On Tue, Sep 27, 2011 at 03:24:24PM +0800, Goff, Raal wrote: > My IPA 2.0 master-slave setup has been working fine up until this week when > users started getting problems updating their password due to expiry. Users > get the following error when using kpasswd to update their passwords: > > kinit: krb5_get_init_creds: Unable to reach any changepw server in realm > EXAMPLE.COM > > The only error I seem to find in the logs is unhelpful: > > Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version > Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version
Those correlate - the ipa_kpasswd daemon logs these messages when it sees a password-change request with an internal version number that doesn't match the version of the protocol that it handles. The client gets no reply, and because it's connectionless, it assumes that it was not able to contact a server. > Additionally, it seems some users can reset their passwords, but the error > still appears in the logs, and on the client software: > > Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version > Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version > Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded Are the users who can change their passwords using different client software (specifically, versions of Kerberos, which supplies the kpasswd command) compared to the users who can't? If you can get a packet capture of a client request, we can examine the first few bytes to check what's triggering the failure. HTH, Nalin _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
