[Freeipa-users] pam settings for changing password under FreeIPA

Simo Sorce ssorce at redhat.com
Fri Oct 24 12:17:53 UTC 2008


On Fri, 2008-10-24 at 12:38 +0100, Nick Gresham wrote:
> > 
> > So it works on a SuSE client but not others, even now?  You can go to
> > non-SuSE and it fails and then go to SuSE and it works?
> > 
> 
> that's right: at present the password changing procedure only works with
> an OpenSuSE client: e.g.
> 
> Password:
> Warning: password has expired.
> New Password:
> Reenter New Password:
> LDAP password information changed for m*****
> Last login: Wed Oct 22 14:03:04 2008 from l***.s****.man.ac.uk
> Have a lot of fun...

This is working because you are doing a password change over ldap and
not using kerberos.

From the other email I have the impression that your ipa_kpasswd daemon
has an invalid keytab and cannot successfully authenticate to ldap to
perform the password change.

Not sure why that happened.

You might try to use kadmin.local in this case to create a new secret
for kpasswd/changepw@REALM and dump it in
/var/kerberos/krb5kdc/kpasswd.keytab (make sure to copy it on all
servers).

You are the second that seems to have stumbled on this problem, so it
would be nice to know if you did any particular operation right before
that password change mechanism stopped working?

Simo.
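
The message above advises regenerating the kpasswd key and copying the keytab to all servers. The following is an added example, not part of the original message or of FreeIPA's own code: it compares `klist -kt` listings taken from two servers and flags a server whose keytab lacks the principal or carries an older key version. The realm EXAMPLE.COM, the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Principal name as given in the message; EXAMPLE.COM is a placeholder realm.
PRINCIPAL='kpasswd/changepw@EXAMPLE.COM'

# Constructed sample listings, in the layout printed by:
#   klist -kt /var/kerberos/krb5kdc/kpasswd.keytab
SERVER_A='Keytab name: FILE:/var/kerberos/krb5kdc/kpasswd.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   3 10/24/08 12:17:53 kpasswd/changepw@EXAMPLE.COM
   3 10/24/08 12:17:53 kpasswd/changepw@EXAMPLE.COM'
SERVER_B='Keytab name: FILE:/var/kerberos/krb5kdc/kpasswd.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   2 10/20/08 09:01:10 kpasswd/changepw@EXAMPLE.COM'

# Read a klist -kt listing on stdin and print the highest KVNO found for
# principal $1. Exit status 1 when the principal has no entry at all.
max_kvno() {
    awk -v p="$1" '
        BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i == p) { found = 1; if ($1 + 0 > max) max = $1 + 0 }
        }
        END { if (!found) exit 1; print max }'
}

# Compare two listings. Returns 0 only when both hold the same newest key
# version, 1 on a version mismatch, 2 when one server has no entry.
compare_keytabs() {
    a=$(printf '%s\n' "$1" | max_kvno "$PRINCIPAL") ||
        { echo "MISSING: no $PRINCIPAL entry in first listing"; return 2; }
    b=$(printf '%s\n' "$2" | max_kvno "$PRINCIPAL") ||
        { echo "MISSING: no $PRINCIPAL entry in second listing"; return 2; }
    if [ "$a" -eq "$b" ]; then
        echo "OK: kvno $a on both"
    else
        echo "MISMATCH: kvno $a vs $b"
        return 1
    fi
}

# Run the comparison on the constructed samples.
compare_keytabs "$SERVER_A" "$SERVER_B" || true
```

Matching key version numbers are necessary but do not prove the key material is identical; comparing a checksum of the keytab file on each server is the stronger check.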



