I was mistaken. The password change from the UI works well.

Thanks again for your help.

2012/9/21 James James <jre...@gmail.com>

> This is my krb5kdc.log ...
>
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: test@LIX.POLYTECHNIQUE.FR for krbtgt/example....@example.com, Password has expired
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: t...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18 tkt=18 ses=18}, t...@example.com for kadmin/chang...@example.com
> Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example....@example.com for ldap/ipa.example....@example.com
> Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ... CONSTRAINED-DELEGATION s4u-client=ad...@example.com
> Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example....@example.com for ldap/ipa.example....@example.com
>
>
> Thanks
>
>
> 2012/9/21 James James <jre...@gmail.com>
>
>> Now, I can read the userPassword field (after the migration process) but
>> I still can't change my password from the UI. I just got:
>>
>> kerberos ticket is no longer valid.
>>
>>
>>
>> 2012/9/20 James James <jre...@gmail.com>
>>
>>> It will be fine to have this info in the doc.
>>>
>>>
>>> 2012/9/20 Rob Crittenden <rcrit...@redhat.com>
>>>
>>>> Dmitri Pal wrote:
>>>>
>>>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>>>
>>>>>> James James wrote:
>>>>>>
>>>>>>> You're right. The request returns:
>>>>>>>
>>>>>>> Enter LDAP Password:
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>>>>> # filter: uid=test
>>>>>>> # requesting: userPassword
>>>>>>> #
>>>>>>>
>>>>>>> # test, users, accounts, example.com
>>>>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 2
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> Can you explain to me what happens?
>>>>>>>
>>>>>>> Is there a solution?
>>>>>>>
>>>>>>
>>>>>> When migrating you need to bind as a user that has read permission on
>>>>>> the userPassword attribute in the remote LDAP server.
>>>>>>
>>>>>
>>>>> Rob, should we check if we can read the userPassword attribute and if
>>>>> not fail migration?
>>>>> Should we open a ticket for this?
>>>>> Also, I do not think we document the expectation that you vocalized
>>>>> above.
>>>>>
>>>>
>>>> I'll open a ticket to spell this out in the docs.
>>>>
>>>> Checking it in the command would be nice but I don't know about fatal.
>>>> Still, I'll open a ticket for that as well.
>>>>
>>>> rob
>>>>
>>>
>>>
>>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
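
An added example (not from the thread or the FreeIPA project): a pre-migration check over `ldapsearch` output like the one quoted above, listing the entries for which the bind identity received no userPassword value. The function names and the sample LDIF are constructed for illustration.

```python
import sys

# Constructed sample: the bind identity can read alice's userPassword
# (placeholder value) but gets none back for test, as in the thread.
SAMPLE = """\
dn: uid=alice,cn=users,cn=accounts,
 dc=example,dc=com
userPassword:: e1NTSEF9Q09OU1RSVUNURUQ=

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

search: 2
result: 0 Success
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def entries_missing_password(text):
    """Return DNs of entries for which the server returned no userPassword value."""
    missing, dn, has_pw = [], None, False
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):              # ldapsearch comment lines
            continue
        if not line.strip():                  # a blank line ends an entry
            if dn is not None and not has_pw:
                missing.append(dn)
            dn, has_pw = None, False
            continue
        name, _, rest = line.partition(":")
        name = name.split(";")[0].lower()     # drop attribute options
        if name == "dn":
            dn = rest.lstrip(":").strip()     # base64 "dn::" values stay undecoded
        elif name == "userpassword" and rest.lstrip(":").strip():
            has_pw = True                     # the hash itself is never inspected
    return missing

if __name__ == "__main__":
    bad = entries_missing_password(sys.stdin.read())
    print("\n".join(bad))
    sys.exit(1 if bad else 0)
```

Pipe the output of a userPassword search run with the intended migration bind DN into the script; a non-zero exit status means at least one entry would be migrated without a password hash.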