[Freeipa-devel] Password expired on new user

Simo Sorce ssorce at redhat.com
Tue Dec 4 13:16:56 UTC 2007


On Tue, 2007-12-04 at 14:47 +1000, David O'Brien wrote:
> Simo Sorce wrote:
> 
> <snip>
> 
> >>> I'd like to see you do a login on a client though, not a kinit
> >>>
> >> Not sure what you mean. You mean install the client and just navigate
> >> straight to the server without running kinit?  I expect this is to see
> >> if it prompts for a username/password. I haven't installed a client yet.
> >> I'll do that tomorrow.
> > 
> > I mean running ipa-client-install on a client machine and do a real GDM
> > login (after a reboot).
> > 
> > Simo.
> > 
> Point of confusion: (sorry if I'm a bit slow here...)
> 
> If I have ipa-client installed and everything set up properly, I should
> be able to log in to the box and authenticate against the ipa-server?
> e.g. as ipa-User/password, not using a local account? Wouldn't I need to
> modify system-config-auth to do that? Or is that supposed to occur as
> part of the client install/config?

It's the whole point of ipa-client-install.

> Currently:
> I have a client installed, but I'm not 100% confident with it. I hosed
> my DNS so I'm using /etc/hosts for name resolution. There were a couple
> of errors at the end of the client install possibly related to that.
> It's disappeared now (rebooted) and there's no ipa-error.log

I want to know the errors.

> After the install I did kinit admin@AUSTRALIA.COM just to make sure I
> could talk to the server and get a ticket. Then I set up firefox.
> 
> I rebooted and tried to do a GDM login as <ipa-user> but that failed.
> Also tried <ipa-admin> without success.
> 
> I logged in as a local user, enabled Kerberos authentication
> (system-config-authentication) and logged out. Tried to log in again as
> above, but haven't had any success there either. Is this the way it's
> supposed to work?
> 
> I'm now logged in to the machine as "redhat", started up firefox,
> navigated to darwin.australia.com (server) and got Kerberos auth
> failure. I suppose it's trying to authenticate as "redhat" so that's
> going to fail.
> 
> I added redhat as a user on the ipa server, logged out on the client,
> logged in as redhat and again went to darwin.australia.com. Kerberos
> auth failure again. I ran kinit redhat@AUSTRALIA.COM and was then able
> to get to the webUI ok.
> 
> I know this is getting long-winded, but at the end of the day, I should
> be able to create "newuser" on the IPA server, install ipa-client on a
> separate box, and then log in to that box as "newuser", irrespective of
> whether or not "newuser" has a local account?

Yes.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |



