Michael Kang wrote:


---------- Forwarded message ----------
From: *Michael Kang* <wxi...@gmail.com>
Date: Fri, Sep 25, 2009 at 4:09 PM
Subject: Re: [Freeipa-users] Problem with Kerberos Authentication
To: Jenny Galipeau <jgali...@redhat.com>


Dear Jenny Galipeau,

Thank you and everyone who helped me with this project. Thanks for being patient and answering my questions :)

My problem was solved by using Fedora 11 (upgraded completely). FreeIPA may have bugs with Fedora 9.

If I install Fedora 11 (not upgrade), then install ipa-server, Apache crashed many times per second. Here are the log outputs:

    Apache child pid xxxx exit signal Segmentation fault(11)

Yes, this was a bug in the original NSS package that shipped with F-11.


After upgrading the whole system, this problem disappeared. Also, new users can pass Kerberos authentication and log in to the system successfully.

If you want the details about the bugs on Fedora 9, I could send them to you. Please let me know what you want.

Fedora 9 isn't supported by Fedora anymore so we don't test on it either.

rob


Thank you again.
Michael


On Thu, Sep 24, 2009 at 8:41 PM, Jenny Galipeau <jgali...@redhat.com> wrote:

    Hi Michael:

    Let's rule in or out the delegation you added. Can you remove the
    delegation and try it? If it works, I think we may have a bug. If it
    behaves the same, if you could provide more debug info that would be
    great.

    Thanks
    Jenny

    Michael Kang wrote:

        Hi David,

        I rebooted the system after I edited the configuration file.

        Regards,
        Michael

        On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien <dav...@redhat.com> wrote:

           Michael,
           did you restart the kdc after you updated the krb5.conf file?

           David

           Michael Kang wrote:

               According to the FreeIPA Client Configure Guide, I realized I
               may be missing something in my client's krb5.conf. It had been
               created by the ipa-client-install script; I never edited it. But
               there are *no* *[realms]* and *[domain_realm]* sections in the
               krb5.conf file.

               So I added them, shown below:


                   #File modified by ipa-client-install

                   [libdefaults]
                   default_realm = ARAGON.LOCAL
                   dns_lookup_realm = true
                   dns_lookup_kdc = true
                   ticket_lifetime = 24h
                   forwardable = yes

                   [realms]
                   ARAGON.LOCAL = {
                   kdc = ipa.aragon.local:88
                   admin_server = ipa.aragon.local:749
                   default_domain = aragon.local
                   }

                   [domain_realm]
                   .aragon.local = ARAGON.LOCAL
                   aragon.local = ARAGON.LOCAL

                   [appdefaults]
                   pam = {
                   debug = false
                   ticket_lifetime = 36000
                   renew_lifetime = 36000
                   forwardable = true
                   krb4_convert = false
                   }



               It doesn't work with the new krb5.conf either.
               *kinit(v5): Password change failed while getting initial
               credentials*

               I'd like to post more detailed outputs. Hope it could be
               helpful.


                   [r...@freeipa ~]# kinit admin
                   Password for ad...@aragon.local:
                   [r...@freeipa ~]# klist
                   Ticket cache: FILE:/tmp/krb5cc_0
                   Default principal: ad...@aragon.local

                    Valid starting     Expires            Service principal
                    09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/aragon.lo...@aragon.local


                   Kerberos 4 ticket cache: /tmp/tkt0
                   klist: You have no tickets cached
                   [r...@freeipa ~]# ipa-finduser admin
                   Full Name: Administrator
                   Home Directory: /home/admin
                   Login Shell: /bin/bash
                   Login: admin

                   [r...@freeipa ~]# ipa-finduser haha
                   Full Name: haha haha
                   Home Directory: /home/haha
                   Login Shell: /bin/sh
                   Login: haha



               Regards,
               Michael

               On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxi...@gmail.com> wrote:


                   Here is client's krb5.conf:

                   #File modified by ipa-client-install

                       [libdefaults]
                       default_realm = ARAGON.LOCAL
                       dns_lookup_realm = true
                       dns_lookup_kdc = true
                       ticket_lifetime = 24h
                       forwardable = yes

                       [appdefaults]
                       pam = {
                       debug = false
                       ticket_lifetime = 36000
                       renew_lifetime = 36000
                       forwardable = true
                       krb4_convert = false
                       }


                   EOF


                    On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgali...@redhat.com> wrote:



                       Michael Kang wrote:


                           Dear FreeIPA community,

                            I did try setting the new user's initial password,
                            but it didn't work either. I got a protocol error.

                            Here is the console output:

                           [r...@freeipa ~]# kinit admin
                           Password for ad...@aragon.local:
                           [r...@freeipa ~]# ipa-passwd haha
                           Changing password for h...@aragon.local
                           New Password:
                           Confirm Password:
                           [r...@freeipa ~]# kinit haha
                           Password for h...@aragon.local:
                           Password expired. You must change it now.
                           Enter new password:
                           Enter it again:
                            kinit(v5): Requested protocol version not supported while getting initial credentials



                        Sounds like a Kerberos V4 request was sent to the
                        KDC? What's in the client's krb5.conf?
                       Jenny


                            On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgali...@redhat.com> wrote:

                           Jenny Galipeau wrote:


                           Michael Kang wrote:

                           Dear FreeIPA community,

                            I successfully installed FreeIPA this morning. Now
                            I have a problem with Kerberos authentication. New
                            users cannot modify their password in the shell.

                           Hi Michael:
                           Did you set the new user's initial password?
                           kinit admin
                           ipa passwd haha
                           Thanks
                           Jenny

                            Also kinit as haha, because haha will be asked to
                            change the password on first authentication.

                           Thanks
                           Jenny


                            I added a new user named haha (group: ipauser)
                            via the web UI. This user is not an existing
                            system user. Then I added a new delegation
                            (allowing people in group ipauser to modify the
                            password for group ipauser).

                            [mich...@freeipa Desktop]$ su - haha
                            Password:

                            Warning: Your password will expire in less than one hour.
                            Warning: password has expired.
                            Kerberos 5 Password:
                            Warning: Your password will expire in less than one hour.
                            New UNIX password:
                            Retype new UNIX password:
                            su: incorrect password
                            [mich...@freeipa Desktop]$ su - root
                            Password:
                            [r...@freeipa ~]# su - haha
                            su: warning: cannot change directory to /home/haha: No such file or directory
                            -sh-3.2$


                            Root can su - haha successfully. I think that
                            means Kerberos works, but new users cannot reset
                            their password in their shell.

                           What should I do?

                           Best Regards,
                           Michael

                            --
                            Michael Kang(康上明学)
                            There is a giant asleep within every man. When the
                            giant awakens, miracles happen.

                            Personal blog: http://ufusion.org - United Fusion

                            _______________________________________________
                            Freeipa-users mailing list
                            Freeipa-users@redhat.com
                            https://www.redhat.com/mailman/listinfo/freeipa-users





                            --
                            Jenny Galipeau <jgali...@redhat.com>
                            Principal Software QA Engineer
                            Red Hat, Inc. Security Engineering

















           --
           David O'Brien
           IPA Content Author
           Red Hat Asia Pacific
           +61 7 3514 8189

           "The most valuable of all talents is that of never using two words
           when one will do."
           Thomas Jefferson
















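The thread turns on a client krb5.conf that ipa-client-install wrote without [realms] and [domain_realm] sections, relying on dns_lookup_kdc / dns_lookup_realm instead. The following Python script is an added example (not from the thread and not FreeIPA's own code) that parses krb5.conf syntax and reports whether the default realm can be reached without DNS. The two sample configs are constructed from the file posted in the thread; the severity rules in check_realm_config (a missing [realms] entry is only a warning when dns_lookup_kdc is on, a missing admin_server/kpasswd_server or [domain_realm] mapping is a warning because DNS SRV records can still supply them) are this example's own assumptions, not FreeIPA's.

```python
"""Sanity-check a client krb5.conf for the sections discussed in the thread.

Added example, not from the thread or from FreeIPA. The parser follows
krb5.conf syntax (sections in [brackets], key = value, nested key = { ... }
blocks); the check rules are this example's own assumptions.
"""
import re

# Constructed sample: the config ipa-client-install wrote in the thread,
# which has [libdefaults] and [appdefaults] but no [realms]/[domain_realm].
SAMPLE_WITHOUT_REALMS = """\
#File modified by ipa-client-install
[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
"""

# Constructed sample: the same file after the [realms] and [domain_realm]
# sections from the thread were added.
SAMPLE_WITH_REALMS = SAMPLE_WITHOUT_REALMS + """
[realms]
ARAGON.LOCAL = {
kdc = ipa.aragon.local:88
admin_server = ipa.aragon.local:749
default_domain = aragon.local
}

[domain_realm]
.aragon.local = ARAGON.LOCAL
aragon.local = ARAGON.LOCAL
"""

_SECTION = re.compile(r"\[([^\]]+)\]")
_TRUE = ("true", "yes", "1")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value-or-nested-dict}}."""
    sections = {}
    stack = []  # stack[0] is the current section, stack[-1] the innermost block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # whole-line comments only
            continue
        m = _SECTION.fullmatch(line)
        if m:
            stack = [sections.setdefault(m.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError("key/value before any [section]: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":  # start of a nested block, e.g. REALM = { ... }
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return sections


def check_realm_config(conf):
    """Return [(level, message)] for the default realm; an empty list means OK."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return [("ERROR", "[libdefaults] has no default_realm")]
    dns_kdc = libdefaults.get("dns_lookup_kdc", "false").lower() in _TRUE
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict) or "kdc" not in entry:
        # Assumed rule: without [realms] the client can only locate the KDC
        # through DNS SRV records, so this is fatal unless dns_lookup_kdc is on.
        note = "; KDC discovery relies on DNS SRV records" if dns_kdc else ""
        findings.append(("WARN" if dns_kdc else "ERROR",
                         "no [realms] entry with a kdc for %s%s" % (realm, note)))
    elif "admin_server" not in entry and "kpasswd_server" not in entry:
        findings.append(("WARN", "[realms] %s has no admin_server or "
                         "kpasswd_server; password changes rely on DNS" % realm))
    if realm not in conf.get("domain_realm", {}).values():
        findings.append(("WARN", "[domain_realm] has no mapping to %s; "
                         "host-to-realm mapping relies on dns_lookup_realm" % realm))
    return findings


def findings_for(text):
    """Parse and check in one step."""
    return check_realm_config(parse_krb5_conf(text))


if __name__ == "__main__":
    for name, text in (("without [realms]", SAMPLE_WITHOUT_REALMS),
                       ("with [realms]", SAMPLE_WITH_REALMS)):
        print(name, findings_for(text) or "OK")
```

Run against the thread's original file the checker only warns, because dns_lookup_kdc = true lets the client fall back to SRV lookups; flip that setting to false and the missing [realms] entry becomes an error, which is the situation the added sections fix outright.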

