On Mon, 2012-01-09 at 13:42 -0900, Erinn Looney-Triggs wrote:
> On 01/09/2012 01:31 PM, Simo Sorce wrote:
> > On Mon, 2012-01-09 at 12:28 -0900, Erinn Looney-Triggs wrote:
> >>
> > [snip]
> >
> > Looks like the expiration is not updated, I suspect the password change
> > actually failed.
> >
> >> A couple of additional notes that may be important. The system to
> >> which I am attempting to authenticate lives in private IP space
> >> whereas the IPA server is on a public IP.
> >
> > Does it mean the client system is NATed wrt IPA ?
>
> That is correct.
>
> > I think that could make kpasswd fail. I need to check if this has been
> > addressed in MIT libraries but IIRC it is a known limitation so far.
> > The kpasswd binary I think specifies the IP address in mk_priv and fails
> > verification from behind a NAT.
> >
> >> Second HBAC is in effect on the host so the user must be a member of
> >> the desktop group in order to authenticate.
> >
> > HBAC is not involved in any way with password changes, so I am confident
> > you can exclude any correlation.
> >
> >> These may not have any bearing, or they may who knows.
> >
> > Yes the NAT part may be your issue.
>
> Yeah my kerb foo is a little rusty but the whole NAT/kerb thing causing
> issues does ring a bell with me too. I will continue to research.
From the MIT 1.10beta1 announcement[1]:

* Allow password changes to work over NATs.

So we will have that working in freeipa 2.2.0/3.0 when used with 1.10
once it is final.

Simo

[1] http://web.mit.edu/kerberos/krb5-1.10/krb5-1.10.html

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users