[Freeipa-users] Cannot contact any KDC for requested realm changing password

Robert Marcano robert at marcanoonline.com
Tue Jun 23 01:25:20 UTC 2009


This weekend one of our IPA servers was moved from one subnet to a new
one; all IPs, gateways, and DNS references (including SRV records and
reverse records) were changed. Since that change we have had this
problem: it is not possible for any user to change their password using
kpasswd (or using kinit for an expired password); the error message is
"Cannot contact any KDC for requested realm changing password".
Everyone can kinit without problems:

[root at ipaserver ~]# kpasswd
Password for user at MYDOMAIN.COM:
Enter new password:
Enter it again:
kpasswd: Cannot contact any KDC for requested realm changing password

/var/log/krb5kdc.log says (values altered to protect the innocent):

Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH:
user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM, Additional
pre-authentication required
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH:
user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM, Additional
pre-authentication required
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451,
etypes {rep=18 tkt=18 ses=18}, user at MYDOMAIN.COM for
kadmin/changepw at MYDOMAIN.COM
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451,
etypes {rep=18 tkt=18 ses=18}, user at MYDOMAIN.COM for
kadmin/changepw at MYDOMAIN.COM

In order to rule out a firewall problem, we disabled it and tested
kpasswd on the same IPA server. We are running with SELinux permissive
to test whether it is SELinux related. DNS SRV records are being
resolved on the IPA server. We are running FreeIPA 1.2.

This problem looks more Kerberos related than FreeIPA related, but I
am running out of ideas about the probable reason.

Any help is really appreciated

-- 
Robert Marcano
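The log quoted above shows the first half of a password change succeeding: the KDC on port 88 issues a ticket for kadmin/changepw. kpasswd then has to deliver the change request to the kpasswd service on port 464, which an MIT krb5 client locates from kpasswd_server or admin_server in the realm stanza of krb5.conf or, only when neither is set, from the _kpasswd._udp and _kerberos-adm._tcp SRV records. The script below is an added diagnostic, not part of the original message or of FreeIPA: it parses a constructed FreeIPA-1.x style krb5.conf, works out which endpoint the client would actually try (following that search order), and flags any endpoint whose address record does not point at the server's current IPs. The sample config, the SRV answers, the address table and the realm/host names are all constructed; to run it against a live realm, replace the two lookup lambdas in diagnose() with real DNS queries.

```python
"""Which endpoint will a Kerberos client send a password change to, and does
it resolve to the server's current address? Added diagnostic for the post
above; not part of the original message or of FreeIPA."""
import re
from typing import Callable, Dict, List, Set, Tuple

KPASSWD_PORT = 464   # kpasswd/changepw service
KADMIN_PORT = 749    # default port for admin_server entries

# Constructed krb5.conf in the FreeIPA 1.x style (assumption; not the
# poster's real file). Realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true

[realms]
 MYDOMAIN.COM = {
  kdc = ipaserver.mydomain.com:88
  admin_server = ipaserver.mydomain.com:749
 }
"""

# Constructed DNS answers standing in for the zone after the subnet move.
SRV_TABLE = {
    "_kpasswd._udp.MYDOMAIN.COM": [("ipaserver.mydomain.com", 464)],
    "_kerberos-adm._tcp.MYDOMAIN.COM": [("ipaserver.mydomain.com", 749)],
}
A_TABLE = {"ipaserver.mydomain.com": ["192.168.2.10"]}

SrvLookup = Callable[[str], List[Tuple[str, int]]]   # name -> [(target, port)]
ALookup = Callable[[str], List[str]]                  # host -> [ip, ...]


def parse_krb5_conf(text: str) -> Dict[str, Dict]:
    """Minimal parser for [libdefaults] and the per-realm blocks in [realms]."""
    conf: Dict[str, Dict] = {"libdefaults": {}, "realms": {}}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "realms":
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m:
                realm = m.group(1)
                conf["realms"].setdefault(realm, {})
                continue
            if line == "}":
                realm = None
                continue
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                conf["libdefaults"][key] = val
            elif section == "realms" and realm:
                conf["realms"][realm].setdefault(key, []).append(val)
    return conf


def split_hostport(spec: str, default_port: int) -> Tuple[str, int]:
    """'host:port' -> (host, port); a bare host gets default_port (names/IPv4 only)."""
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, default_port


def kpasswd_candidates(realm: str, conf: Dict, srv_lookup: SrvLookup) -> List[Tuple[str, int, str]]:
    """Endpoints in MIT krb5's search order for a password change: kpasswd_server,
    else admin_server with the port forced to 464, else the _kpasswd._udp SRV
    record, else _kerberos-adm._tcp (also forced to 464). Once the realm stanza
    names a server, the SRV records are never consulted."""
    r = conf["realms"].get(realm, {})
    if r.get("kpasswd_server"):
        return [(*split_hostport(s, KPASSWD_PORT), "udp") for s in r["kpasswd_server"]]
    if r.get("admin_server"):
        return [(split_hostport(s, KADMIN_PORT)[0], KPASSWD_PORT, "udp") for s in r["admin_server"]]
    if conf["libdefaults"].get("dns_lookup_kdc", "true").lower() in ("false", "no", "0"):
        return []
    found = [(t, p, "udp") for t, p in srv_lookup(f"_kpasswd._udp.{realm}")]
    if not found:
        found = [(t, KPASSWD_PORT, "tcp") for t, _ in srv_lookup(f"_kerberos-adm._tcp.{realm}")]
    return found


def stale_endpoints(candidates, resolve_a: ALookup, current_ips: Set[str]) -> List[str]:
    """Flag candidate hosts whose address records do not point at the moved server."""
    findings = []
    for host, port, proto in candidates:
        addrs = resolve_a(host)
        if not addrs:
            findings.append(f"{host}:{port}/{proto}: no address record")
        elif not set(addrs) & current_ips:
            findings.append(f"{host}:{port}/{proto}: resolves to {','.join(addrs)}, "
                            f"not one of {sorted(current_ips)}")
    return findings


def diagnose(conf_text: str, realm: str, current_ips: Set[str],
             srv_table=SRV_TABLE, a_table=A_TABLE):
    """Return (endpoints the client will try, findings). Swap the lambdas for real DNS."""
    conf = parse_krb5_conf(conf_text)
    cands = kpasswd_candidates(realm, conf, lambda n: srv_table.get(n, []))
    return cands, stale_endpoints(cands, lambda h: a_table.get(h, []), current_ips)


if __name__ == "__main__":
    cands, findings = diagnose(SAMPLE_KRB5_CONF, "MYDOMAIN.COM", {"192.168.2.10"})
    print("will try:", cands)
    print("findings:", findings or "none")
```

The point the script makes explicit is that "the SRV records resolve" only matters when the realm stanza names no server; with admin_server present, as FreeIPA 1.x writes it, the client goes to that host on UDP 464 regardless of what DNS says, so both the configured name and the records it resolves to need checking after a move.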



