Hi, I'm having problems with users accessing their accounts for the first time using SSH. I create their account in FreeIPA and set an (expired) password. Then I have them ssh into one of our computers to set up their password. The connection displays the following:

djsc...@pc35:~$ ssh gu...@pc20
gu...@pc20's password:
Warning: Your password will expire in less than one hour.
Warning: password has expired.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user guser.
Kerberos 5 Password:
Warning: Your password will expire in less than one hour.
New password:
Retype new password:
passwd: Authentication token manipulation error
Connection to pc20 closed.

And the password change fails. Here is the relevant section from the Kerberos logfile. There is no entry in the LDAP log in dirsrv.

Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: CLIENT KEY EXPIRED: gu...@example.com for krbtgt/example....@example.com, Password has expired
Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH: gu...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
Nov 08 14:48:22 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245702, etypes {rep=18 tkt=18 ses=18}, gu...@example.com for kadmin/chang...@example.com
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH: gu...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245703, etypes {rep=18 tkt=18 ses=18}, gu...@example.com for kadmin/chang...@example.com

This appears to work fine when using kinit to log in for the first time. Shouldn't it work using SSH too? This will be a problem for our remote users, since they have to connect remotely, using SSH.

Thanks,
Dan Scott