On 01/09/2012 01:31 PM, Simo Sorce wrote:
> On Mon, 2012-01-09 at 12:28 -0900, Erinn Looney-Triggs wrote:
>> > [snip]
>
> Looks like the expiration is not updated, I suspect the password change
> actually failed.
>
>> A couple of additional notes that may be important. The system to which
>> I am attempting to authenticate lives in private IP space whereas the
>> IPA server is on a public IP.
>
> Does it mean the client system is NATed wrt IPA?

That is correct.

> I think that could make kpasswd fail. I need to check if this has been
> addressed in MIT libraries but IIRC it is a known limitation so far.
> The kpasswd binary I think specifies the IP address in mk_priv and fails
> verification from behind a NAT.
>
>> Second HBAC is in effect on the host so
>> the user must be a member of the desktop group in order to
>> authenticate.
>
> HBAC is not involved in any way with password changes, so I am confident
> you can exclude any correlation.
>
>> These may not have any bearing, or they may who knows.
>
> Yes the NAT part may be your issue.

Yeah my kerb foo is a little rusty but the whole NAT/kerb thing causing issues does ring a bell with me too. I will continue to research.

Thanks for the info,
-Erinn
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users