Hello all,

I cannot change an expired user password while behind a NAT.
The error I get is:

kpasswd[6756]: Failed to decrypt password: Incorrect net address

I believe this is a Kerberos limitation due to the difference between the host IP address enclosed in the ticket - the host's RFC 1918 address - and the address used to communicate with the server - the router's address. This setup is very common @home.

There must be a way to disable the verification for kpasswd since it works for other services. But it may have been set for security purposes, so disabling it may introduce some flaws.

I know that ipa passwd can set the password by calling a special method through xmlrpc, but if the client has no credential, he must retrieve one - with kinit - before calling this method. And kinit will ask to change the password.

My problem is, how can I handle the case where a user has an expired password and is behind a NAT?

Thanks for all


Freeipa-users mailing list
