[Freeipa-users] Cannot contact any KDC for requested realm changing password

Ismael Puerto soporte.informatico at enforex.es
Tue Jun 23 05:46:14 UTC 2009


Restart the service ipa-kpasswd

Ismael Puerto

On 23/06/2009, at 03:25, Robert Marcano <robert at marcanoonline.com>  
wrote:

> This weekend one of our ipa servers was moved from one subnet to
> another new one; all IPs, gateways, DNS references (including SRV records
> and reverse records) were changed. Since that change we have this
> problem: it is not possible for any user to change the password using
> kpasswd (or using kinit for an expired password), the error message is
> "Cannot contact any KDC for requested realm changing password",
> everyone can kinit without problems,
>
> [root at ipaserver ~]# kpasswd
> Password for user at MYDOMAIN.COM:
> Enter new password:
> Enter it again:
> kpasswd: Cannot contact any KDC for requested realm changing password
>
> /var/log/krb5kdc.log says (values altered to protect the innocent)
>
> Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH:
> user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM, Additional
> pre-authentication required
> Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH:
> user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM, Additional
> pre-authentication required
> Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451,
> etypes {rep=18 tkt=18 ses=18}, user at MYDOMAIN.COM for
> kadmin/changepw at MYDOMAIN.COM
> Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451,
> etypes {rep=18 tkt=18 ses=18}, user at MYDOMAIN.COM for
> kadmin/changepw at MYDOMAIN.COM
>
> In order to rule out a firewall problem, we disabled it, and
> tested kpasswd on the same ipa server. We are running with SELinux
> permissive, trying to test if it is SELinux related. DNS SRV records
> are being resolved on the IPA server. Running FreeIPA 1.2
>
> This problem looks more Kerberos related than a FreeIPA problem, but
> I am running out of ideas about the probable reason.
>
> Any help is really appreciated
>
> -- 
> Robert Marcano
>

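An added example, not part of the original thread: in the quoted krb5kdc.log the AS_REQ for kadmin/changepw ends in ISSUE, so the KDC itself answered and the failure lies in the later step of reaching the password-change service, which fits the advice to restart ipa-kpasswd. This Python sketch classifies clients from such log lines; the function name and the sample log (single-line entries, made-up host, IPs and principals) are assumptions.

```python
import re

# Constructed sample in krb5kdc.log format; host, IPs and principals are made up.
SAMPLE_LOG = """\
Jun 22 16:47:31 ipa.example.com krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jun 22 16:47:31 ipa.example.com krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1245705451, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jun 22 16:50:02 ipa.example.com krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: NEEDED_PREAUTH: bob@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jun 22 16:51:10 ipa.example.com krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.12: ISSUE: authtime 1245705670, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

CHANGEPW = "kadmin/changepw@"  # service principal used for password changes
ENTRY = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:.*, )?(?P<client>[^\s,]+) for (?P<service>[^\s,]+)"
)


def triage_changepw(log_text):
    """Map each client that asked for a kadmin/changepw ticket to
    'ticket_issued' or 'no_ticket' (hypothetical helper, not a FreeIPA tool)."""
    verdicts = {}
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m or not m.group("service").startswith(CHANGEPW):
            continue  # not an AS_REQ, or a ticket for some other service
        client = m.group("client")
        if m.group("status") == "ISSUE":
            # The KDC answered and issued the ticket: the KDC path works.
            verdicts[client] = "ticket_issued"
        else:
            # Keep an earlier 'ticket_issued' verdict if one was recorded.
            verdicts.setdefault(client, "no_ticket")
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(triage_changepw(SAMPLE_LOG).items()):
        hint = ("KDC reachable; check the password-change service"
                if verdict == "ticket_issued"
                else "AS exchange never completed; check preauth or KDC reachability")
        print(f"{client}: {verdict} ({hint})")
```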