Re: [Freeipa-users] AIX kerberos client to IPA

2014-03-18 Thread Rob
Sigbjorn Lie sigbjorn@... writes:

 
 
> On 12/03/14 22:52, Rob wrote:
>
> > Hi,
> >
> > I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server. The
> > AIX server is configured to use netgroups and all that works for the existing
> > users.
> >
> > The problem is when a user's password expires or when a new user is created.
> > They cannot change their password.
> >
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for testuser
> > testuser's Old password:
> > testuser's New password:
> > Connection to localhost closed.
> >
> > The problem seems to be related to not getting a Kerberos ticket as kinit can
> > be used to change the password.
> >
> > Logging is enabled but no logs ever get updated.
> >
> > [logging]
> > kdc = FILE:/var/krb5/log/krb5kdc.log
> > admin_server = FILE:/var/krb5/log/kadmin.log
> > kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> > default = FILE:/var/krb5/log/krb5lib.log
> >
> > Anybody ever come across this? Or know how to get logging working?
> >
> > ___
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I am not familiar with AIX. Just a quick tip for what we had to do on
> Solaris to make password changes work - as the issue sounded somewhat
> familiar... :)
>
> We have to set kpasswd_protocol = SET_CHANGE in krb5.conf when used with
> any non-Solaris KDC.
>
> Perhaps you have a similar setting for AIX?
 
 
 
 
   
 
 

Thanks, I tried that option but it didn't seem to make any difference. I've
a tech call open with IBM and Red Hat so I'm hoping between us we can figure
out what the problem is.
I'll post here with any solution that I might get.






Re: [Freeipa-users] AIX kerberos client to IPA

2014-03-15 Thread Sigbjorn Lie

On 12/03/14 22:52, Rob wrote:

> Hi,
>
> I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server. The
> AIX server is configured to use netgroups and all that works for the existing
> users.
>
> The problem is when a user's password expires or when a new user is created.
> They cannot change their password.
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for testuser
> testuser's Old password:
> testuser's New password:
> Connection to localhost closed.
>
> The problem seems to be related to not getting a Kerberos ticket as kinit can
> be used to change the password.
>
> Logging is enabled but no logs ever get updated.
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> default = FILE:/var/krb5/log/krb5lib.log
>
> Anybody ever come across this? Or know how to get logging working?


I am not familiar with AIX. Just a quick tip for what we had to do on Solaris to
make password changes work - as the issue sounded somewhat familiar... :)

We have to set kpasswd_protocol = SET_CHANGE in krb5.conf when used with any
non-Solaris KDC.

Perhaps you have a similar setting for AIX?
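
An added example, not part of the original thread or of any poster's configuration: a shell check for the Solaris tip above that lists each realm in a krb5.conf with its kpasswd_protocol value. It assumes the relation sits in the realm's stanza under [realms], as on Solaris; the function names, realm names and hostnames are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report kpasswd_protocol per realm.

# Print "REALM VALUE" for each stanza under [realms]; VALUE is "unset"
# when the stanza carries no kpasswd_protocol relation.
realm_kpasswd_protocol() {
    awk '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        !in_realms || /^[ \t]*#/ { next }
        depth == 0 && /=[ \t]*[{]/ {        # "REALM = {" opens a stanza
            realm = $0
            sub(/^[ \t]*/, "", realm); sub(/[ \t]*=.*$/, "", realm)
            value = "unset"; depth = 1; next
        }
        depth > 0 && /=[ \t]*[{]/ { depth++; next }   # nested sub-stanza
        depth == 1 && /^[ \t]*kpasswd_protocol[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value); sub(/[ \t]*$/, "", value)
        }
        depth > 0 && /^[ \t]*[}]/ { if (--depth == 0) print realm, value }
    ' "$1"
}

# Constructed sample; realm names and hostnames are placeholders.
sample_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = IPA.EXAMPLE.COM

[realms]
    IPA.EXAMPLE.COM = {
        kdc = ipa.example.com
        admin_server = ipa.example.com
        kpasswd_protocol = SET_CHANGE
    }
    OLD.EXAMPLE.COM = {
        kdc = kdc.old.example.com
        admin_server = kdc.old.example.com
    }
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
realm_kpasswd_protocol "$conf"
rm -f "$conf"
```

Run against a real client with `realm_kpasswd_protocol /etc/krb5/krb5.conf` (the usual Solaris location); realms reported as `unset` have not had the setting applied.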




[Freeipa-users] AIX kerberos client to IPA

2014-03-12 Thread Rob

Hi,

I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server. The
AIX server is configured to use netgroups and all that works for the existing
users.

The problem is when a user's password expires or when a new user is created.
They cannot change their password.

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for testuser
testuser's Old password:
testuser's New password:
Connection to localhost closed.

The problem seems to be related to not getting a Kerberos ticket as kinit can
be used to change the password.

Logging is enabled but no logs ever get updated.

[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
kadmin_local = FILE:/var/krb5/log/kadmin_local.log
default = FILE:/var/krb5/log/krb5lib.log

Anybody ever come across this? Or know how to get logging working?



Re: [Freeipa-users] AIX kerberos client to IPA

2014-03-12 Thread KodaK
I had this issue, but I gave up.  I have my users either log into a Linux
box to change passwords or use a web-based password reset I set up for them.

When your users log in successfully do they have tickets?  That's my
situation: they can get tickets once they're logged in, but can't change
when prompted at login, nor can they change interactively using passwd.

If you ever figure anything out let me know, but I spent quite a bit of
time on it (once I had the workaround I stopped, though.  You may be more
persistent.)

Good luck,

--Jason


On Wed, Mar 12, 2014 at 4:52 PM, Rob robert.ro...@xerox.com wrote:


> Hi,
>
> I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server. The
> AIX server is configured to use netgroups and all that works for the existing
> users.
>
> The problem is when a user's password expires or when a new user is created.
> They cannot change their password.
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for testuser
> testuser's Old password:
> testuser's New password:
> Connection to localhost closed.
>
> The problem seems to be related to not getting a Kerberos ticket as kinit can
> be used to change the password.
>
> Logging is enabled but no logs ever get updated.
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> default = FILE:/var/krb5/log/krb5lib.log
>
> Anybody ever come across this? Or know how to get logging working?





-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6