea...@debian.org>  Sun, 03 Dec 2023 08:16:31 +0100
> ```
>
> If you have Debian Edu 12, simply upgrading d-e-c and gosa to the
> referenced versions should help.
>
> Mike

Kind regards,
Roman