Michael,
did you restart the kdc after you updated the krb5.conf file?

David

Michael Kang wrote:
According to the FreeIPA Client Configure Guide, I realized I may have missed
something in my client's krb5.conf. It had been created by the
ipa-client-install script. I never edited it. But there are *no* *[realms]* and
*[domain_realm]* in the krb5.conf file.

So I added them, as shown below:

#File modified by ipa-client-install

[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[realms]
ARAGON.LOCAL = {
    kdc = ipa.aragon.local:88
    admin_server = ipa.aragon.local:749
    default_domain = aragon.local
    }

[domain_realm]
.aragon.local = ARAGON.LOCAL
aragon.local = ARAGON.LOCAL

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }


It doesn't work either by using the new krb5.conf.
*kinit(v5): Password change failed while getting initial credentials*

I'd like to post more detailed output. Hope it could be helpful.

[r...@freeipa ~]# kinit admin
Password for ad...@aragon.local:
[r...@freeipa ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@aragon.local

Valid starting     Expires            Service principal
09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/aragon.lo...@aragon.local


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[r...@freeipa ~]# ipa-finduser admin
Full Name: Administrator
Home Directory: /home/admin
Login Shell: /bin/bash
Login: admin

[r...@freeipa ~]# ipa-finduser haha
Full Name: haha haha
Home Directory: /home/haha
Login Shell: /bin/sh
Login: haha


Regards,
Michael

On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxi...@gmail.com> wrote:

Here is client's krb5.conf:

#File modified by ipa-client-install
[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

EOF


On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgali...@redhat.com> wrote:

Michael Kang wrote:

Dear FreeIPA community,

I did try setting the new user's initial password. But it didn't work either.
I got a protocol error.

Here is the output of the console:

   [r...@freeipa ~]# kinit admin
   Password for ad...@aragon.local:
   [r...@freeipa ~]# ipa-passwd haha
   Changing password for h...@aragon.local
   New Password:
   Confirm Password:
   [r...@freeipa ~]# kinit haha
   Password for h...@aragon.local:
   Password expired. You must change it now.
   Enter new password:
   Enter it again:
   kinit(v5): Requested protocol version not supported while getting
   initial credentials


Sounds like a Kerberos V4 request was sent to the KDC? What's in the
client's krb5.conf?
Jenny

On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgali...@redhat.com> wrote:

   Jenny Galipeau wrote:


       Michael Kang wrote:

           Dear FreeIPA community,

           I successfully installed FreeIPA this morning. Now I got a
           problem about Kerberos Authentication. New user cannot
           modify their password in shell.

       Hi Michael:
       Did you set the new user's initial password?
       kinit admin
       ipa passwd haha
       Thanks
       Jenny

   Also kinit as haha, because haha will be asked to change the
   password on first authentication.

   Thanks
   Jenny


            I added a new user named /haha (group: ipauser)/ via
            the web UI. This user is not an existing system user. Then I
            added a new Delegation (allowing people in group ipauser to
            modify passwords for group ipauser).

           /[mich...@freeipa Desktop]$ su - haha/
           /Password: /

           /Warning: Your password will expire in less than one hour./
           /Warning: password has expired./
           /Kerberos 5 Password: /
           /Warning: Your password will expire in less than one hour./
           /New UNIX password: /
           /Retype new UNIX password: /
           /su: incorrect password/
           /[mich...@freeipa Desktop]$ su - root/
           /Password: /
           /[r...@freeipa ~]# su - haha/
            /su: warning: cannot change directory to /home/haha: No such file or directory/
           /-sh-3.2$ /


           Root can su - haha successfully. I think that means the
           Kerberos works, but new user cannot reset their password
           in their shell.

           What should I do?

           Best Regards,
           Michael

            --
            Michael Kang(康上明学)
            There is a giant asleep within every man. When the giant
            awakens, miracles happen.

           Personal blog: http://ufusion.org - United Fusion


           _______________________________________________
           Freeipa-users mailing list
            Freeipa-users@redhat.com
           https://www.redhat.com/mailman/listinfo/freeipa-users





    --
    Jenny Galipeau <jgali...@redhat.com>
    Principal Software QA Engineer
    Red Hat, Inc. Security Engineering

--

David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189

"The most valuable of all talents is that of never using two words when
one will do."
Thomas Jefferson
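The gap Michael found, a client krb5.conf with no [realms] and no [domain_realm] section, is easy to check for mechanically before anyone starts guessing at KDC-side problems. The following is an added example, not code from this thread or from FreeIPA: a small krb5.conf parser and a checker that reports whether the default realm has a KDC and admin_server entry and whether any domain is mapped to it, noting when dns_lookup_kdc / dns_lookup_realm would cover the gap. The two sample configurations are constructed copies of the fragments posted above; the function names parse_krb5_conf and check_client_conf are mine.

```python
"""Sanity-check a Kerberos client krb5.conf for missing realm sections."""
import re

# Constructed sample: the krb5.conf as ipa-client-install left it, with no
# [realms] or [domain_realm] section (copied from the thread above).
ORIGINAL_CONF = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
"""

# Constructed sample: the same file after the [realms] and [domain_realm]
# sections from the thread were added.
FIXED_CONF = ORIGINAL_CONF + """
[realms]
ARAGON.LOCAL = {
    kdc = ipa.aragon.local:88
    admin_server = ipa.aragon.local:749
    default_domain = aragon.local
    }

[domain_realm]
.aragon.local = ARAGON.LOCAL
aragon.local = ARAGON.LOCAL
"""

_SECTION = re.compile(r"^\[([A-Za-z_]+)\]$")
_OPEN = re.compile(r"^([^=\s]+)\s*=\s*\{$")
_ASSIGN = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value | {subkey: value}}}.

    Blank lines and '#'/';' comments are skipped; "name = { ... }" blocks
    become nested dicts; a key that repeats (several kdc lines) is kept as a
    list of values in file order.
    """
    conf = {}
    section = None
    stack = []  # innermost dict first receives assignments
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError("key outside of any section: %r" % line)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % line)
        key, value = m.group(1), m.group(2).strip()
        target = stack[-1]
        if key in target and not isinstance(target[key], dict):
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' in krb5.conf")
    return conf


def _flag(libdefaults, name):
    return str(libdefaults.get(name, "false")).lower() == "true"


def check_client_conf(conf):
    """Return a list of findings about how the client will locate its realm."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    if realm != realm.upper():
        findings.append("default_realm %r is not upper-case (realm names are case-sensitive)" % realm)
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        if _flag(libdefaults, "dns_lookup_kdc"):
            findings.append("no [realms] entry for %s; KDC location relies entirely on DNS SRV records" % realm)
        else:
            findings.append("no [realms] entry for %s and dns_lookup_kdc is off; kinit cannot find a KDC" % realm)
    else:
        if "kdc" not in entry:
            findings.append("[realms] entry for %s has no kdc line" % realm)
        if "admin_server" not in entry and "kpasswd_server" not in entry:
            findings.append("[realms] entry for %s has no admin_server; password changes depend on DNS" % realm)
    if not any(r == realm for r in conf.get("domain_realm", {}).values()):
        if _flag(libdefaults, "dns_lookup_realm"):
            findings.append("no [domain_realm] mapping to %s; host-to-realm mapping relies on DNS TXT records" % realm)
        else:
            findings.append("no [domain_realm] mapping to %s and dns_lookup_realm is off" % realm)
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(label + ":", check_client_conf(parse_krb5_conf(text)) or ["ok"])
```

Run against the original file the checker reports two findings (no [realms] entry and no [domain_realm] mapping, both currently papered over by the dns_lookup_* settings); against the fixed file it reports none. That matches the outcome in the thread: once the explicit sections were present, kinit and klist worked and the remaining failure was the password-change step, which is a different problem from realm lookup.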