I've noticed an issue here. It's most likely something I've managed to do the wrong way, or something really obvious I'm missing, but at the moment I can't see what it is (otherwise I'd fix it instead of asking for help here :))
I have a setup with some RHEL 6.3 boxes, using the IPA bundled with that OS (ipa-client-2.2.0-16, and the same version of the ipa-server as well). When I create new users, I assign them a password, and they're required to change their password at the first login. My problem is that I can only get this password change to work when I ssh to the KDC/IPA server - it fails if I ssh to one of the clients instead. After I have changed the password on the KDC, I can ssh to the clients.

Here's an example of what it looks like when I ssh from a laptop that's not part of the Kerberos realm to one of the clients:

[eio@lappy ~]$ ssh eolsen@libresse.domainname
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Failed decrypting request
Password:
Password expired. Change your password now.
Current Password:
Password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
[eio@lappy ~]$

In /var/log/messages on the server "libresse", I see:

Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed

Here's what it looks like when I ssh to the KDC instead:

[eio@lappy ~]$ ssh eolsen@kdc.domainname
eolsen@kdc.domainname's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user eolsen.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to kdc.domainname closed.
[eio@lappy ~]$

...and I can now ssh to all the servers just fine:

[eio@lappy ~]$ ssh eolsen@libresse.domainname
Password:
Last login: Fri Sep 28 11:12:28 2012 from ....
Welcome to libresse.domainname (RedHat 6.3 x86_64).
[eolsen@libresse ~]$

Some additional information: lappy and libresse are using RFC1918 addresses and don't have proper reverse DNS. kdc is using an official IP address with proper reverse DNS.

Is anyone able to see what I've done wrong here, or have suggestions on where I should be digging deeper?

Regards
Eivind Olsen
eiv...@aminor.no

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
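Added example (not part of Eivind's post or of FreeIPA/SSSD): when triaging a client like "libresse", it helps to group the sssd krb5_child messages in /var/log/messages by the krb5_child PID, so each login attempt's sequence of errors can be read as one unit and compared against what the ssh session showed. The parser below does that for the syslog lines quoted in the post (copied here as the sample input); the regular expression, the function names and the labels "expired" and "integrity_failed" are this example's own choices, not SSSD terminology.

```python
import re
from collections import OrderedDict

# Sample input: the /var/log/messages lines quoted in the post above.
SAMPLE_LOG = """\
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed
Sep 28 10:40:02 libresse sshd[14850]: unrelated line, ignored by the parser
"""

# Matches the syslog format seen above: "<Mon DD HH:MM:SS> <host> [sssd[krb5_child[<pid>]]]: <msg>"
# (regex written for this example; assumes the default rsyslog timestamp layout on RHEL 6).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]: (?P<msg>.*)$"
)

# Message text that marks the attempt as having failed beyond the plain expiry notice.
INTEGRITY_FAILURE = "Decrypt integrity check failed"
EXPIRED = "Password has expired"


def parse_krb5_child_lines(text):
    """Group sssd krb5_child syslog lines by PID.

    Returns an OrderedDict pid -> {"ts": first timestamp, "host": host,
    "msgs": [distinct messages in the order they first appeared]}.
    Lines that are not krb5_child lines are skipped.
    """
    attempts = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = attempts.setdefault(
            m.group("pid"), {"ts": m.group("ts"), "host": m.group("host"), "msgs": []}
        )
        msg = m.group("msg")
        if msg not in entry["msgs"]:  # krb5_child logs the expiry notice twice; keep one
            entry["msgs"].append(msg)
    return attempts


def classify_attempts(attempts):
    """Label each krb5_child run.

    "integrity_failed": the run logged a decrypt integrity check failure
                        (with or without a preceding expiry notice);
    "expired":          only the password-expired notice was logged;
    "other":            anything else.
    """
    labels = {}
    for pid, entry in attempts.items():
        if any(INTEGRITY_FAILURE in msg for msg in entry["msgs"]):
            labels[pid] = "integrity_failed"
        elif EXPIRED in entry["msgs"]:
            labels[pid] = "expired"
        else:
            labels[pid] = "other"
    return labels


def summarize(text):
    """One (timestamp, pid, label, messages) tuple per krb5_child run, in log order."""
    attempts = parse_krb5_child_lines(text)
    labels = classify_attempts(attempts)
    return [(e["ts"], pid, labels[pid], tuple(e["msgs"])) for pid, e in attempts.items()]


if __name__ == "__main__":
    for ts, pid, label, msgs in summarize(SAMPLE_LOG):
        print(f"{ts}  krb5_child[{pid}]  {label:17s} {' | '.join(msgs)}")
```

Run against the real file (`summarize(open("/var/log/messages").read())`) the output reads as one line per krb5_child run, which makes it straightforward to line the "integrity_failed" runs up against the "Password change failed. Server message: Failed decrypting request" prompts in the ssh transcript by timestamp.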