Fwd: [Freeipa-users] Problem with Kerberos Authentication
Rob Crittenden
rcritten at redhat.com
Fri Sep 25 13:33:45 UTC 2009
Michael Kang wrote:
>
>
> ---------- Forwarded message ----------
> From: Michael Kang <wxiluo at gmail.com>
> Date: Fri, Sep 25, 2009 at 4:09 PM
> Subject: Re: [Freeipa-users] Problem with Kerberos Authentication
> To: Jenny Galipeau <jgalipea at redhat.com>
>
>
> Dear Jenny Galipeau,
>
> Thank you and everyone who helped me with this project. Thanks for being
> patient and answering my questions :)
>
> My problem was solved by using Fedora 11 (upgraded completely). FreeIPA
> may have bugs with Fedora 9.
>
> If I install Fedora 11 (not upgraded), then install ipa-server, Apache
> crashed many times per second. Here is the log output:
>
> Apache child pid xxxx exit signal Segmentation fault (11)
Yes, this was a bug in the original NSS package that shipped with F-11.
>
> After upgrading the whole system, this problem disappeared. Also, a new user
> can pass the Kerberos authentication and log in to the system successfully.
>
> If you want the details about the bugs on Fedora 9, I could send them
> to you. Please let me know what you want.
Fedora 9 isn't supported by Fedora anymore so we don't test on it either.
rob
>
> Thank you again.
> Michael
>
>
> On Thu, Sep 24, 2009 at 8:41 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>
> Hi Michael:
>
> Let's rule in or out the delegation you added. Can you remove the
> delegation and try it? If it works, I think we may have a bug. If it
> behaves the same, if you could provide more debug info that would be
> great.
>
> Thanks
> Jenny
>
> Michael Kang wrote:
>
> Hi David,
>
> I rebooted the system after I edited the configuration file.
>
> Regards,
> Michael
>
> On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien <davido at redhat.com> wrote:
>
> Michael,
> did you restart the kdc after you updated the krb5.conf file?
>
> David
>
> Michael Kang wrote:
>
> According to the FreeIPA Client Configuration Guide, I realized I may have
> missed something in my client's krb5.conf. It had been created by the
> ipa-client-install script; I never edited it. But there are *no*
> *[realms]* and *[domain_realm]* sections in the krb5.conf file.
>
> So I added them, as shown below:
>
>
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = ARAGON.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> ARAGON.LOCAL = {
> kdc = ipa.aragon.local:88
> admin_server = ipa.aragon.local:749
> default_domain = aragon.local
> }
>
> [domain_realm]
> .aragon.local = ARAGON.LOCAL
> aragon.local = ARAGON.LOCAL
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
>
> It doesn't work with the new krb5.conf either:
> *kinit(v5): Password change failed while getting initial credentials*
>
> I'd like to post more detailed output. I hope it is helpful.
>
>
> [root at freeipa ~]# kinit admin
> Password for admin at ARAGON.LOCAL:
> [root at freeipa ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at ARAGON.LOCAL
>
> Valid starting     Expires            Service principal
> 09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/ARAGON.LOCAL at ARAGON.LOCAL
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at freeipa ~]# ipa-finduser admin
> Full Name: Administrator
> Home Directory: /home/admin
> Login Shell: /bin/bash
> Login: admin
>
> [root at freeipa ~]# ipa-finduser haha
> Full Name: haha haha
> Home Directory: /home/haha
> Login Shell: /bin/sh
> Login: haha
>
>
>
> Regards,
> Michael
>
> On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxiluo at gmail.com> wrote:
>
>
> Here is client's krb5.conf:
>
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = ARAGON.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
> EOF
>
>
> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>
>
>
> Michael Kang wrote:
>
>
> Dear FreeIPA community,
>
> I did try setting the new user's initial password. But it didn't work
> either. I got a protocol error.
>
> Here is the output of console :
>
> [root at freeipa ~]# kinit admin
> Password for admin at ARAGON.LOCAL:
> [root at freeipa ~]# ipa-passwd haha
> Changing password for haha at ARAGON.LOCAL
> New Password:
> Confirm Password:
> [root at freeipa ~]# kinit haha
> Password for haha at ARAGON.LOCAL:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Requested protocol version not supported while getting initial credentials
>
>
>
> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
> client's krb5.conf?
> Jenny
>
>
> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>
> Jenny Galipeau wrote:
>
>
> Michael Kang wrote:
>
> Dear FreeIPA community,
>
> I successfully installed FreeIPA this morning. Now I have a problem
> with Kerberos authentication. New users cannot modify their password
> in the shell.
>
> Hi Michael:
> Did you set the new user's initial password?
> kinit admin
> ipa passwd haha
> Thanks
> Jenny
>
> Also kinit as haha, because haha will be asked to change the password
> on first authentication.
>
> Thanks
> Jenny
>
>
> I added a new user named haha (group: ipauser) via the web UI. This
> user is not an existing system user. Then I added a new Delegation
> (allowing people in group ipauser to modify the password for group
> ipauser).
>
> [michael at freeipa Desktop]$ su - haha
> Password:
>
> Warning: Your password will expire in less than one hour.
> Warning: password has expired.
> Kerberos 5 Password:
> Warning: Your password will expire in less than one hour.
> New UNIX password:
> Retype new UNIX password:
> su: incorrect password
> [michael at freeipa Desktop]$ su - root
> Password:
> [root at freeipa ~]# su - haha
> su: warning: cannot change directory to /home/haha: No such file or directory
> -sh-3.2$
>
>
> Root can su - haha successfully. I think that means Kerberos works, but
> a new user cannot reset their password in their shell.
>
> What should I do?
>
> Best Regards,
> Michael
>
> --
> Michael Kang(康上明学)
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>
> --
> Jenny Galipeau <jgalipea at redhat.com>
> Principal Software QA Engineer
> Red Hat, Inc. Security Engineering
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> --
> David O'Brien
> IPA Content Author
> Red Hat Asia Pacific
> +61 7 3514 8189
>
> "The most valuable of all talents is that of never using two words when one will do."
> Thomas Jefferson
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
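The thread above turns on whether a client krb5.conf written by ipa-client-install needs explicit [realms] and [domain_realm] sections or can rely on DNS lookup. The Python below is an added example for checking that mechanically; it is not code from this thread or from the FreeIPA project. The function names parse_krb5_conf and check_client_config are my own, and the two embedded configs are constructed from the client file quoted in the thread (realm ARAGON.LOCAL, KDC ipa.aragon.local), one with the added sections and one as ipa-client-install first wrote it.

```python
"""Parse a MIT krb5.conf and sanity-check the realm/domain mapping a client
needs.  Added example; not code from the thread or from FreeIPA.  Function
names are mine; the sample configs are constructed from the thread's file."""
import re

# Constructed sample: the client file after [realms] and [domain_realm] were added.
FULL_KRB5_CONF = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
[realms]
  ARAGON.LOCAL = {
    kdc = ipa.aragon.local:88
    admin_server = ipa.aragon.local:749
    default_domain = aragon.local
  }
[domain_realm]
  .aragon.local = ARAGON.LOCAL
  aragon.local = ARAGON.LOCAL
[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }
"""

# Constructed sample: the file as ipa-client-install first wrote it, with no
# [realms] or [domain_realm] section and DNS lookup switched on.
MINIMAL_KRB5_CONF = """\
[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
"""


def parse_krb5_conf(text):
    """Return {section: {key: value or {subkey: value}}}.

    Covers the syntax used in the thread: [section] headers, key = value
    lines and one level of `name = { ... }` groups.  Comments (# or ;) and
    blank lines are skipped; a repeated key keeps its last value.
    """
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                   # new [section]
            section = conf.setdefault(m.group(1), {})
            group = None
            continue
        if section is None:
            raise ValueError("setting outside any [section]: %r" % raw)
        if line == "}":                         # end of a { ... } group
            group = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)
        if m:                                   # start of a { ... } group
            group = section.setdefault(m.group(1), {})
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        (group if group is not None else section)[m.group(1)] = m.group(2).strip()
    return conf


def _is_true(value):
    return str(value).strip().lower() in ("true", "yes", "1")


def check_client_config(conf):
    """Return findings as 'WARN: ...' / 'INFO: ...' strings; [] means all clear."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["WARN: libdefaults has no default_realm"]
    # [realms] must name a KDC unless the client may locate it via DNS SRV records.
    realm_block = conf.get("realms", {}).get(realm)
    if not (isinstance(realm_block, dict) and "kdc" in realm_block):
        if _is_true(libdefaults.get("dns_lookup_kdc", "false")):
            findings.append("INFO: no kdc for %s in [realms]; KDC located via DNS SRV records" % realm)
        else:
            findings.append("WARN: no kdc for %s in [realms] and dns_lookup_kdc is off" % realm)
    # [domain_realm] maps hostnames to the realm unless dns_lookup_realm is on.
    if realm not in conf.get("domain_realm", {}).values():
        if _is_true(libdefaults.get("dns_lookup_realm", "false")):
            findings.append("INFO: no [domain_realm] entry for %s; realm found via DNS TXT records" % realm)
        else:
            findings.append("WARN: no [domain_realm] entry for %s and dns_lookup_realm is off" % realm)
    # Kerberos 4 conversion is obsolete; flag it if anyone turned it on.
    pam = conf.get("appdefaults", {}).get("pam", {})
    if isinstance(pam, dict) and _is_true(pam.get("krb4_convert", "false")):
        findings.append("WARN: appdefaults/pam enables krb4_convert (obsolete Kerberos 4 support)")
    return findings
```

The checks separate a hard failure from reliance on DNS: with dns_lookup_kdc and dns_lookup_realm both true, as in the file ipa-client-install produced, a missing [realms] or [domain_realm] entry is reported only as INFO, because the client then resolves the KDC from SRV records and the realm from TXT records in DNS; the same omission with DNS lookup turned off is a WARN, since the client has no way to find a KDC. Running check_client_config over a fleet's krb5.conf files is a cheap way to see which hosts have DNS on the critical path for authentication.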