John Robert Mendoza wrote:
Hi to all,

I currently have set up a FreeIPA server on a virtual machine and have some issues I just want to have cleared up.

My setup is as follows:

I have tweaked the /etc/hosts file to register the hostname and IP address of the machine on which I have installed the server.

Then, I installed the ipa server from yum and have successfully created my realm and directory server. I used the -N option to disable the configuration and installation of the NTP server, and configured /etc/ntp.conf to synchronize the time with our own NTP server.

After the installation, I configured the browser to enable the web GUI. I have successfully done this, and have accessed the administrator page after obtaining the admin ticket.

Now I tried to create a test user. This test user has the required entries for an account to be created. Now that the user exists, the page reported that the user's password has expired. I know this is a security feature. I then tried to kinit as the test user; it asked for the password and I supplied the password, which is identical to the password I supplied when creating the test user. kinit outputs this error:

kinit(v5): Password incorrect while getting initial credentials

I looked at the krb5kdc.log and found this:
Jul 29 10:40:06 krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) CLIENT KEY EXPIRED: for krbtgt/, Password has expired.

I just X'ed out our realm and the hostname of the machine.
Isn't the password that was supplied during the registration of a user supposed to be his Kerberos password too?

Yes, this password expired message is expected.

Immediately after this message you should see a NEEDED_PREAUTH for kadmin/chang...@realm, basically asking for the current password. Does the password work if you do a simple bind to LDAP?

e.g. something like this, to search for the login 'tuser':

% ldapsearch -x -D "uid=tuser,cn=users,cn=accounts,dc=example,dc=com" -W -b "dc=example,dc=com" uid=tuser
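The reply describes the sequence to look for in krb5kdc.log: a CLIENT KEY EXPIRED on the krbtgt AS_REQ is normal for a freshly created FreeIPA user, and what matters is the kadmin/changepw exchange that should follow it. The script below is an added example, not code from the thread or from FreeIPA. It parses constructed krb5kdc.log lines in the MIT krb5 KDC format (the realm EXAMPLE.COM, the users tuser and bob and the client address 192.0.2.10 are assumptions, since the original post redacted its realm and hostname) and, for each client that hit the expired-password message, reports whether the password change went through, whether the kadmin/changepw preauth failed (the user typed a password the KDC does not accept), or whether no change was ever attempted.

```python
import re
from collections import defaultdict

# Constructed sample krb5kdc.log lines. Realm, users and client address are
# assumptions for the example; the original post's log line had them redacted.
SAMPLE_LOG = """\
Jul 29 10:40:06 krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: CLIENT KEY EXPIRED: tuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 29 10:40:06 krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: tuser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 29 10:40:09 krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1248838809, etypes {rep=18 tkt=18 ses=18}, tuser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jul 29 10:41:00 krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: tuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 29 10:41:01 krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1248838861, etypes {rep=18 tkt=18 ses=18}, tuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 29 10:45:00 krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: CLIENT KEY EXPIRED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 29 10:45:00 krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: bob@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 29 10:45:03 krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: PREAUTH_FAILED: bob@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Preauthentication failed
"""

# One AS_REQ record: timestamp, client address, status word(s), client and
# server principal, optional trailing message. ISSUE lines carry an
# "authtime ..., etypes {...}," prefix before the principals, hence the
# optional group. The server principal stops at a comma so the trailing
# message is not swallowed into it.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"AS_REQ \([^)]*\) (?P<addr>\S+): (?P<status>[A-Z_ ]+?): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)(?:, (?P<msg>.*))?$"
)


def parse_kdc_log(text):
    """Return a list of dicts, one per AS_REQ line that matches the KDC format.

    Lines that do not match (TGS_REQ lines, redacted lines such as the one in
    the original post, startup banners) are skipped rather than guessed at.
    """
    events = []
    for line in text.splitlines():
        m = AS_REQ_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage_expired_passwords(events):
    """For each client whose AS_REQ hit CLIENT KEY EXPIRED, say what happened next.

    Outcomes:
      "changed"        a later ISSUE for kadmin/changepw: the expired password
                       was accepted and the user went on to change it (normal)
      "wrong_password" the kadmin/changepw exchange ended in PREAUTH_FAILED:
                       the password typed does not match the one the KDC holds
      "no_attempt"     the client never contacted kadmin/changepw at all
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    result = {}
    for client, evs in by_client.items():
        expired_at = [i for i, ev in enumerate(evs) if ev["status"] == "CLIENT KEY EXPIRED"]
        if not expired_at:
            continue
        # Only events after the first expiry message are relevant to the change.
        changepw = [
            ev for ev in evs[expired_at[0] + 1:]
            if ev["server"].startswith("kadmin/changepw@")
        ]
        if any(ev["status"] == "ISSUE" for ev in changepw):
            result[client] = "changed"
        elif any(ev["status"] == "PREAUTH_FAILED" for ev in changepw):
            result[client] = "wrong_password"
        else:
            result[client] = "no_attempt"
    return result


if __name__ == "__main__":
    for client, outcome in sorted(triage_expired_passwords(parse_kdc_log(SAMPLE_LOG)).items()):
        print(f"{client}: {outcome}")
```

In the constructed sample, tuser follows the path the reply describes (expired, then kadmin/changepw preauth, then a ticket for changepw, then a normal krbtgt ticket), while bob's changepw preauth fails. The "wrong_password" outcome is exactly the situation where the ldapsearch simple bind above is the next thing to try: if the bind succeeds with the same password, the LDAP and Kerberos credentials disagree; if it fails too, the password that was set is simply not the one being typed.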


