
Re: [Freeipa-users] Trouble with new installation



Alright, now I'm starting to get somewhere!
kadmin was not running, and I was getting
Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: test MYDOM COM for kadmin/changepw MYDOM COM, Additional pre-authentication required
Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145900, etypes {rep=18 tkt=18 ses=18}, test MYDOM COM for kadmin/changepw MYDOM COM
Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: kadmin/changepw MYDOM COM for krbtgt/MYDOM COM MYDOM COM, Additional pre-authentication required
Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw MYDOM COM for krbtgt/MYDOM COM MYDOM COM
Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw MYDOM COM for ldap/auth01 mydom com MYDOM COM

/sbin/service kadmin start
/sbin/chkconfig kadmin on
Now it hangs for a minute when changing the password, and I see the following in /var/log/messages.
Jun  4 16:47:02 auth01 kpasswd[19933]: Unable to read request: Key version number for principal in key table is incorrect
Jun  4 16:47:10 auth01 kpasswd[19935]: Unable to read request: Key version number for principal in key table is incorrect
Jun  4 16:47:19 auth01 kpasswd[19951]: Unable to read request: Key version number for principal in key table is incorrect

Note: the above messages were from using the passwd command. (In my previous posts I usually try passwd, kpasswd, and ipa-passwd).

I tried again with ipa-passwd and it worked right away!  Did an ldapsearch and can see that my expiration is now 200909...

Thanks everyone for your help with this.

Two more questions while on this topic.
1. Is it to be expected that passwords should be changed using ipa-passwd and not regular passwd?
2. Is there any documentation that shows the technical layout of how things are supposed to work, including the services and how they all integrate together? I found a diagram online but it was very top level and didn't explain much more than I could have guessed without any ldap or kerberos experience. I would create this myself, but I am clearly not the one for the task :)
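A check for the symptom in this thread, added here as an example and not taken from the thread or from FreeIPA itself: the "Key version number for principal in key table is incorrect" errors mean the kvno stored for kadmin/changepw in the kpasswd keytab no longer matches the kvno the KDC issues. The script compares the two from `klist -k` and `kvno` output; the keytab path and the sample outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example: detect a kvno mismatch between the ipa-kpasswd keytab and the KDC.
# The keytab path below is assumed, and both sample outputs are constructed.

# Constructed sample of: klist -k /var/kerberos/krb5kdc/kpasswd.keytab   (path assumed)
SAMPLE_KLIST='Keytab name: FILE:/var/kerberos/krb5kdc/kpasswd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 kadmin/changepw@MYDOM.COM
   2 kadmin/changepw@MYDOM.COM'

# Constructed sample of: kvno kadmin/changepw@MYDOM.COM
# (the kadmin init script regenerated the key, so the KDC now issues kvno 3)
SAMPLE_KVNO='kadmin/changepw@MYDOM.COM: kvno = 3'

# keytab_kvno KLIST_OUTPUT PRINCIPAL -> highest kvno stored for PRINCIPAL in the keytab
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { if ($1+0 > max) max = $1+0 } END { print max+0 }'
}

# kdc_kvno KVNO_OUTPUT -> kvno the KDC put into the freshly issued service ticket
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL -> returns 0 if they agree, 1 on mismatch
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    if [ "$kt" = "$kdc" ]; then
        printf 'ok: keytab kvno %s matches KDC kvno %s for %s\n' "$kt" "$kdc" "$3"
        return 0
    fi
    printf 'MISMATCH: keytab has kvno %s but the KDC issues kvno %s for %s\n' "$kt" "$kdc" "$3"
    printf 'ipa-kpasswd will fail with: Key version number for principal in key table is incorrect\n'
    return 1
}

# On a live server (not run here):
#   check_kvno "$(klist -k /var/kerberos/krb5kdc/kpasswd.keytab)" "$(kvno kadmin/changepw@MYDOM.COM)" kadmin/changepw@MYDOM.COM
check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO" kadmin/changepw@MYDOM.COM || :
```

A mismatch points at a regenerated kadmin/changepw key; the keytab then has to be re-extracted from the KDC rather than the service simply restarted.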




From: Simo Sorce <ssorce redhat com>
To: Dumbo Q <dumboq yahoo com>
Cc: Christian Horn <chorn fluxcoil net>; freeipa-users redhat com
Sent: Thursday, June 4, 2009 4:15:00 PM
Subject: Re: [Freeipa-users] Trouble with new installation

On Thu, 2009-06-04 at 13:05 -0700, Dumbo Q wrote:
> That had me thinking that maybe the user was not allowed to access the
> specific machine. I've gone through the docs a few times, and cannot
> find where my problem may be.
>
> As a test I created the following file
> dn: uid=test,cn=users,cn=accounts,dc=mydom,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20090605194542Z
>
> [root auth01 ~]# ldapmodify -h localhost -xv -D cn="Directory Manager"
> -W -f /root/testexpire.ldif
> ldap_initialize( ldap://localhost )
> Enter LDAP Password:
> replace krbPasswordExpiration:
>        20090605194542Z
> modifying entry "uid=test,cn=users,cn=accounts,dc=mydom,dc=com"
> modify complete
>
>
> The test user was now able to login to the server as I had hoped.
> I ran the 'passwd' command,  entered my kerb pass, then picked a new
> pass.
> /var/log/messages again said:
> Jun  4 15:58:40 auth01 kpasswd[18390]: Unable to bind to ldap server
> Jun  4 15:58:40 auth01 kpasswd[18390]: Server Error while performing
> LDAP password change
>
> What could be going wrong here??
> I also tried running kinit, and then changing the passwd with the same
> results.

Have you tried to start kadmin by chance?
I think I remember on some older versions the kadmin init script will
happily generate a new kadmin/changepw secret making the one we stored
in the ipa-kpasswd specific keytab useless.

Can you check if you see errors in krb5kdc.log regarding obtaining a TGT
for kadmin/changepw?

Simo.


--
Simo Sorce * Red Hat, Inc * New York


