On 09/28/2011 02:49 AM, Goff, Raal wrote:
> On 28/09/2011, at 12:27 AM, Nalin Dahyabhai wrote:
>>> Additionally, it seems some users can reset their passwords, but the error
>>> still appears in the logs, and on the client software:
>>> Sep 27 15:08:52 ipa1 kpasswd: Unsupported version
>>> Sep 27 15:09:23 ipa1 kpasswd: Unsupported version
>>> Sep 27 15:09:54 ipa1 kpasswd: Password change succeeded
>> Are the users who can change their passwords using different client
>> software (specifically, versions of Kerberos, which supplies the kpasswd
>> command) compared to the users who can't?
> The only difference I know about is that the users who CAN change their
> passwords have not got an expired password (so they can login and use kpasswd
> from the shell), whereas those who CANNOT change their password need to reset
> it before logging in (i.e., they get the 'your password has expired, reset it
> now' etc. etc.). I updated the Kerberos libraries/tools on the CentOS 6.0 box
> using the Continuous Release repository, and then edited the LDAP
> configuration to get around
> https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and users
> can now reset their passwords on that box during login and on the shell
> (kpasswd). I'm not sure which of these actually fixed the problem (if any).
> I'll continue to keep an eye on it for now. It may be as you say, a version
> difference, although I'm unaware of any large differences in versions between
> the machines. Is Kerberos very sensitive to version changes?
No. The biggest change was dropping support for the v4 protocol a couple of
years ago. That in some cases required regeneration of the keytabs. Other than
that it is extremely stable.
>> If you can get a packet capture of a client request, we can examine the
>> first few bytes to check what's triggering the failure.
> tcpdump says it's a V5 packet. I have captured the entire login/reset failure
> and can email it to you directly if you wish.
Yes please send them to Nalin.
It is worth taking a look.
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.
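
An added illustration of the "first few bytes" check discussed above; it is not part of the original thread and is not FreeIPA or MIT Kerberos code. It assumes the RFC 3244 request layout (16-bit message length, 16-bit protocol version, 16-bit AP-REQ length, then the AP-REQ); the function names are hypothetical and the sample bytes are constructed placeholders, not a real capture.

```python
import struct

# Version field values: 0x0001 is the original change-password protocol,
# 0xff80 is the RFC 3244 set/change-password extension.
KNOWN_VERSIONS = {0x0001: "change-password (v1)", 0xFF80: "RFC 3244 set-password"}
AP_REQ_TAG = 0x6E  # ASN.1 [APPLICATION 14], first byte of a Kerberos 5 AP-REQ


def parse_kpasswd_header(payload: bytes, tcp: bool = False) -> dict:
    """Decode the fixed header of a kpasswd request and list anything odd."""
    problems = []
    if tcp:  # Kerberos over TCP prepends a 4-byte big-endian record length
        if len(payload) < 4:
            raise ValueError("truncated TCP record marker")
        record_len = int.from_bytes(payload[:4], "big")
        payload = payload[4:]
        if record_len != len(payload):
            problems.append(f"TCP record length {record_len} != {len(payload)} bytes captured")
    if len(payload) < 6:
        raise ValueError("kpasswd header needs at least 6 bytes")
    msg_len, version, ap_req_len = struct.unpack(">HHH", payload[:6])
    if msg_len != len(payload):
        problems.append(f"message length field {msg_len} != {len(payload)} bytes captured")
    if version not in KNOWN_VERSIONS:
        problems.append(f"unknown protocol version 0x{version:04x}")
    ap_req = payload[6:6 + ap_req_len]
    if ap_req_len == 0 or len(ap_req) < ap_req_len:
        problems.append("AP-REQ missing or truncated")
    elif ap_req[0] != AP_REQ_TAG:
        problems.append(f"AP-REQ starts with 0x{ap_req[0]:02x}, expected 0x6e")
    return {
        "msg_len": msg_len,
        "version": version,
        "version_name": KNOWN_VERSIONS.get(version, "unknown"),
        "ap_req_len": ap_req_len,
        "problems": problems,
    }


def build_sample(version: int) -> bytes:
    """Constructed request: placeholder bytes stand in for AP-REQ and KRB-PRIV."""
    ap_req = bytes([AP_REQ_TAG, 0x02, 0x00, 0x00])
    krb_priv = bytes([0x75, 0x02, 0x00, 0x00])
    body = struct.pack(">HH", version, len(ap_req)) + ap_req + krb_priv
    return struct.pack(">H", len(body) + 2) + body


if __name__ == "__main__":
    for v in (0x0001, 0xFF80, 0x0005):  # 0x0005 is a deliberately unknown value
        print(parse_kpasswd_header(build_sample(v)))
```

Feed it the UDP payload (or, with `tcp=True`, the TCP payload) of the first client packet sent to the kpasswd port, exported from the capture as raw bytes.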