[Freeipa-users] Problem with Kerberos Authentication
Michael Kang
wxiluo at gmail.com
Thu Sep 24 02:27:52 UTC 2009
Here is client's krb5.conf:
#File modified by ipa-client-install

[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

EOF
On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
> Michael Kang wrote:
>
>> Dear FreeIPA community,
>>
>> I did try to set the new user's initial password. But it didn't work either.
>> I got a protocol error.
>>
>> Here is the output of console :
>>
>> [root at freeipa ~]# kinit admin
>> Password for admin at ARAGON.LOCAL:
>> [root at freeipa ~]# ipa-passwd haha
>> Changing password for haha at ARAGON.LOCAL
>> New Password:
>> Confirm Password:
>> [root at freeipa ~]# kinit haha
>> Password for haha at ARAGON.LOCAL:
>> Password expired. You must change it now.
>> Enter new password:
>> Enter it again:
>> kinit(v5): Requested protocol version not supported while getting
>> initial credentials
>>
>>
> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
> client's krb5.conf?
> Jenny
>
>>
>>
>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>
>> Jenny Galipeau wrote:
>>
>>
>> Michael Kang wrote:
>>
>> Dear FreeIPA community,
>>
>> I successfully installed FreeIPA this morning. Now I got a
>> problem about Kerberos Authentication. New user cannot
>> modify their password in shell.
>>
>> Hi Michael:
>> Did you set the new user's initial password?
>> kinit admin
>> ipa passwd haha
>> Thanks
>> Jenny
>>
>> Also kinit as haha, because haha will be asked to change the
>> password on first authentication.
>>
>> Thanks
>> Jenny
>>
>>
>> I added a new user named haha (group: ipauser) based on
>> the webUI. This user is not an existing system user. Then I
>> added a new Delegation (allow people in group ipauser to
>> modify passwords for group ipauser).
>>
>> [michael at freeipa Desktop]$ su - haha
>> Password:
>>
>> Warning: Your password will expire in less than one hour.
>> Warning: password has expired.
>> Kerberos 5 Password:
>> Warning: Your password will expire in less than one hour.
>> New UNIX password:
>> Retype new UNIX password:
>> su: incorrect password
>> [michael at freeipa Desktop]$ su - root
>> Password:
>> [root at freeipa ~]# su - haha
>> su: warning: cannot change directory to /home/haha: No such file or directory
>> -sh-3.2$
>>
>>
>> Root can su - haha successfully. I think that means the
>> Kerberos works, but new user cannot reset their password
>> in their shell.
>>
>> What should I do?
>>
>> Best Regards,
>> Michael
>>
>> -- Michael Kang(康上明学)
>> There is a giant asleep within every man. When the giant
>> awakens,miracles happen.
>>
>> Personal blog: http://ufusion.org - United Fusion
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>>
>>
>> -- Jenny Galipeau <jgalipea at redhat.com>
>> Principal Software QA Engineer
>> Red Hat, Inc. Security Engineering
>>
>>
>>
>>
>> --
>> Michael Kang(康上明学)
>> There is a giant asleep within every man. When the giant awakens,miracles
>> happen.
>>
>> Personal blog: http://ufusion.org - United Fusion
>>
>
>
> --
> Jenny Galipeau <jgalipea at redhat.com>
> Principal Software QA Engineer
> Red Hat, Inc. Security Engineering
>
>
--
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles
happen.
Personal blog: http://ufusion.org - United Fusion