This is my krb5kdc.log ...

Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: test@LIX.POLYTECHNIQUE.FR for krbtgt/example....@example.com, Password has expired
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: t...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18 tkt=18 ses=18}, t...@example.com for kadmin/chang...@example.com
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example....@example.com for ldap/ipa.example....@example.com
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ... CONSTRAINED-DELEGATION s4u-client=ad...@example.com
Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example....@example.com for ldap/ipa.example....@example.com


Thanks

2012/9/21 James James <jre...@gmail.com>

> Now, I can read the userPassword field (after the migration process) but I
> still can't change my password from the UI. I just got:
>
> kerberos ticket is no longer valid.
>
>
>
> 2012/9/20 James James <jre...@gmail.com>
>
>> It will be fine to have this info in the doc.
>>
>>
>> 2012/9/20 Rob Crittenden <rcrit...@redhat.com>
>>
>>> Dmitri Pal wrote:
>>>
>>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>>
>>>>> James James wrote:
>>>>>
>>>>>> You're right. The request returns:
>>>>>>
>>>>>> Enter LDAP Password:
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>>>> # filter: uid=test
>>>>>> # requesting: userPassword
>>>>>> #
>>>>>>
>>>>>> # test, users, accounts, example.com
>>>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 0 Success
>>>>>>
>>>>>> Can you explain to me what happens?
>>>>>>
>>>>>> Is there a solution?
>>>>>>
>>>>>
>>>>> When migrating you need to bind as a user that has read permission on
>>>>> the userPassword attribute in the remote LDAP server.
>>>>>
>>>>
>>>> Rob should we check if we can read the userPassword attribute and if not
>>>> fail migration?
>>>> Should we open a ticket for this?
>>>> Also I do not think we document the expectation that you vocalized
>>>> above.
>>>>
>>>
>>> I'll open a ticket to spell this out in the docs.
>>>
>>> Checking it in the command would be nice but I don't know about fatal.
>>> Still, I'll open a ticket for that as well.
>>>
>>> rob
>>>
>>
>>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
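
The pre-migration check discussed in the thread (can the bind identity read userPassword?), as an added example that is not part of the thread and not FreeIPA's own code. It parses ldapsearch LDIF output and lists entries that came back without userPassword; the function names and the sample LDIF are constructed for illustration.

```python
# Added example: flag entries whose userPassword was not returned to the
# bind identity, using LDIF text as printed by ldapsearch.

# Constructed sample: the first entry mirrors the result quoted in the thread
# (dn only); the second has a folded dn and a placeholder base64 value.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

# other, users, accounts, example.com
dn: uid=other,cn=users,cn=accounts,
 dc=example,dc=com
userPassword:: Y29uc3RydWN0ZWQ=

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from LDIF text."""
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:            # trailing blank flushes the last entry
        if line.startswith("#"):
            continue                      # comment
        if not line.strip():              # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(":").strip() # "attr:: b64" keeps the encoded text
        if name.lower() == "dn":
            dn = value
        elif dn is not None:              # skips "search:" / "result:" trailer
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def entries_missing_password(ldif_text):
    """DNs for which the server returned no userPassword value."""
    return [dn for dn, attrs in parse_ldif(ldif_text)
            if not attrs.get("userpassword")]
```

An empty result only shows the attribute was readable for the entries searched; a missing value can also mean the entry has no password set.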
