Re: [Freeipa-users] Problem with Kerberos Authentication
Michael, did you restart the kdc after you updated the krb5.conf file?
David

Michael Kang wrote:
According to the FreeIPA Client Configure Guide, I realized I may have missed something in my client's krb5.conf. It had been created by the ipa-client-install script; I never edited it. But there are *no* *[realms]* and *[domain_realm]* sections in the krb5.conf file. So I added them, shown below:

    #File modified by ipa-client-install
    [libdefaults]
     default_realm = ARAGON.LOCAL
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes
    [realms]
     ARAGON.LOCAL = {
      kdc = ipa.aragon.local:88
      admin_server = ipa.aragon.local:749
      default_domain = aragon.local
     }
    [domain_realm]
     .aragon.local = ARAGON.LOCAL
     aragon.local = ARAGON.LOCAL
    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

It doesn't work with the new krb5.conf either:

    kinit(v5): Password change failed while getting initial credentials

I'd like to post more detailed output. Hope it could be helpful.

    [r...@freeipa ~]# kinit admin
    Password for ad...@aragon.local:
    [r...@freeipa ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: ad...@aragon.local

    Valid starting     Expires            Service principal
    09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/aragon.lo...@aragon.local

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    [r...@freeipa ~]# ipa-finduser admin
    Full Name: Administrator
    Home Directory: /home/admin
    Login Shell: /bin/bash
    Login: admin
    [r...@freeipa ~]# ipa-finduser haha
    Full Name: haha haha
    Home Directory: /home/haha
    Login Shell: /bin/sh
    Login: haha

Regards,
Michael

On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang wxi...@gmail.com wrote:
Here is the client's krb5.conf:

    #File modified by ipa-client-install
    [libdefaults]
     default_realm = ARAGON.LOCAL
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes
    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }
    EOF

On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau jgali...@redhat.com wrote:
Michael Kang wrote:
Dear FreeIPA community,
I did try setting the new user's initial password. But it didn't work either. I got a protocol error. Here is the console output:

    [r...@freeipa ~]# kinit admin
    Password for ad...@aragon.local:
    [r...@freeipa ~]# ipa-passwd haha
    Changing password for h...@aragon.local
    New Password:
    Confirm Password:
    [r...@freeipa ~]# kinit haha
    Password for h...@aragon.local:
    Password expired. You must change it now.
    Enter new password:
    Enter it again:
    kinit(v5): Requested protocol version not supported while getting initial credentials

Sounds like a Kerberos V4 request was sent to the KDC? What's in the client's krb5.conf?
Jenny

On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau jgali...@redhat.com wrote:
Jenny Galipeau wrote:
Michael Kang wrote:
Dear FreeIPA community,
I successfully installed FreeIPA this morning. Now I have a problem with Kerberos authentication. A new user cannot modify their password in the shell.

Hi Michael:
Did you set the new user's initial password?

    kinit admin
    ipa passwd haha

Thanks
Jenny

Also kinit as haha, because haha will be asked to change the password on first authentication.
Thanks
Jenny

I added a new user named haha (group: ipauser) through the web UI. This user is not an existing system user. Then I added a new Delegation (allowing people in group ipauser to modify passwords for group ipauser).

    [mich...@freeipa Desktop]$ su - haha
    Password:
    Warning: Your password will expire in less than one hour.
    Warning: password has expired.
    Kerberos 5 Password:
    Warning: Your password will expire in less than one hour.
    New UNIX password:
    Retype new UNIX password:
    su: incorrect password
    [mich...@freeipa Desktop]$ su - root
    Password:
    [r...@freeipa ~]# su - haha
    su: warning: cannot change directory to /home/haha: No such file or directory
    -sh-3.2$

Root can su - haha successfully. I think that means Kerberos works, but a new user cannot reset their password in their shell. What should I do?

Best Regards,
Michael
--
Michael Kang (康上明学)
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org
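Editor's note: the message above turns on what a client's krb5.conf does and does not tell the Kerberos library. The following is an added example written for this page, not code from the thread, from FreeIPA or from ipa-client-install. It parses an MIT-style krb5.conf (including the nested `key = { ... }` stanzas) and reports the gaps discussed in the thread: no entry for the default realm under [realms], no way to reach the kpasswd service, no [domain_realm] mapping, or krb4 conversion switched on in the pam stanza. The two embedded configs are abridged copies of the listings Michael posted; the names ORIGINAL_CONF and AMENDED_CONF are mine. The kpasswd rule it encodes is general MIT krb5 behaviour: the library tries kpasswd_server, then DNS SRV records if dns_lookup_kdc allows, then port 464 on the admin_server host. The checker does not claim to diagnose Michael's "Password change failed" error, only to show what the client can and cannot resolve from the file alone.

```python
"""Added example (not from the thread or from FreeIPA): parse an MIT-style
krb5.conf and report settings that leave a client unable to locate its KDC
or kpasswd service, or that leave host-to-realm mapping to DNS guesswork."""
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, "Block"]
Block = List[Tuple[str, Value]]  # ordered pairs; a key such as kdc may repeat
_KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text: str) -> Dict[str, Block]:
    """{section: Block}; nested `key = { ... }` stanzas become Blocks."""
    sections: Dict[str, Block] = {}
    stack: List[Block] = []  # stack[0] = current section, deeper = nested {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and len(stack) <= 1:
            stack = [sections.setdefault(line[1:-1], [])]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            m = _KV_RE.match(line)
            if not m or not stack:
                raise ValueError(f"cannot parse: {raw!r}")
            key, val = m.group(1), m.group(2).strip()
            if val == "{":
                inner: Block = []
                stack[-1].append((key, inner))
                stack.append(inner)
            else:
                stack[-1].append((key, val))
    if len(stack) > 1:
        raise ValueError("unterminated '{'")
    return sections


def _get(block: Block, key: str) -> List[Value]:
    return [v for k, v in block if k == key]


def _on(v: Value) -> bool:
    return isinstance(v, str) and v.lower() in ("true", "yes", "on", "1")


def check_ipa_client_conf(text: str) -> List[str]:
    """Return findings for a client krb5.conf (empty list = nothing to report)."""
    cfg = parse_krb5_conf(text)
    lib = cfg.get("libdefaults", [])
    realm_vals = _get(lib, "default_realm")
    if not realm_vals:
        return ["[libdefaults] has no default_realm; kinit cannot pick a realm"]
    realm, findings = str(realm_vals[-1]), []
    dns_kdc = any(_on(v) for v in _get(lib, "dns_lookup_kdc"))
    blocks = [v for v in _get(cfg.get("realms", []), realm) if isinstance(v, list)]
    if not blocks:
        findings.append(f"[realms] has no entry for {realm}; " + (
            "KDC and kpasswd are found only through DNS SRV records" if dns_kdc
            else "dns_lookup_kdc is off, so no KDC can be located"))
    else:
        rb = blocks[-1]
        if not _get(rb, "kdc") and not dns_kdc:
            findings.append(f"[realms] {realm} lists no kdc and dns_lookup_kdc is off")
        # MIT krb5 looks for the password server as kpasswd_server, then DNS
        # (_kpasswd SRV) when dns_lookup_kdc allows, then admin_server on port 464.
        if not (_get(rb, "kpasswd_server") or _get(rb, "admin_server") or dns_kdc):
            findings.append(f"[realms] {realm} gives no way to reach kpasswd")
    domain = realm.lower()
    mapped = {k for k, v in cfg.get("domain_realm", []) if v == realm}
    if domain not in mapped and "." + domain not in mapped:
        findings.append(f"[domain_realm] does not map {domain} to {realm}")
    for pam in _get(cfg.get("appdefaults", []), "pam"):
        if isinstance(pam, list) and any(_on(v) for v in _get(pam, "krb4_convert")):
            findings.append("[appdefaults] pam.krb4_convert is on")
    return findings


# Abridged from the two krb5.conf listings in Michael's messages above.
ORIGINAL_CONF = """\
#File modified by ipa-client-install
[libdefaults]
 default_realm = ARAGON.LOCAL
 dns_lookup_kdc = true
[appdefaults]
 pam = {
  krb4_convert = false
 }
"""
AMENDED_CONF = ORIGINAL_CONF.replace("[appdefaults]", """\
[realms]
 ARAGON.LOCAL = {
  kdc = ipa.aragon.local:88
  admin_server = ipa.aragon.local:749
 }
[domain_realm]
 .aragon.local = ARAGON.LOCAL
 aragon.local = ARAGON.LOCAL
[appdefaults]""")
```

Run `check_ipa_client_conf(ORIGINAL_CONF)` and it reports that the realm has no [realms] entry, so both the KDC and the password server depend entirely on DNS SRV lookups, and that nothing maps aragon.local to ARAGON.LOCAL; the amended file produces no findings. The point for a practitioner is that dns_lookup_kdc = true makes the first file legal, so a missing [realms] stanza is only a problem when the SRV records are not actually there.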
Re: [Freeipa-users] Problem with Kerberos Authentication
Hi David,

I rebooted the system after I edited the configuration file.

Regards,
Michael

On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien dav...@redhat.com wrote:
Michael, did you restart the kdc after you updated the krb5.conf file?
David