On 28/09/2011, at 12:27 AM, Nalin Dahyabhai wrote:
>
>> Additionally, it seems some users can reset their passwords, but the error
>> still appears in the logs, and on the client software:
>>
>> Sep 27 15:08:52 ipa1 kpasswd: Unsupported version
>> Sep 27 15:09:23 ipa1 kpasswd: Unsupported version
>> Sep 27 15:09:54 ipa1 kpasswd: Password change succeeded
>
> Are the users who can change their passwords using different client
> software (specifically, versions of Kerberos, which supplies the kpasswd
> command) compared to the users who can't?

The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can log in and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it before logging in (i.e., they get the 'your password has expired, reset it now', etc.).

I updated the Kerberos libraries/tools on the CentOS 6.0 box using the Continuous Release repository, and then edited the LDAP configuration to get around https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and users can now reset their passwords on that box during login and on the shell (kpasswd). I'm not sure which of these actually fixed the problem (if any). I'll continue to keep an eye on it for now.

It may be, as you say, a version difference, although I'm unaware of any large differences in versions between the machines. Is Kerberos very sensitive to version changes?

>
> If you can get a packet capture of a client request, we can examine the
> first few bytes to check what's triggering the failure.
>

tcpdump says it's a V5 packet. I have captured the entire login/reset failure and can email it to you directly if you wish.

Thanks,
Raal

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
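The "first few bytes" check discussed in the thread above, as an added example that is not part of the original messages or of FreeIPA's code: a Python sketch that decodes the fixed header of a kpasswd request payload, assuming the RFC 3244 layout (16-bit message length, 16-bit protocol version, 16-bit AP-REQ length). The function names are hypothetical and the sample bytes are constructed, not taken from the capture mentioned above.

```python
import struct

# Protocol version numbers: 0x0001 is the original change-password protocol,
# 0xff80 is the RFC 3244 set/change-password extension.
KPASSWD_VERSIONS = {0x0001: "change-password (v1)", 0xFF80: "set-password (RFC 3244)"}
AP_REQ_TAG = 0x6E  # ASN.1 [APPLICATION 14], first byte of a DER-encoded AP-REQ


def parse_kpasswd_header(payload: bytes, tcp: bool = False) -> dict:
    """Decode the fixed header at the start of a kpasswd request payload."""
    if tcp:
        # Over TCP each message is preceded by a 4-byte big-endian length.
        if len(payload) < 4:
            raise ValueError("truncated TCP length prefix")
        (framed_len,) = struct.unpack("!I", payload[:4])
        payload = payload[4:4 + framed_len]
    if len(payload) < 6:
        raise ValueError("payload shorter than the 6-byte kpasswd header")
    msg_len, version, ap_req_len = struct.unpack("!HHH", payload[:6])
    ap_req = payload[6:6 + ap_req_len]
    return {
        "msg_len": msg_len,
        "length_ok": msg_len == len(payload),  # length field counts itself
        "version": version,
        "version_name": KPASSWD_VERSIONS.get(version, "unknown"),
        "ap_req_len": ap_req_len,
        # A request carries a complete AP-REQ starting with tag 0x6e.
        "ap_req_ok": len(ap_req) == ap_req_len and ap_req[:1] == bytes([AP_REQ_TAG]),
    }


def build_sample(version: int, ap_req: bytes, krb_priv: bytes) -> bytes:
    """Constructed sample payload (placeholder bodies, not a real capture)."""
    body = struct.pack("!HH", version, len(ap_req)) + ap_req + krb_priv
    return struct.pack("!H", len(body) + 2) + body


if __name__ == "__main__":
    fake_ap_req = bytes([AP_REQ_TAG]) + b"\x00" * 9  # constructed placeholder
    fake_priv = b"\x75" + b"\x00" * 5                # constructed placeholder
    for v in (0x0001, 0xFF80, 0x0005):
        print(hex(v), parse_kpasswd_header(build_sample(v, fake_ap_req, fake_priv)))
```

Feeding it the UDP payload of a failing and a succeeding request from the same capture shows whether the two clients send different version fields or whether the header is malformed before the version is even read.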