Here is the client's krb5.conf:

#File modified by ipa-client-install

[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

EOF

On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgali...@redhat.com> wrote:

> Michael Kang wrote:
>
>> Dear FreeIPA community,
>>
>> I did try to set the new user's initial password. But it didn't work either.
>> I got a protocol error.
>>
>> Here is the output of the console:
>>
>> [r...@freeipa ~]# kinit admin
>> Password for ad...@aragon.local:
>> [r...@freeipa ~]# ipa-passwd haha
>> Changing password for h...@aragon.local
>> New Password:
>> Confirm Password:
>> [r...@freeipa ~]# kinit haha
>> Password for h...@aragon.local:
>> Password expired. You must change it now.
>> Enter new password:
>> Enter it again:
>> kinit(v5): Requested protocol version not supported while getting
>> initial credentials
>>
> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
> client's krb5.conf?
> Jenny
>
>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgali...@redhat.com <mailto:jgali...@redhat.com>> wrote:
>>
>>     Jenny Galipeau wrote:
>>
>>         Michael Kang wrote:
>>
>>             Dear FreeIPA community,
>>
>>             I successfully installed FreeIPA this morning. Now I got a
>>             problem about Kerberos Authentication. New user cannot
>>             modify their password in shell.
>>
>>         Hi Michael:
>>         Did you set the new user's initial password?
>>         kinit admin
>>         ipa passwd haha
>>         Thanks
>>         Jenny
>>
>>     Also kinit as haha, because haha will be asked to change the
>>     password on first authentication.
>>
>>     Thanks
>>     Jenny
>>
>>             I added a new user named haha (group: ipauser) based on
>>             the webUI. This user is not an existing system user. Then I
>>             added a new Delegations (allow people in group ipauser can
>>             modify password for group ipauser).
>>
>>             [mich...@freeipa Desktop]$ su - haha
>>             Password:
>>
>>             Warning: Your password will expire in less than one hour.
>>             Warning: password has expired.
>>             Kerberos 5 Password:
>>             Warning: Your password will expire in less than one hour.
>>             New UNIX password:
>>             Retype new UNIX password:
>>             su: incorrect password
>>             [mich...@freeipa Desktop]$ su - root
>>             Password:
>>             [r...@freeipa ~]# su - haha
>>             su: warning: cannot change directory to /home/haha: No such file or directory
>>             -sh-3.2$
>>
>>             Root can su - haha successfully. I think that means the
>>             Kerberos works, but new user cannot reset their password
>>             in their shell.
>>
>>             What should I do?
>>
>>             Best Regards,
>>             Michael
>>
>>             -- Michael Kang(康上明学)
>>             There is a giant asleep within every man. When the giant
>>             awakens, miracles happen.
>>
>>             Personal blog: http://ufusion.org - United Fusion
>>
>>             ------------------------------------------------------------------------
>>
>>             _______________________________________________
>>             Freeipa-users mailing list
>>             Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>>             https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>     -- Jenny Galipeau <jgali...@redhat.com <mailto:jgali...@redhat.com>>
>>     Principal Software QA Engineer
>>     Red Hat, Inc. Security Engineering
>>
>> --
>> Michael Kang(康上明学)
>> There is a giant asleep within every man. When the giant awakens, miracles
>> happen.
>>
>> Personal blog: http://ufusion.org - United Fusion
>>
>
> --
> Jenny Galipeau <jgali...@redhat.com>
> Principal Software QA Engineer
> Red Hat, Inc. Security Engineering
>

--
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens, miracles happen.

Personal blog: http://ufusion.org - United Fusion