On 28/09/2011, at 12:27 AM, Nalin Dahyabhai wrote:

>> Additionally, it seems some users can reset their passwords, but the error 
>> still appears in the logs, and on the client software:
>> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
>> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
>> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded
> Are the users who can change their passwords using different client
> software (specifically, versions of Kerberos, which supplies the kpasswd
> command) compared to the users who can't?

The only difference I know about is that the users who CAN change their 
passwords have not got an expired password (so they can login and use kpasswd 
from the shell), whereas those who CANNOT change their password need to reset 
it before logging in (i.e., they get the 'your password has expired, reset it 
now etc etc). I updated the kerberos libraries/tools on the CentOS 6.0 box 
using the Continuous Release repository, and then edited the ldap configuration 
to get around 
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and users 
can now reset their passwords on that box during login and on the shell 
(kpasswd). I'm not sure which of these actually fixed the problem (if any).

I'll continue to keep an eye on it for now. It may be as you say, a version 
difference, although I'm unaware of any large differences in versions between 
the machines, is kerberos very sensitive to version changes?

> If you can get a packet capture of a client request, we can examine the
> first few bytes to check what's triggering the failure.

tcpdump says its a V5 packet. I have captured the entire login/reset failure 
and can email it to you directly if you wish.



ZettaServe Disclaimer: This email and any files transmitted with it are 
confidential and intended solely for the use of the individual or entity to 
whom they are addressed. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately if you have received this email by mistake and delete this email 
from your system. Computer viruses can be transmitted via email. The recipient 
should check this email and any attachments for the presence of viruses. 
ZettaServe Pty Ltd accepts no liability for any damage caused by any virus 
transmitted by this email.

Freeipa-users mailing list

Reply via email to