On Mon, 2012-01-09 at 12:28 -0900, Erinn Looney-Triggs wrote:
> [snip]

Looks like the expiration is not updated, I suspect the password change actually failed.

> A couple of additional notes that may be important. The system to which
> I am attempting to authenticate lives in private IP space whereas the
> IPA server is on a public IP.

Does it mean the client system is NATed wrt IPA?
I think that could make kpasswd fail. I need to check if this has been addressed in MIT libraries but IIRC it is a known limitation so far. The kpasswd binary I think specifies the IP address in mk_priv and fails verification from behind a NAT.

> Second HBAC is in effect on the host so
> the user must be a member of the desktop group in order to
> authenticate.

HBAC is not involved in any way with password changes, so I am confident you can exclude any correlation.

> These may not have any bearing, or they may who knows.

Yes the NAT part may be your issue.

Simo.

--
Simo Sorce * Red Hat, Inc * New York