[Freeipa-users] Trouble with new installation

Dumbo Q dumboq at yahoo.com
Thu Jun 4 21:31:52 UTC 2009


"Except that I didn't tell you to start kadmin, I was worried you did :-/"

Doh! I was so excited I damn near skipped through the hallway. Back to the drawing board :)

So I believe I will need to do something like
ipa-getkeytab -s auth01.mydom.com -p  <kpasswd/auth01.. ?? > -k ???

I'm just not sure what exactly I broke.

________________________________
From: Simo Sorce <ssorce at redhat.com>
To: Dumbo Q <dumboq at yahoo.com>
Cc: Christian Horn <chorn at fluxcoil.net>; freeipa-users at redhat.com
Sent: Thursday, June 4, 2009 5:20:39 PM
Subject: Re: [Freeipa-users] Trouble with new installation

On Thu, 2009-06-04 at 14:02 -0700, Dumbo Q wrote:
> Alright, now I'm starting to get somewhere!
> kadmin was not running, and I was getting
> Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12
> etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH:
> test at MYDOM.COM for kadmin/changepw at MYDOM.COM, Additional
> pre-authentication required
> Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12
> etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime
> 1244145900, etypes {rep=18 tkt=18 ses=18}, test at MYDOM.COM for
> kadmin/changepw at MYDOM.COM
> Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12
> etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH:
> kadmin/changepw at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM, Additional
> pre-authentication required
> Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12
> etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime
> 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at MYDOM.COM
> for krbtgt/MYDOM.COM at MYDOM.COM
> Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.30.1.53: ISSUE: authtime 1244145908,
> etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at MYDOM.COM for
> ldap/auth01.mydom.com at MYDOM.COM
> 
> /sbin/service kadmin start
> /sbin/chkconfig kadmin on 
> now it hangs for a minute when changing the password, and I see the
> following in /var/log/messages.
> Jun  4 16:47:02 auth01 kpasswd[19933]: Unable to read request: Key
> version number for principal in key table is incorrect
> Jun  4 16:47:10 auth01 kpasswd[19935]: Unable to read request: Key
> version number for principal in key table is incorrect
> Jun  4 16:47:19 auth01 kpasswd[19951]: Unable to read request: Key
> version number for principal in key table is incorrect
> 
> Note:  the above messages were from using the passwd
> command.  (In my previous posts I usually try passwd, kpasswd, and
> ipa-passwd).
> 
> I tried again with ipa-passwd and it worked right away!  Did an
> ldapsearch and can see that my expiration is now 200909...
> 
> Thanks everyone for your help with this.

Except that I didn't tell you to start kadmin, I was worried you did :-/
Now you have broken your installation, you are supposed to use
ipa-kpasswd not kadmin as kadmin has other unwanted properties, like the
fact that it will not create a hash for simple binds to the ldap server,
and will not use the ipa defined password policies.

You will now have to fix the installation so that ipa-kpasswd has the
right keytab.

> Two more questions while on this topic.
> 1. Is it to be expected that passwords should be changed using
> ipa-password and not regular passwd?

No, you should use regular passwd or, at most, kpasswd; ipa-passwd is for
admin purposes.

> 2. Is there any documentation that shows the technical layout of how
> things are supposed to work, including the services and how they all
> integrate together?   I found a diagram online but it was very top
> level and didn't explain much more than I could have guessed without
> any ldap or kerberos experience.  I would create this myself, but I am
> clearly not the one for the task :)

All we have is published on freeipa.org sorry.


Simo.



-- 
Simo Sorce * Red Hat, Inc * New York
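The kpasswd error quoted in the thread ("Key version number for principal in key table is incorrect") means the key version (kvno) the KDC currently issues for a principal is not present in the keytab the service reads. The following script is an added example, not code from the thread or from FreeIPA: it parses the output of `klist -kt` and `kvno` and reports every principal whose current KDC kvno is missing from the keytab, so an administrator can confirm which entry needs re-fetching (with ipa-getkeytab, as the poster suggests) before guessing. The sample outputs embedded below are constructed for the example; the principal names, version numbers and timestamps are invented.

```python
import re
import subprocess
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample output of `klist -kt /etc/krb5.keytab` (not from the thread).
# The kadmin/changepw entry is deliberately one version behind the KDC.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/04/09 16:47:02 host/auth01.mydom.com@MYDOM.COM
   2 06/04/09 16:47:02 kadmin/changepw@MYDOM.COM
   3 06/04/09 16:47:02 ldap/auth01.mydom.com@MYDOM.COM
"""

# Constructed sample output of `kvno <principal>...` for the same principals,
# i.e. the key versions the KDC currently puts into tickets.
SAMPLE_KVNO = """host/auth01.mydom.com@MYDOM.COM: kvno = 2
kadmin/changepw@MYDOM.COM: kvno = 3
ldap/auth01.mydom.com@MYDOM.COM: kvno = 3
"""

# One keytab entry: leading kvno, a timestamp of one or more tokens, then a principal.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+@\S+)\s*$")
# One kvno result line: "principal@REALM: kvno = N".
KVNO_LINE = re.compile(r"^(\S+@\S+):\s+kvno\s*=\s*(\d+)\s*$")


def parse_klist(text: str) -> Dict[str, Set[int]]:
    """Map each principal in `klist -kt` output to the set of kvnos the keytab holds.
    A keytab may legitimately carry several versions of one principal's key."""
    entries: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.setdefault(m.group(3), set()).add(int(m.group(1)))
    return entries


def parse_kvno(text: str) -> Dict[str, int]:
    """Map each principal in `kvno` output to the key version the KDC issues now."""
    current: Dict[str, int] = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2))
    return current


def find_mismatches(keytab: Dict[str, Set[int]],
                    kdc: Dict[str, int]) -> List[Tuple[str, Set[int], int]]:
    """Return (principal, kvnos in keytab, KDC kvno) for every principal whose current
    KDC key version is absent from the keytab. A service reading such a keytab cannot
    decrypt requests for that principal, which is what kpasswd logged in the thread."""
    out: List[Tuple[str, Set[int], int]] = []
    for principal, current in sorted(kdc.items()):
        have = keytab.get(principal, set())
        if current not in have:
            out.append((principal, have, current))
    return out


def live_check(keytab_path: str) -> List[Tuple[str, Set[int], int]]:
    """Run the real tools against a keytab. `kvno` needs a valid ticket cache
    (kinit first); `klist -kt` needs read access to the keytab file."""
    klist = subprocess.run(["klist", "-kt", keytab_path],
                           capture_output=True, text=True, check=True)
    keytab = parse_klist(klist.stdout)
    kvno = subprocess.run(["kvno"] + sorted(keytab),
                          capture_output=True, text=True, check=True)
    return find_mismatches(keytab, parse_kvno(kvno.stdout))


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        mismatches = live_check(argv[1])
    else:
        mismatches = find_mismatches(parse_klist(SAMPLE_KLIST), parse_kvno(SAMPLE_KVNO))
    for principal, have, current in mismatches:
        have_str = ",".join(str(v) for v in sorted(have)) or "none"
        print(f"{principal}: keytab has kvno {have_str}, KDC issues kvno {current}")
    return 1 if mismatches else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the constructed case (the stale kadmin/changepw entry is reported); pass a keytab path, after obtaining a ticket with kinit, to check a live host. A non-zero exit code makes the script usable from a monitoring job, and a reported principal is the one whose keytab entry needs refreshing.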
