
Fwd: [Freeipa-users] Problem with Kerberos Authentication

---------- Forwarded message ----------
From: Michael Kang <wxiluo gmail com>
Date: Fri, Sep 25, 2009 at 4:09 PM
Subject: Re: [Freeipa-users] Problem with Kerberos Authentication
To: Jenny Galipeau <jgalipea redhat com>


Dear Jenny Galipeau,

Thank you and everyone who helped me with this project. Thanks for being patient and answering my questions :)

My problem was solved by using Fedora 11 (upgraded completely). FreeIPA may have bugs with Fedora 9.

If I install Fedora 11 (not upgrade), then install ipa-server, Apache crashed many times per second. Here is the log output:
Apache child pid xxxx exit signal Segmentation fault (11)

After upgrading the whole system, this problem disappeared. Also, the new user can pass the Kerberos authentication and log in to the system successfully.

If you want to get the details about the bugs on Fedora 9, I could send them to you. Please let me know what you want.

Thank you again.
Michael


On Thu, Sep 24, 2009 at 8:41 PM, Jenny Galipeau <jgalipea redhat com> wrote:
Hi Michael:

Let's rule in or out the delegation you added. Can you remove the delegation and try it? If it works, I think we may have a bug. If it behaves the same, if you could provide more debug info that would be great.

Thanks
Jenny

Michael Kang wrote:
Hi David,

I rebooted the system after I edited the configuration file.

Regards,
Michael

On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien <davido redhat com> wrote:

   Michael,
   did you restart the kdc after you updated the krb5.conf file?

   David

   Michael Kang wrote:

       According to the FreeIPA Client Configuration Guide, I realized I
       may have missed something in my client's krb5.conf. It had been
       created by the ipa-client-install script; I never edited it. But
       there are *no* *[realms]* and *[domain_realm]* sections in the
       krb5.conf file.

       So I added them, as shown below:


           #File modified by ipa-client-install

           [libdefaults]
           default_realm = ARAGON.LOCAL
           dns_lookup_realm = true
           dns_lookup_kdc = true
           ticket_lifetime = 24h
           forwardable = yes

           [realms]
           ARAGON.LOCAL = {
           kdc = ipa.aragon.local:88
           admin_server = ipa.aragon.local:749
           default_domain = aragon.local
           }

           [domain_realm]
           .aragon.local = ARAGON.LOCAL
           aragon.local = ARAGON.LOCAL

           [appdefaults]
           pam = {
           debug = false
           ticket_lifetime = 36000
           renew_lifetime = 36000
           forwardable = true
           krb4_convert = false
           }



       It doesn't work with the new krb5.conf either:
       *kinit(v5): Password change failed while getting initial
       credentials*

       I'd like to post more detailed output. I hope it is helpful.


           [root@freeipa ~]# kinit admin
           Password for admin@ARAGON.LOCAL:
           [root@freeipa ~]# klist
           Ticket cache: FILE:/tmp/krb5cc_0
           Default principal: admin@ARAGON.LOCAL

           Valid starting     Expires            Service principal
           09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/ARAGON.LOCAL@ARAGON.LOCAL


           Kerberos 4 ticket cache: /tmp/tkt0
           klist: You have no tickets cached
           [root@freeipa ~]# ipa-finduser admin
           Full Name: Administrator
           Home Directory: /home/admin
           Login Shell: /bin/bash
           Login: admin

           [root@freeipa ~]# ipa-finduser haha
           Full Name: haha haha
           Home Directory: /home/haha
           Login Shell: /bin/sh
           Login: haha



       Regards,
       Michael

       On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang
       <wxiluo gmail com> wrote:


           Here is the client's krb5.conf:

           #File modified by ipa-client-install

               [libdefaults]
               default_realm = ARAGON.LOCAL
               dns_lookup_realm = true
               dns_lookup_kdc = true
               ticket_lifetime = 24h
               forwardable = yes

               [appdefaults]
               pam = {
               debug = false
               ticket_lifetime = 36000
               renew_lifetime = 36000
               forwardable = true
               krb4_convert = false
               }


           EOF


           On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau
           <jgalipea redhat com> wrote:



               Michael Kang wrote:


                   Dear FreeIPA community,

                   I did try setting the new user's initial password, but
                   it didn't work either.
                   I got a protocol error.

                   Here is the console output:

                   [root@freeipa ~]# kinit admin
                   Password for admin@ARAGON.LOCAL:
                   [root@freeipa ~]# ipa-passwd haha
                   Changing password for haha@ARAGON.LOCAL
                   New Password:
                   Confirm Password:
                   [root@freeipa ~]# kinit haha
                   Password for haha@ARAGON.LOCAL:
                   Password expired. You must change it now.
                   Enter new password:
                   Enter it again:
                   kinit(v5): Requested protocol version not supported while getting initial credentials



               Sounds like a Kerberos V4 request was sent to the KDC?
               What's in the client's krb5.conf?
               Jenny


                   On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau
                   <jgalipea redhat com> wrote:

                   Jenny Galipeau wrote:

                   Michael Kang wrote:

                   Dear FreeIPA community,

                   I successfully installed FreeIPA this morning. Now I
                   have a problem with Kerberos authentication: new users
                   cannot modify their password in the shell.

                   Hi Michael:
                   Did you set the new user's initial password?
                   kinit admin
                   ipa passwd haha
                   Thanks
                   Jenny

                   Also kinit as haha, because haha will be asked to
                   change the password on first authentication.

                   Thanks
                   Jenny


                   I added a new user named haha (group: ipauser) via
                   the web UI. This user is not an existing system user.
                   Then I added a new delegation (allowing people in group
                   ipauser to modify passwords for group ipauser).

                   [michael@freeipa Desktop]$ su - haha
                   Password:

                   Warning: Your password will expire in less than one hour.
                   Warning: password has expired.
                   Kerberos 5 Password:
                   Warning: Your password will expire in less than one hour.
                   New UNIX password:
                   Retype new UNIX password:
                   su: incorrect password
                   [michael@freeipa Desktop]$ su - root
                   Password:
                   [root@freeipa ~]# su - haha
                   su: warning: cannot change directory to /home/haha: No such file or directory
                   -sh-3.2$


                   Root can su - haha successfully. I think that means
                   Kerberos works, but a new user cannot reset their
                   password in their shell.

                   What should I do?

                   Best Regards,
                   Michael

                   --
                   Michael Kang (康上明学)
                   There is a giant asleep within every man. When the giant
                   awakens, miracles happen.

                   Personal blog: http://ufusion.org - United Fusion

                   ------------------------------------------------------------------------

                   _______________________________________________
                   Freeipa-users mailing list
                   Freeipa-users redhat com
                   https://www.redhat.com/mailman/listinfo/freeipa-users





                   --
                   Jenny Galipeau <jgalipea redhat com>
                   Principal Software QA Engineer
                   Red Hat, Inc. Security Engineering

















   --
   David O'Brien
   IPA Content Author
   Red Hat Asia Pacific
   +61 7 3514 8189

   "The most valuable of all talents is that of never using two words
   when one will do."
   Thomas Jefferson













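As an added example (not code from this thread or from FreeIPA), the following Python checks a client krb5.conf for the two things Michael added by hand: a [realms] entry with a kdc for the default realm and a [domain_realm] mapping for its domain. It treats a missing [realms] entry as only a warning when dns_lookup_kdc is on, since MIT krb5 can then locate the KDC through DNS SRV records. The function names and the trimmed sample configs BASE and FIXED are mine.

```python
# Added example, not code from this thread or FreeIPA: a linter for the MIT krb5.conf
# format. BASE/FIXED are constructed from the two client configs Michael posted (trimmed).
BASE = """[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_kdc = true
"""
FIXED = BASE + """[realms]
ARAGON.LOCAL = {
kdc = ipa.aragon.local:88
}
[domain_realm]
.aragon.local = ARAGON.LOCAL
aragon.local = ARAGON.LOCAL
"""

def parse_krb5_conf(text):
    """Parse krb5.conf (INI sections plus 'NAME = { ... }' blocks) into dicts."""
    conf, sec, blk = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sec, blk = line[1:-1], None
            conf[sec] = {}
        elif line == "}":
            blk = None
        elif line:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":
                blk = key
                conf[sec][blk] = {}
            else:
                (conf[sec][blk] if blk else conf[sec])[key] = val
    return conf

def lint_client_config(text):
    """Return findings on whether default_realm is fully described."""
    conf = parse_krb5_conf(text)
    libdef = conf.get("libdefaults", {})
    realm = libdef.get("default_realm")
    if not realm:
        return ["error: no default_realm in [libdefaults]"]
    out = []
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        # with dns_lookup_kdc = true MIT krb5 can still find the KDC via DNS SRV
        dns = libdef.get("dns_lookup_kdc", "false").lower() == "true"
        out.append(("warning" if dns else "error") + f": no kdc for {realm} in [realms]")
    dom, dr = realm.lower(), conf.get("domain_realm", {})
    if dr.get("." + dom) != realm or dr.get(dom) != realm:
        out.append(f"warning: [domain_realm] does not map {dom} to {realm}")
    return out
```

Running lint_client_config on the config ipa-client-install wrote (BASE) reports two warnings, while the edited one (FIXED) reports nothing.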
