It turns out I had missed the UDP ports for Kerberos (88) and kpasswd (464)
in the firewall configuration.

I had the TCP ports open, just not the UDP ones.  I missed the fine print
that said these two ports had to be open via both TCP and UDP. I think this
constitutes a vote of support for :)

While on the topic of firewall configuration, why is the list of ports
different in bug 2110 versus the Red Hat IPA documentation
anagement_Guide/Preparing_for_an_IPA_Installation.html ?

Bug 2110 appears to skip all the dogtag ports, even though the Red Hat IPA
document says that they 'cannot be in use by another service or blocked by a


On 12-02-16 10:52 PM, "Kelvin Edmison" <> wrote:

> I had sworn that I had faithfully followed the firewall configs, but this
> was it; thanks!  Off to tcpdump to see which port I missed.
> Kelvin
> On 12-02-16 10:21 PM, "Brian Topping" <> wrote:
>> Firewall issue?  Maybe do a tcpdump on one of the machines while trying this?
>> On Feb 16, 2012, at 10:10 PM, Kelvin Edmison wrote:
>>> Hi all,
>>> I am trying to roll out ipa as our central authentication system, and am
>>> running into problems with password changes on CentOS 5.
>>> Scenario: 
>>> Admin user resets a user's password.
>>> The user, on a non-IPA-managed system, logs into a CentOS 5 server
>>> (IPA-managed) via ssh.  The temporary password is accepted and the user is
>>> immediately prompted to change the password, but the password change fails
>>> with the message 'System is offline, password change not possible'.
>>> $ ssh kelvin@testhost
>>> kelvin@testhost's password:
>>> Warning: Your password will expire in less than one hour.
>>> Password expired. Change your password now.
>>> Last login: Thu Feb 16 21:54:59 2012 from vpn
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user kelvin.
>>> Current Password:
>>> New UNIX password:
>>> Retype new UNIX password:
>>> System is offline, password change not possible
>>> Warning: Your password will expire in less than one hour.
>>> Warning: Your password will expire in less than one hour.
>>> passwd: Authentication token manipulation error
>>> Connection to testhost closed.
>>> What am I missing?  Can someone please help me get this working?
>>> Thanks,
>>>  Kelvin
>>> _______________________________________________
>>> Freeipa-users mailing list
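The firewall gap described at the top of this message, as an added example that is not part of the thread or of FreeIPA itself: a small POSIX shell check that reads an `iptables -S` style rule dump and reports any Kerberos (88) or kpasswd (464) entry that has no ACCEPT rule on TCP or on UDP. The two rule sets are constructed here (the TCP-only configuration that produced the 'System is offline' failure, and the corrected one); only the two ports named in the message are listed in REQUIRED, so extend it from the Red Hat IPA port list the message refers to.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the Kerberos ports FreeIPA
# needs are accepted on BOTH protocols. Only the two ports named in the
# message are listed; extend REQUIRED from the Red Hat IPA port list.
REQUIRED="tcp/88 udp/88 tcp/464 udp/464"

# Read `iptables -S`-style rules on stdin and print one "proto/port" line per
# required entry that has no ACCEPT rule. Returns 1 if anything is missing.
check_ipa_ports() {
    rules=$(cat)
    missing=0
    for want in $REQUIRED; do
        proto=${want%/*}
        port=${want#*/}
        # Match "-p <proto> ... --dport <port> ... -j ACCEPT" on a single rule line.
        if ! printf '%s\n' "$rules" | grep -Eq -- "-p $proto .*--dport $port( |$).*-j ACCEPT"; then
            echo "$want"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: the TCP-only configuration described in the message.
TCP_ONLY='-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 464 -j ACCEPT'

# Constructed sample: the corrected configuration with UDP rules added.
FIXED="$TCP_ONLY
-A INPUT -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 464 -j ACCEPT"

echo "TCP-only rules, missing entries:"
printf '%s\n' "$TCP_ONLY" | check_ipa_ports || true
echo "Corrected rules, missing entries:"
printf '%s\n' "$FIXED" | check_ipa_ports && echo "(none)"
```

On a real host, feed the function the live dump instead of the constructed sample (`iptables -S | check_ipa_ports`); a non-empty result explains a client that can authenticate but cannot change its password, since the kpasswd exchange uses UDP where the login did not.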
