On 10/14/10 9:50 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Miljan Karadzic wrote:
Hi,
I am having problems configuring Solaris 10 client to work with FreeIPA
v2 server. Everything seems to be working fine except for password
change. When I try to change the password I get this error:
$ kpasswd
kpasswd: Changing password for u...@example.com.
Old password:
kpasswd: Cannot establish a session with the Kerberos administrative
server for realm EXAMPLE.COM. Database error! Required KADM5 principal
missing.
In KDC log I can see this entry:
AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: SERVER_NOT_FOUND:
u...@example.com for changepw/freeipa.example....@example.com, Server
not found in Kerberos database
(freeipa.example.com is my FreeIPA server)
And this is how it looks when it's working:
AS_REQ (2 etypes {3 1}) 192.101.1.73: NEEDED_PREAUTH: u...@example.com
for kadmin/chang...@example.com, Additional pre-authentication required
AS_REQ (2 etypes {3 1}) 192.101.1.73: ISSUE: authtime 1287068308, etypes
{rep=3 tkt=18 ses=1}, u...@example.com for kadmin/chang...@example.com
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: NEEDED_PREAUTH:
kadmin/chang...@example.com for krbtgt/example....@example.com,
Additional pre-authentication required
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: ISSUE: authtime
1287068319, etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@example.com
for krbtgt/example....@example.com
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: ISSUE: authtime
1287068319, etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@example.com
for ldap/freeipa.example....@example.com
It seems that Solaris is requiring the
changepw/freeipa.example....@example.com Kerberos principal for password
changes, instead of kadmin/chang...@example.com. I have a landscape with
AIX, HP-UX, Linux and Solaris servers, and all other systems do not use
the mentioned principal, so this seems to be something specific to Solaris
(or maybe specific to my configuration :)).
Is there a way to instruct the Kerberos client which principal to use for
password changes? Or, if not, how to add the missing principal (I do not
see a way of doing it with FreeIPA commands)?
Installed software:
Client:
SUNWkrbr/SUNWkrbu 11.10.0,REV=2005.01.21.16.34
Server:
389-ds-base-1.2.6.1-2.fc13.i686
ipa-admintools-1.9.0.pre4-0.fc13.i686
ipa-client-1.9.0.pre4-0.fc13.i686
ipa-python-1.9.0.pre4-0.fc13.i686
ipa-server-1.9.0.pre4-0.fc13.i686
ipa-server-selinux-1.9.0.pre4-0.fc13.i686
krb5-libs-1.7.1-14.fc13.i686
krb5-server-1.7.1-14.fc13.i686
krb5-server-ldap-1.7.1-14.fc13.i686
krb5-workstation-1.7.1-14.fc13.i686
pam_krb5-2.3.11-1.fc13.i686
python-iniparse-0.4-1.fc13.noarch
python-krbV-1.0.90-1.fc13.i686
Thanks,
Miljan
The good news is that I can reproduce this on my Solaris 10 system. The
bad news is I'm not sure what the solution is yet. I'll keep looking.
regards
I can't test this completely because for some reason kinit is
segfaulting on my machine. I can get it to use the right principal for
kpasswd though, try adding kpasswd_protocol = SET_CHANGE to your
[realm] section in /etc/krb/krb5.conf, something like:
[realms]
EXAMPLE.COM = {
kdc = freeipa.example.com:88
admin_server = freeipa.example.com:749
kpasswd_protocol = SET_CHANGE
}
rob
Hi Rob,
After adding kpasswd_protocol entry into krb5.conf file, kpasswd is
using correct principal, but now it fails before setting the new password.
$ kpasswd
kpasswd: Changing password for u...@example.com.
Old password:
New password:
New password (again):
kpasswd: Malformed request error
And password is not changed after this. KDC log says:
AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: NEEDED_PREAUTH:
u...@example.com for kadmin/chang...@example.com, Additional
pre-authentication required
AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: ISSUE: authtime
1287095138, etypes {rep=18 tkt=18 ses=18}, u...@example.com for
kadmin/chang...@example.com
I'll take a closer look at this tomorrow, as it is quite late here. :)
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
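As an added diagnostic for the problem discussed in this thread (this is example code written for this page, not code from the thread, from Solaris or from FreeIPA): it parses krb5kdc log entries in the format shown above, flags clients that ask the KDC for a changepw/<host>@REALM service principal (the principal a Solaris client requests under its default RPCSEC_GSS kpasswd protocol, which FreeIPA does not provision, hence the SERVER_NOT_FOUND), and checks whether the realm stanza in a krb5.conf carries the kpasswd_protocol = SET_CHANGE setting Rob suggested. The log lines and config text are constructed samples modelled on the thread; user@EXAMPLE.COM is a placeholder for the user name elided in the thread, and any timestamp or krb5kdc[pid] prefix that a real log carries is ignored by the search.

```python
"""Spot Solaris-style changepw/<host> requests in krb5kdc logs and check
krb5.conf for the kpasswd_protocol setting. Sample data is constructed."""
import re
from typing import Dict, List, Optional

# Body of a krb5kdc AS_REQ/TGS_REQ entry. search() skips any timestamp or
# "krb5kdc[pid](info):" prefix present in a real log.
KDC_ENTRY = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<count>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{(?P<issued>[^}]*)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
    r"(?:, (?P<message>.*))?$"
)


def parse_kdc_line(line: str) -> Optional[Dict[str, str]]:
    """Named fields of one KDC log line, or None if it is not a request entry."""
    m = KDC_ENTRY.search(line.strip())
    return m.groupdict() if m else None


def find_changepw_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Entries whose service principal is changepw/<host>@REALM.

    FreeIPA only provisions kadmin/changepw@REALM, so these requests fail with
    SERVER_NOT_FOUND and identify the client IPs still using the RPCSEC_GSS
    kpasswd protocol (Solaris default) instead of SET_CHANGE."""
    hits = []
    for line in lines:
        entry = parse_kdc_line(line)
        if entry and entry["server"].split("/", 1)[0] == "changepw":
            hits.append(entry)
    return hits


def realm_kpasswd_protocol(conf_text: str, realm: str) -> Optional[str]:
    """kpasswd_protocol value from the realm's stanza under [realms], or None."""
    section = None
    current_realm = None
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current_realm = line[1:-1].lower(), None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):                       # e.g. "EXAMPLE.COM = {"
            current_realm = line[:-1].split("=", 1)[0].strip()
        elif line == "}":
            current_realm = None
        elif current_realm == realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "kpasswd_protocol":
                return value
    return None


def diagnose(log_lines: List[str], conf_text: str, realm: str) -> List[str]:
    """Combine both checks into human-readable findings."""
    findings = []
    for e in find_changepw_requests(log_lines):
        findings.append(f"{e['ip']} requested {e['server']} ({e['status']}): "
                        "client is using the RPCSEC_GSS kpasswd protocol")
    proto = realm_kpasswd_protocol(conf_text, realm)
    if proto != "SET_CHANGE":
        findings.append(f"krb5.conf realm {realm}: kpasswd_protocol is {proto!r}, "
                        "expected SET_CHANGE for a FreeIPA KDC")
    return findings


# Constructed sample data modelled on the thread's excerpts (placeholder user).
SAMPLE_KDC_LOG = [
    "AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: SERVER_NOT_FOUND: "
    "user@EXAMPLE.COM for changepw/freeipa.example.com@EXAMPLE.COM, "
    "Server not found in Kerberos database",
    "AS_REQ (2 etypes {3 1}) 192.101.1.73: NEEDED_PREAUTH: user@EXAMPLE.COM "
    "for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required",
    "AS_REQ (2 etypes {3 1}) 192.101.1.73: ISSUE: authtime 1287068308, "
    "etypes {rep=3 tkt=18 ses=1}, user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM",
]

SOLARIS_CONF_BEFORE = """[realms]
  EXAMPLE.COM = {
    kdc = freeipa.example.com:88
    admin_server = freeipa.example.com:749
  }
"""

SOLARIS_CONF_AFTER = """[realms]
  EXAMPLE.COM = {
    kdc = freeipa.example.com:88
    admin_server = freeipa.example.com:749
    # makes the client ask for kadmin/changepw@REALM instead of changepw/<host>
    kpasswd_protocol = SET_CHANGE
  }
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_KDC_LOG, SOLARIS_CONF_BEFORE, "EXAMPLE.COM"):
        print(finding)
```

Run against a real krb5kdc.log the first check gives the list of Solaris hosts that still need the krb5.conf change; the second check is useful on the client side before retrying kpasswd, since a setting placed in the wrong stanza (outside the realm's braces) is silently ignored by the library.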