Hi Michael:

Let's rule in or out the delegation you added. Can you remove the delegation and try it? If it works, I think we may have a bug. If it behaves the same, if you could provide more debug info that would be great.


Thanks
Jenny

Michael Kang wrote:
Hi David,

I reboot the system after I edit the configure file.

Regard,
Michael

On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien <dav...@redhat.com <mailto:dav...@redhat.com>> wrote:

    Michael,
    did you restart the kdc after you updated the krb5.conf file?

    David

    Michael Kang wrote:

        According to the FreeIPA Client Configure Guide, I realized I
        may miss
        something in my client's krb5.conf. It had been created by
        ipa-client-install script. I never edit it. But there are *no*
        *[realms]* and
        *[domain_realm] *in krb5.conf file.

        So I added them, show it below:


            #File modified by ipa-client-install

            [libdefaults]
            default_realm = ARAGON.LOCAL
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            forwardable = yes

            [realms]
            ARAGON.LOCAL = {
            kdc = ipa.aragon.local:88
            admin_server = ipa.aragon.local:749
            default_domain = aragon.local
            }

            [domain_realm]
            .aragon.local = ARAGON.LOCAL
            aragon.local = ARAGON.LOCAL

            [appdefaults]
            pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
            }



        It doesn't work either by using the new krb5.conf.
        *kinit(v5): Password change failed while getting initial
        credentials*

        I'd like to post more detail outputs. Hope it could be helpful.


            [r...@freeipa ~]# kinit admin
            Password for ad...@aragon.local:
            [r...@freeipa ~]# klist
            Ticket cache: FILE:/tmp/krb5cc_0
            Default principal: ad...@aragon.local

            Valid starting Expires Service principal
            09/23/09 22:52:57 09/24/09 22:52:58
            krbtgt/aragon.lo...@aragon.local


            Kerberos 4 ticket cache: /tmp/tkt0
            klist: You have no tickets cached
            [r...@freeipa ~]# ipa-finduser admin
            Full Name: Administrator
            Home Directory: /home/admin
            Login Shell: /bin/bash
            Login: admin

            [r...@freeipa ~]# ipa-finduser haha
            Full Name: haha haha
            Home Directory: /home/haha
            Login Shell: /bin/sh
            Login: haha



        Regards,
        Michael

        On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang
        <wxi...@gmail.com <mailto:wxi...@gmail.com>> wrote:


            Here is client's krb5.conf:

            #File modified by ipa-client-install

                [libdefaults]
                default_realm = ARAGON.LOCAL
                dns_lookup_realm = true
                dns_lookup_kdc = true
                ticket_lifetime = 24h
                forwardable = yes

                [appdefaults]
                pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
                }


            EOF


            On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau
            <jgali...@redhat.com <mailto:jgali...@redhat.com>>wrote:


                Michael Kang wrote:


                    Dear FreeIPA community,

                    I did try set the new user's initial password. But
                    it didn't work either.
                    I got a protocol error.

                    Here is the output of console :

                    [r...@freeipa ~]# kinit admin
                    Password for ad...@aragon.local:
                    [r...@freeipa ~]# ipa-passwd haha
                    Changing password for h...@aragon.local
                    New Password:
                    Confirm Password:
                    [r...@freeipa ~]# kinit haha
                    Password for h...@aragon.local:
                    Password expired. You must change it now.
                    Enter new password:
                    Enter it again:
                    kinit(v5): Requested protocol version not
                    supported while getting
                    initial credentials



                Sounds like, a Kerberos V4 request was sent to the
                KDC? What's in the
                client's krb5.conf?
                Jenny


                    On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau
                    <jgali...@redhat.com
                    <mailto:jgali...@redhat.com><mailto:
                    jgali...@redhat.com <mailto:jgali...@redhat.com>>>
                    wrote:

                    Jenny Galipeau wrote:


                    Michael Kang wrote:

                    Dear FreeIPA community,

                    I successfully installed FreeIPA this morning. Now
                    I got a
                    problem about Kerberos Authentication. New user cannot
                    modify their password in shell.

                    Hi Michael:
                    Did you set the new user's initial password?
                    kinit admin
                    ipa passwd haha
                    Thanks
                    Jenny

                    Also kinit as haha, because haha will be asked to
                    change the
                    password on first authentication.

                    Thanks
                    Jenny


                    I added a new user named /haha(group: ipauser)/
                    based on
                    the webUI. This user is not a existed system user.
                    Then I
                    added a new Delegations(allow people in group
                    ipauser can
                    modify password for group ipauser) .

                    /[mich...@freeipa Desktop]$ su - haha/
                    /Password: /

                    /Warning: Your password will expire in less than
                    one hour./
                    /Warning: password has expired./
                    /Kerberos 5 Password: /
                    /Warning: Your password will expire in less than
                    one hour./
                    /New UNIX password: /
                    /Retype new UNIX password: /
                    /su: incorrect password/
                    /[mich...@freeipa Desktop]$ su - root/
                    /Password: /
                    /[r...@freeipa ~]# su - haha/
                    /su: warning: cannot change directory to
                    /home/haha: No
                    such file
                    or directory/
                    /-sh-3.2$ /


                    Root can su - haha successfully. I think that
                    means the
                    Kerberos works, but new user cannot reset their
                    password
                    in their shell.

                    What should I do?

                    Best Regards,
                    Michael

                    -- Michael Kang(康上明学)
                    There is a giant asleep within every man. When the
                    giant
                    awakens,miracles happen.

                    Personal blog: http://ufusion.org - United Fusion

                    
------------------------------------------------------------------------

                    _______________________________________________
                    Freeipa-users mailing list
                    Freeipa-users@redhat.com
                    <mailto:Freeipa-users@redhat.com>
                    <mailto:Freeipa-users@redhat.com
                    <mailto:Freeipa-users@redhat.com>>
                    https://www.redhat.com/mailman/listinfo/freeipa-users





                    -- Jenny Galipeau <jgali...@redhat.com
                    <mailto:jgali...@redhat.com>
                    <mailto:jgali...@redhat.com
                    <mailto:jgali...@redhat.com>
                    Principal Software QA Engineer
                    Red Hat, Inc. Security Engineering




                    --
                    Michael Kang(康上明学)
                    There is a giant asleep within every man. When the
                    giant awakens,miracles
                    happen.

                    Personal blog: http://ufusion.org - United Fusion


                --
                Jenny Galipeau <jgali...@redhat.com
                <mailto:jgali...@redhat.com>>
                Principal Software QA Engineer
                Red Hat, Inc. Security Engineering



            --
            Michael Kang(康上明学)
            There is a giant asleep within every man. When the giant
            awakens,miracles
            happen.

            Personal blog: http://ufusion.org - United Fusion





        ------------------------------------------------------------------------

        _______________________________________________
        Freeipa-users mailing list
        Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
        https://www.redhat.com/mailman/listinfo/freeipa-users



--
    David O'Brien
    IPA Content Author
    Red Hat Asia Pacific
    +61 7 3514 8189

    "The most valuable of all talents is that of never using two words
    when
    one will do."
    Thomas Jefferson




--
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles happen.

Personal blog: http://ufusion.org - United Fusion


--
Jenny Galipeau <jgali...@redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to