Michael,
did you restart the kdc after you updated the krb5.conf file?
David
Michael Kang wrote:
According to the FreeIPA Client Configure Guide, I realized I may miss
something in my client's krb5.conf. It had been created by
ipa-client-install script. I never edit it. But there are *no* *[realms]* and
*[domain_realm] *in krb5.conf file.
So I added them, show it below:
#File modified by ipa-client-install
[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
ARAGON.LOCAL = {
kdc = ipa.aragon.local:88
admin_server = ipa.aragon.local:749
default_domain = aragon.local
}
[domain_realm]
.aragon.local = ARAGON.LOCAL
aragon.local = ARAGON.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
It doesn't work either by using the new krb5.conf.
*kinit(v5): Password change failed while getting initial credentials*
I'd like to post more detail outputs. Hope it could be helpful.
[r...@freeipa ~]# kinit admin
Password for ad...@aragon.local:
[r...@freeipa ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@aragon.local
Valid starting Expires Service principal
09/23/09 22:52:57 09/24/09 22:52:58 krbtgt/aragon.lo...@aragon.local
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[r...@freeipa ~]# ipa-finduser admin
Full Name: Administrator
Home Directory: /home/admin
Login Shell: /bin/bash
Login: admin
[r...@freeipa ~]# ipa-finduser haha
Full Name: haha haha
Home Directory: /home/haha
Login Shell: /bin/sh
Login: haha
Regards,
Michael
On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxi...@gmail.com> wrote:
Here is client's krb5.conf:
#File modified by ipa-client-install
[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
EOF
On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgali...@redhat.com>wrote:
Michael Kang wrote:
Dear FreeIPA community,
I did try set the new user's initial password. But it didn't work either.
I got a protocol error.
Here is the output of console :
[r...@freeipa ~]# kinit admin
Password for ad...@aragon.local:
[r...@freeipa ~]# ipa-passwd haha
Changing password for h...@aragon.local
New Password:
Confirm Password:
[r...@freeipa ~]# kinit haha
Password for h...@aragon.local:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Requested protocol version not supported while getting
initial credentials
Sounds like, a Kerberos V4 request was sent to the KDC? What's in the
client's krb5.conf?
Jenny
On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgali...@redhat.com<mailto:
jgali...@redhat.com>> wrote:
Jenny Galipeau wrote:
Michael Kang wrote:
Dear FreeIPA community,
I successfully installed FreeIPA this morning. Now I got a
problem about Kerberos Authentication. New user cannot
modify their password in shell.
Hi Michael:
Did you set the new user's initial password?
kinit admin
ipa passwd haha
Thanks
Jenny
Also kinit as haha, because haha will be asked to change the
password on first authentication.
Thanks
Jenny
I added a new user named /haha(group: ipauser)/ based on
the webUI. This user is not a existed system user. Then I
added a new Delegations(allow people in group ipauser can
modify password for group ipauser) .
/[mich...@freeipa Desktop]$ su - haha/
/Password: /
/Warning: Your password will expire in less than one hour./
/Warning: password has expired./
/Kerberos 5 Password: /
/Warning: Your password will expire in less than one hour./
/New UNIX password: /
/Retype new UNIX password: /
/su: incorrect password/
/[mich...@freeipa Desktop]$ su - root/
/Password: /
/[r...@freeipa ~]# su - haha/
/su: warning: cannot change directory to /home/haha: No
such file
or directory/
/-sh-3.2$ /
Root can su - haha successfully. I think that means the
Kerberos works, but new user cannot reset their password
in their shell.
What should I do?
Best Regards,
Michael
-- Michael Kang(康上明学)
There is a giant asleep within every man. When the giant
awakens,miracles happen.
Personal blog: http://ufusion.org - United Fusion
------------------------------------------------------------------------
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users
-- Jenny Galipeau <jgali...@redhat.com <mailto:jgali...@redhat.com
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
--
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles
happen.
Personal blog: http://ufusion.org - United Fusion
--
Jenny Galipeau <jgali...@redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
--
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles
happen.
Personal blog: http://ufusion.org - United Fusion
------------------------------------------------------------------------
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189
"The most valuable of all talents is that of never using two words when
one will do."
Thomas Jefferson
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users