On 04/01/2015 02:28 PM, Luiz Fernando Vianna da Silva wrote:

Hello Dmitri.

Server is running: ipa-server-3.0.0-37.el6.x86_64

My kerberos configuration looks like this on a client:

# cat /etc/krb5.conf
[libdefaults]
    default_realm = DOMAIN.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
    default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
    DOMAIN.COM = {
        kdc = ldap.domain.com:88
        admin_server = ldap.domain.com:749
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    ldap.domain.com = DOMAIN.COM

[logging]
    kdc = FILE:/var/krb5/log/krb5kdc.log
    admin_server = FILE:/var/krb5/log/kadmin.log
    kadmin_local = FILE:/var/krb5/log/kadmin_local.log
    default = FILE:/var/krb5/log/krb5lib.log
#

What does the KDC log show?: Where do I get this log from?


/var/log/krb5kdc.log

Atenciosamente/Best Regards

*__________________________________________*

*Luiz Fernando Vianna da Silva*

ITM-I - Operação Cielo

+55 (11) 3626-7126

luiz.via...@tivit.com.br <mailto:luiz.via...@tivit.com.br>

*T I V I T*
Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar

São Paulo - SP - CEP 05804-900

www.tivit.com.br <http://www.tivit.com.br/>

This message, including its attachments, is confidential and its content is restricted to the addressee. If you have received it by mistake, please return it to the addressee and delete it from your files. Any unauthorized use, replication or dissemination of this message or any part of it is expressly prohibited. TIVIT is not responsible for the content or the accuracy of this information.

*From:* freeipa-users-boun...@redhat.com <mailto:freeipa-users-boun...@redhat.com> [mailto:freeipa-users-boun...@redhat.com] *On behalf of* Dmitri Pal
*Sent:* Wednesday, April 1, 2015 13:27
*To:* freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
*Subject:* [Marketing Mail] Re: [Freeipa-users] Expired password change on AIX Client

On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:

    Hello All.

    I’ve searched the archives of this mailing list looking for an
    answer for this one, but all I found led me nowhere.

    Closest thread to help me was:
    https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

    Has anyone figured out a way to have expired password changes work
    on AIX clients?

    I have tried adding “kpasswd_protocol = SET_CHANGE” as well as
    “kpasswd_protocol = RPCSEC_GSS” to the [realms] section but none
    of them worked.

    Here is the output from an ssh test session for user “teste” on an
    AIX 7.1 machine:

    -bash-4.2$ ssh teste@localhost
    ################################################################################
    #  NICE MOTD
    ################################################################################
    teste@localhost's password:
    [KRB5]: 3004-332 Your password has expired.
    3004-333 A password change is required.
    [KRB5]: 3004-332 Your password has expired.
    *******************************************************************************
    *                                                                             *
    *  Welcome to AIX Version 7.1!                                                *
    *                                                                             *
    *  Please see the README file in /usr/lpp/bos for information pertinent to    *
    *  this release of the AIX Operating System.                                  *
    *                                                                             *
    *******************************************************************************
    ################################################################################
    # NICE MOTD
    ################################################################################
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for "teste"
    teste's Old password:
    teste's New password:
    Enter the new password again:
    3004-604 Your entry does not match the old password.
    Connection to localhost closed.
    -bash-4.2$


So you are setting up an AIX client using kerberos against an IPA server and trying to log in with a user that has an expired password. Did I get it right?

What version of the server are you using?
How does your kerberos configuration look on a client?
What does the KDC log show?




--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
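An added example, not code from this thread or from the FreeIPA project: a Python script that parses a client krb5.conf like the one posted above and flags the single-DES and deprecated (RC4, 3DES) enctypes it lists under default_tkt_enctypes / default_tgs_enctypes, and reports which enctype the client lists first (the list is in preference order). The embedded config is a constructed, re-indented copy of the one in the message; DOMAIN.COM and ldap.domain.com are that message's placeholder names. It audits only the enctype lists and says nothing about the AIX password-change failure itself.

```python
"""Parse a krb5.conf and flag weak or deprecated enctypes in [libdefaults].

Added example. SAMPLE_KRB5_CONF is a constructed copy of the client
krb5.conf from the mailing-list thread (placeholder realm DOMAIN.COM).
"""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.COM
 default_keytab_name = FILE:/etc/krb5/krb5.keytab
 default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
 default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
 DOMAIN.COM = {
  kdc = ldap.domain.com:88
  admin_server = ldap.domain.com:749
  default_domain = domain.com
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 ldap.domain.com = DOMAIN.COM
"""

# Single-DES enctypes (56-bit keys), deprecated by RFC 6649.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1", "des"}
# RC4-HMAC and triple-DES, deprecated by RFC 8429 but still accepted by old KDCs.
DEPRECATED_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
                       "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd", "des3"}


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}.

    A "NAME = {" block becomes a nested dict inside the value list, so repeated
    keys (for example several kdc = lines) are all kept in order.
    """
    conf = {}
    stack = []  # innermost open dict last; empty until the first [section]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("line %d: key before any [section]" % lineno)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: unmatched }" % lineno)
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated { block at end of file")
    return conf


def audit_enctypes(conf):
    """Return [(setting, enctype, severity)] for every weak or deprecated
    enctype in the [libdefaults] enctype lists, in the order they appear."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for setting in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for value in libdefaults.get(setting, []):
            for enctype in value.lower().split():
                if enctype in WEAK_ENCTYPES:
                    findings.append((setting, enctype, "weak"))
                elif enctype in DEPRECATED_ENCTYPES:
                    findings.append((setting, enctype, "deprecated"))
    return findings


def preferred_enctype(conf, setting="default_tkt_enctypes"):
    """First enctype named in the setting (the client's preference), or None."""
    values = conf.get("libdefaults", {}).get(setting, [])
    return values[0].split()[0].lower() if values and values[0].split() else None


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("preferred ticket enctype:", preferred_enctype(parsed))
    for setting, enctype, severity in audit_enctypes(parsed):
        print("%-10s %-22s in %s" % (severity.upper(), enctype, setting))
```

Run against the posted config this reports eight findings: des-cbc-md5 and des-cbc-crc as weak and des3-cbc-sha1 and arcfour-hmac as deprecated, in each of the two settings, and shows that the client prefers des3-cbc-sha1 because it is listed first. Moving the AES enctypes to the front and dropping the DES entries is the usual cleanup once the KDC and all principals have AES keys.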

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
