Sigbjorn Lie <sigbjorn@...> writes:

> On 12/03/14 22:52, Rob wrote:
>
> > Hi,
> >
> > I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server. The
> > AIX server is configured to use netgroups and all that works for the existing
> > users.
> >
> > The problem is when a user's password expires or when a new user is created.
> > They cannot change their password.
> >
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for "testuser"
> > testuser's Old password:
> > testuser's New password:
> > Connection to localhost closed.
> >
> > The problem seems to be related to not getting a Kerberos ticket, as kinit can
> > be used to change the password.
> >
> > Logging is enabled but no logs ever get updated.
> >
> > [logging]
> > kdc = FILE:/var/krb5/log/krb5kdc.log
> > admin_server = FILE:/var/krb5/log/kadmin.log
> > kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> > default = FILE:/var/krb5/log/krb5lib.log
> >
> > Anybody ever come across this? Or know how to get logging working?
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I am not familiar with AIX. Just a quick tip for what we had to do on Solaris to make password changes work - as the issue sounded somewhat familiar... :)
>
> We have to set "kpasswd_protocol = SET_CHANGE" in krb5.conf when used with any "non-Solaris KDC".
>
> Perhaps you have a similar setting for AIX?

Thanks, I tried that option but it didn't seem to make any difference.

I've a tech call open with IBM and Red Hat so I'm hoping between us we can figure out what the problem is. I'll post here with any solution that I might get.