On Wed, Sep 28, 2011 at 01:59:36PM -0400, Nalin Dahyabhai wrote:
> On Wed, Sep 28, 2011 at 02:49:02PM +0800, Goff, Raal wrote:
> > The only difference I know about is that the users who CAN change their
> > passwords have not got an expired password (so they can login and use
> > kpasswd from the shell), whereas those who CANNOT change their password
> > need to reset it before logging in (i.e., they get the 'your password has
> > expired, reset it now etc etc). I updated the kerberos libraries/tools on
> > the CentOS 6.0 box using the Continuous Release repository, and then edited
> > the ldap configuration to get around
> > https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and
> > users can now reset their passwords on that box during login and on the
> > shell (kpasswd). I'm not sure which of these actually fixed the problem (if
> > any).
>
> Ah, somehow I'd missed that you were running 6.0. If your client
> systems are using pam_krb5 instead of SSSD, then you're likely hitting
> https://bugzilla.redhat.com/show_bug.cgi?id=690583, which was fixed in
> 6.1.
>
He said he was updating the passwords with kpasswd, which should bypass the pam stack and talk to the kpasswd daemon directly, right?
