On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:

Hello All.

I've searched the archives of this mailing list looking for an answer for this one, but all I found led me nowhere.

Closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

Has anyone figured out a way to have expired password changes work on AIX clients?

I have tried adding "kpasswd_protocol = SET_CHANGE" as well as "kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none of them worked.

Here is the output from an ssh test session for user "teste" on an AIX 7.1 machine:

-bash-4.2$ ssh teste@localhost
################################################################################
#  NICE MOTD
################################################################################
teste@localhost's password:
[KRB5]: 3004-332 Your password has expired.
3004-333 A password change is required.
[KRB5]: 3004-332 Your password has expired.
*******************************************************************************
*                                                               *
* *
*  Welcome to AIX Version 7.1! *
*                                               *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
################################################################################
# NICE MOTD
################################################################################
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for "teste"
teste's Old password:
teste's New password:
Enter the new password again:
3004-604 Your entry does not match the old password.
Connection to localhost closed.
-bash-4.2$


So you are setting up an AIX client using Kerberos against an IPA server and trying to log in with a user that has an expired password. Did I get it right?

What version of the server are you using?
How does your Kerberos configuration look on the client?
What does the KDC log show?

Best Regards,

Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
TIVIT
Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
