[Freeipa-devel] Password expired on new user

David O'Brien david.obrien at redhat.com
Tue Dec 4 04:47:39 UTC 2007


Simo Sorce wrote:

<snip>

>>> I'd like to see you do a login on a client though, not a kinit
>>>
>> Not sure what you mean. You mean install the client and just navigate
>> straight to the server without running kinit?  I expect this is to see
>> if it prompts for a username/password. I haven't installed a client yet.
>> I'll do that tomorrow.
> 
> I mean running ipa-client-install on a client machine and do a real GDM
> login (after a reboot).
> 
> Simo.
> 
Point of confusion: (sorry if I'm a bit slow here...)

If I have ipa-client installed and everything set up properly, I should
be able to log in to the box and authenticate against the ipa-server?
e.g. as ipa-User/password, not using a local account? Wouldn't I need to
modify system-config-auth to do that? Or is that supposed to occur as
part of the client install/config?

Currently:
I have a client installed, but I'm not 100% confident with it. I hosed
my DNS so I'm using /etc/hosts for name resolution. There were a couple
of errors at the end of the client install possibly related to that.
It's disappeared now (rebooted) and there's no ipa-error.log.

After the install I did kinit admin@AUSTRALIA.COM just to make sure I
could talk to the server and get a ticket. Then I set up firefox.

I rebooted and tried to do a GDM login as <ipa-user> but that failed.
Also tried <ipa-admin> without success.

I logged in as a local user, enabled Kerberos authentication
(system-config-authentication) and logged out. Tried to log in again as
above, but haven't had any success there either. Is this the way it's
supposed to work?

I'm now logged in to the machine as "redhat", started up firefox,
navigated to darwin.australia.com (server) and got Kerberos auth
failure. I suppose it's trying to authenticate as "redhat" so that's
going to fail.

I added redhat as a user on the ipa server, logged out on the client,
logged in as redhat and again went to darwin.australia.com. Kerberos
auth failure again. I ran kinit redhat@AUSTRALIA.COM and was then able
to get to the webUI ok.

I know this is getting long-winded, but at the end of the day, I should
be able to create "newuser" on the IPA server, install ipa-client on a
separate box, and then log in to that box as "newuser", irrespective of
whether or not "newuser" has a local account?

thanks for your patience
-- 

David O'Brien <mailto:daobrien at redhat.com>
RHCT
PGP-KeyID: 0x443CBA7B

