I've noticed an issue here. It's most likely something I've managed to do
the wrong way, or something really obvious I'm missing, but at the moment
I can't see what it is (otherwise I'd fix it instead of asking for help
here :))

I have a setup with some RHEL 6.3 boxes, using the IPA bundled with that
OS (ipa-client-2.2.0-16, and same version of the ipa-server as well).

When I create new users, I assign them a password, and they're required to
change their password at the first login. My problem is that I can only
get this password change to work when I ssh to the KDC/IPA server - it
fails if I ssh to one of the clients instead. After I have changed the
password on the KDC, I can ssh to the clients.

Here's an example of what it looks like when I ssh from a laptop that's
not part of the kerberos realm, to one of the clients:

[eio@lappy ~]$ ssh eolsen@libresse.domainname
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Failed decrypting request
Password:
Password expired. Change your password now.
Current Password:
Password:
Permission denied
(publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
[eio@lappy ~]$

In the /var/log/messages on the server "libresse", I see:

Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed

Here's what it looks like when I ssh to the KDC instead:

[eio@lappy ~]$ ssh eolsen@kdc.domainname
eolsen@kdc.domainname's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user eolsen.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to kdc.domainname closed.
[eio@lappy ~]$

...and I can now ssh to all the servers just fine:

[eio@lappy ~]$ ssh eolsen@libresse.domainname
Password:
Last login: Fri Sep 28 11:12:28 2012 from ....
Welcome to libresse.domainname (RedHat 6.3 x86_64).

[eolsen@libresse ~]$

Some additional information:
lappy and libresse are using RFC1918 addresses, and don't have proper
reverse DNS. kdc is using official IP address with proper reverse DNS.

Is anyone able to see what I've done wrong here, or does anyone have
suggestions on where I should be digging deeper?

Regards
Eivind Olsen
eiv...@aminor.no
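As an added example that is not part of the original post: a small parser that groups the sssd krb5_child lines from /var/log/messages by child PID (each krb5_child process handles one authentication attempt) and labels the attempts that ended in the "Decrypt integrity check failed" error, which is how a defender can tell the failed password-change attempts apart from plain "password expired" prompts. The sample lines are constructed from the excerpt above, with the wrapped messages rejoined.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the post's /var/log/messages excerpt
# (the email wrapped two of the messages; they are rejoined here).
SAMPLE_LOG = """\
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:15 libresse [sssd[krb5_child[14820]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:48 libresse [sssd[krb5_child[14830]]]: Password has expired
Sep 28 10:39:58 libresse [sssd[krb5_child[14837]]]: Decrypt integrity check failed
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Password has expired
Sep 28 10:40:01 libresse [sssd[krb5_child[14845]]]: Decrypt integrity check failed
"""

# syslog timestamp, host, then the sssd[krb5_child[PID]] tag and the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]: (?P<msg>.*)$"
)

DECRYPT_FAIL = "Decrypt integrity check failed"
EXPIRED = "Password has expired"


def parse_krb5_child(text):
    """Group krb5_child messages by child PID, keeping first-seen order."""
    attempts = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sssd krb5_child line; ignore
        rec = attempts.setdefault(
            m["pid"], {"ts": m["ts"], "host": m["host"], "msgs": []})
        rec["msgs"].append(m["msg"])
    return attempts


def classify(attempts):
    """Label each attempt: change-failed (decrypt error), expired, or other."""
    labels = {}
    for pid, rec in attempts.items():
        msgs = set(rec["msgs"])
        if DECRYPT_FAIL in msgs:
            labels[pid] = "change-failed"
        elif EXPIRED in msgs:
            labels[pid] = "expired"
        else:
            labels[pid] = "other"
    return labels


if __name__ == "__main__":
    for pid, label in classify(parse_krb5_child(SAMPLE_LOG)).items():
        print(pid, label)
```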


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users