It turns out I had missed the UDP ports for kerberos (88) and kpasswd (464)
in the firewall configuration.

I had the TCP ports open, just not the UDP ones.  I missed the fine print
that said these two ports had to be open via both TCP and UDP. I think this
constitutes a vote of support for
https://fedorahosted.org/freeipa/ticket/2110 :)

While on the topic of firewall configuration, why is the list of ports
different in bug 2110 versus the Red Hat IPA documentation
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html ?

Bug 2110 appears to skip all the dogtag ports, even though the Red Hat IPA
document says that they 'cannot be in use by another service or blocked by a
firewall'.

Cheers,
 Kelvin

On 12-02-16 10:52 PM, "Kelvin Edmison" <kel...@kindsight.net> wrote:

> I had sworn that I had faithfully followed the firewall configs, but this
> was it; thanks!  Off to tcpdump to see which port I missed.
> 
> Kelvin
> 
> 
> On 12-02-16 10:21 PM, "Brian Topping" <topp...@codehaus.org> wrote:
> 
>> Firewall issue?  Maybe do a tcpdump on one of the machines while trying this?
>> 
>> On Feb 16, 2012, at 10:10 PM, Kelvin Edmison wrote:
>> 
>>> Hi all,
>>> 
>>> I am trying to roll out ipa as our central authentication system, and am
>>> running into problems with password changes on CentOS 5.
>>> 
>>> Scenario: 
>>> Admin user resets a user's password.
>>> The user, on a non-IPA-managed system, logs into a CentOS 5 server
>>> (IPA-managed) via ssh.  The temporary password is accepted and the user is
>>> immediately prompted to change the password, but the password change fails
>>> with the message 'System is offline, password change not possible'.
>>> 
>>> $ ssh kelvin@testhost
>>> kelvin@testhost's password:
>>> Warning: Your password will expire in less than one hour.
>>> Password expired. Change your password now.
>>> Last login: Thu Feb 16 21:54:59 2012 from vpn
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user kelvin.
>>> Current Password:
>>> New UNIX password:
>>> Retype new UNIX password:
>>> System is offline, password change not possible
>>> Warning: Your password will expire in less than one hour.
>>> Warning: Your password will expire in less than one hour.
>>> passwd: Authentication token manipulation error
>>> Connection to testhost closed.
>>> 
>>> What am I missing?  Can someone please help me get this working?
>>> 
>>> Thanks,
>>>  Kelvin
>>> 
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> 
> 

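A check for the exact mistake described in this thread (TCP rules present, UDP rules missing for 88 and 464), written as an added example that is not part of the thread and not FreeIPA's own code: it parses `iptables -S INPUT` output and reports every required port/protocol pair that has no ACCEPT rule. The sample rule set is constructed, and the required-port table covers only the two ports named above; extend it from the Red Hat document's list for a full audit.

```python
import re
from collections import defaultdict

# Ports the thread identifies as needing both TCP and UDP: kerberos and kpasswd.
# Extend this table from the Red Hat IPA port list for a complete check.
REQUIRED = {88: {"tcp", "udp"}, 464: {"tcp", "udp"}}

# Constructed sample of `iptables -S INPUT` output reproducing the misconfiguration:
# TCP rules for 88 and 464 exist, the matching UDP rules do not.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
"""

# Matches ACCEPT rules using --dport or multiport --dports (lists and lo:hi ranges).
RULE_RE = re.compile(
    r"^-A INPUT .*?-p (?P<proto>tcp|udp)\b.*?--dports? (?P<ports>[\d,:]+).*?-j ACCEPT"
)


def accepted_ports(rules_text):
    """Return {proto: set(ports)} that INPUT ACCEPT rules allow."""
    accepted = defaultdict(set)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        for item in m.group("ports").split(","):
            lo, _, hi = item.partition(":")  # multiport ranges are written lo:hi
            accepted[m.group("proto")].update(range(int(lo), int(hi or lo) + 1))
    return accepted


def missing_ports(rules_text, required=REQUIRED):
    """Return sorted (port, proto) pairs that are required but not accepted."""
    accepted = accepted_ports(rules_text)
    return sorted((port, proto) for port, protos in required.items()
                  for proto in protos if port not in accepted[proto])


if __name__ == "__main__":
    for port, proto in missing_ports(SAMPLE_RULES):
        print(f"missing firewall rule: {port}/{proto}")
```

Run it against real output with `iptables -S INPUT` piped into `missing_ports`; an empty result means every required pair is accepted.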
