On 01/11/2012 04:24 PM, Simo Sorce wrote:
> On Mon, 2012-01-09 at 13:42 -0900, Erinn Looney-Triggs wrote:
>> On 01/09/2012 01:31 PM, Simo Sorce wrote:
>>> On Mon, 2012-01-09 at 12:28 -0900, Erinn Looney-Triggs wrote:
>>> [snip]
>>> Looks like the expiration is not updated, I suspect the password change
>>> actually failed.
>>>> A couple of additional notes that may be important. The system to
>>>> which
>>>> I am attempting to authenticate lives in private IP space whereas the
>>>> IPA server is on a public IP.
>>> Does it mean the client system is NATed wrt IPA ?
>> That is correct.
>>> I think that could make kpasswd fail. I need to check if this has been
>>> addressed in MIT libraries but IIRC it is a known limitation so far.
>>> The kpasswd binary I think specifies the IP address in mk_priv and fails
>>> verification from behind a NAT.
>>>>  Second HBAC is in effect on the host so
>>>> the user must be a member of the desktop group in order to
>>>> authenticate.
>>> HBAC is not involved in any way with password changes, so I am confident
>>> you can exclude any correlation.
>>>> These may not have any bearing, or they may who knows. 
>>> Yes the NAT part may be your issue.
>> Yeah my kerb foo is a little rusty but the whole NAT/kerb thing causing
>> issues does ring a bell with me too. I will continue to research.
> For the MIT 1.10beta1 announcement[1]:
> * Allow password changes to work over NATs.
> So we will have that working in freeipa 2.2.0/3.0 when used with 1.10
> once it is final.
> Simo
> [1] http://web.mit.edu/kerberos/krb5-1.10/krb5-1.10.html

Ah well that is quite nice. From my reading it looks like the kpasswd
over nat bit has been on a standard track to allow this to happen for
the last 8 years or so, so I wasn't holding out a lot of hope.

Thanks for pointing this out,

Attachment: signature.asc
Description: OpenPGP digital signature

Freeipa-users mailing list

Reply via email to