Here is the client's krb5.conf:

#File modified by ipa-client-install

[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

EOF

On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgali...@redhat.com> wrote:

> Michael Kang wrote:
>
>> Dear FreeIPA community,
>>
>> I did try to set the new user's initial password. But it didn't work either.
>> I got a protocol error.
>>
>> Here is the console output:
>>
>>    [r...@freeipa ~]# kinit admin
>>    Password for ad...@aragon.local:
>>    [r...@freeipa ~]# ipa-passwd haha
>>    Changing password for h...@aragon.local
>>    New Password:
>>    Confirm Password:
>>    [r...@freeipa ~]# kinit haha
>>    Password for h...@aragon.local:
>>    Password expired. You must change it now.
>>    Enter new password:
>>    Enter it again:
>>    kinit(v5): Requested protocol version not supported while getting
>>    initial credentials
>>
>>
> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
> client's krb5.conf?
> Jenny
>
>>
>>
>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgali...@redhat.com> wrote:
>>
>>    Jenny Galipeau wrote:
>>
>>
>>        Michael Kang wrote:
>>
>>            Dear FreeIPA community,
>>
>>            I successfully installed FreeIPA this morning. Now I have a
>>            problem with Kerberos authentication. A new user cannot
>>            modify their password in the shell.
>>
>>        Hi Michael:
>>        Did you set the new user's initial password?
>>        kinit admin
>>        ipa passwd haha
>>        Thanks
>>        Jenny
>>
>>    Also kinit as haha, because haha will be asked to change the
>>    password on first authentication.
>>
>>    Thanks
>>    Jenny
>>
>>
>>            I added a new user named /haha (group: ipauser)/ through
>>            the webUI. This user is not an existing system user. Then I
>>            added a new Delegation (allowing people in group ipauser to
>>            modify passwords for group ipauser).
>>
>>            /[mich...@freeipa Desktop]$ su - haha/
>>            /Password: /
>>
>>            /Warning: Your password will expire in less than one hour./
>>            /Warning: password has expired./
>>            /Kerberos 5 Password: /
>>            /Warning: Your password will expire in less than one hour./
>>            /New UNIX password: /
>>            /Retype new UNIX password: /
>>            /su: incorrect password/
>>            /[mich...@freeipa Desktop]$ su - root/
>>            /Password: /
>>            /[r...@freeipa ~]# su - haha/
>>            /su: warning: cannot change directory to /home/haha: No such file or directory/
>>            /-sh-3.2$ /
>>
>>
>>            Root can su - haha successfully. I think that means
>>            Kerberos works, but a new user cannot reset their password
>>            in their shell.
>>
>>            What should I do?
>>
>>            Best Regards,
>>            Michael
>>
>>            --            Michael Kang(康上明学)
>>            There is a giant asleep within every man. When the giant
>>            awakens, miracles happen.
>>
>>            Personal blog: http://ufusion.org - United Fusion
>>
>>  ------------------------------------------------------------------------
>>
>>            _______________________________________________
>>            Freeipa-users mailing list
>>            Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>>            https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>>
>>
>>    --    Jenny Galipeau <jgali...@redhat.com>
>>    Principal Software QA Engineer
>>    Red Hat, Inc. Security Engineering
>>
>>
>>
>>
>> --
>> Michael Kang(康上明学)
>> There is a giant asleep within every man. When the giant awakens, miracles
>> happen.
>>
>> Personal blog: http://ufusion.org - United Fusion
>>
>
>
> --
> Jenny Galipeau <jgali...@redhat.com>
> Principal Software QA Engineer
> Red Hat, Inc. Security Engineering
>
>


-- 
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens, miracles
happen.

Personal blog: http://ufusion.org - United Fusion