On 09/28/2011 02:49 AM, Goff, Raal wrote:
> On 28/09/2011, at 12:27 AM, Nalin Dahyabhai wrote:
>
>>> Additionally, it seems some users can reset their passwords, but the error
>>> still appears in the logs, and on the client software:
>>>
>>> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
>>> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
>>> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded
>> Are the users who can change their passwords using different client
>> software (specifically, versions of Kerberos, which supplies the kpasswd
>> command) compared to the users who can't?
> The only difference I know about is that the users who CAN change their
> passwords have not got an expired password (so they can log in and use kpasswd
> from the shell), whereas those who CANNOT change their password need to reset
> it before logging in (i.e., they get the 'your password has expired, reset it
> now' etc. etc.). I updated the Kerberos libraries/tools on the CentOS 6.0 box
> using the Continuous Release repository, and then edited the LDAP
> configuration to get around
> https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and users
> can now reset their passwords on that box during login and on the shell
> (kpasswd). I'm not sure which of these actually fixed the problem (if any).
>
> I'll continue to keep an eye on it for now. It may be, as you say, a version
> difference, although I'm unaware of any large differences in versions between
> the machines. Is Kerberos very sensitive to version changes?
>

No. The biggest change was dropping support for the v4 protocol a couple of
years ago. That in some cases required regeneration of the keytabs. Other than
that it is extremely stable.

>> If you can get a packet capture of a client request, we can examine the
>> first few bytes to check what's triggering the failure.
>>
> tcpdump says it's a V5 packet. I have captured the entire login/reset failure
> and can email it to you directly if you wish.

Yes, please send them to Nalin. It is worth taking a look.

> Thanks,
>
> Raal
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
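
The "first few bytes" check discussed in the thread, as an added example that is not part of the original messages or of FreeIPA's code. It assumes the kpasswd request layout from RFC 3244 (2-byte message length, 2-byte protocol version, 2-byte AP-REQ length, with a 4-byte length prefix over TCP); the function names are hypothetical and the sample bytes are constructed placeholders, not the capture mentioned above.

```python
import struct

# Protocol version numbers carried in the kpasswd header (assumed from RFC 3244).
KNOWN_VERSIONS = {0x0001: "original change-password",
                  0xFF80: "RFC 3244 set/change-password"}

def parse_kpasswd_header(payload: bytes, tcp: bool = False) -> dict:
    """Decode the fixed 6-byte header at the start of a kpasswd request."""
    offset = 0
    if tcp:  # TCP transport prepends a 4-byte big-endian length
        if len(payload) < 4:
            raise ValueError("truncated TCP length prefix")
        offset = 4
    if len(payload) - offset < 6:
        raise ValueError("truncated kpasswd header")
    msg_len, version, ap_req_len = struct.unpack_from("!HHH", payload, offset)
    body = payload[offset + 6:]
    problems = []
    if version not in KNOWN_VERSIONS:
        problems.append(f"unknown protocol version 0x{version:04x}")
    if msg_len != len(payload) - offset:
        problems.append("message length field does not match captured size")
    if ap_req_len > len(body):
        problems.append("AP-REQ length runs past end of message")
    elif ap_req_len and body[0] != 0x6E:  # AP-REQ is ASN.1 [APPLICATION 14]
        problems.append("AP-REQ does not start with tag 0x6e")
    return {"message_length": msg_len, "version": version,
            "version_name": KNOWN_VERSIONS.get(version, "unknown"),
            "ap_req_length": ap_req_len, "problems": problems}

def build_sample(version: int, tcp: bool = False) -> bytes:
    """Constructed request with placeholder bytes, not a real capture."""
    ap_req = b"\x6e\x03abc"   # stand-in for the AP-REQ
    krb_priv = b"\x75\x02xy"  # stand-in for the KRB-PRIV
    msg = struct.pack("!HHH", 6 + len(ap_req) + len(krb_priv),
                      version, len(ap_req)) + ap_req + krb_priv
    return (struct.pack("!I", len(msg)) + msg) if tcp else msg

if __name__ == "__main__":
    for ver in (0x0001, 0xFF80, 0x0005):  # 0x0005 is a deliberately bogus value
        print(parse_kpasswd_header(build_sample(ver)))
```

The version field decoded here belongs to the password-change protocol and is separate from the Kerberos protocol version that tcpdump reports for the packet.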