[Freeipa-users] Problem with FreeIPA v2 and kpasswd on Solaris 10

Rob Crittenden rcritten at redhat.com
Thu Oct 14 19:50:31 UTC 2010


Rob Crittenden wrote:
> Miljan Karadzic wrote:
>> Hi,
>>
>> I am having problems configuring Solaris 10 client to work with FreeIPA
>> v2 server. Everything seems to be working fine except for password
>> change. When I try to change the password I get this error:
>>
>> $ kpasswd
>> kpasswd: Changing password for user at EXAMPLE.COM.
>> Old password:
>> kpasswd: Cannot establish a session with the Kerberos administrative
>> server for realm EXAMPLE.COM. Database error! Required KADM5 principal
>> missing.
>>
>> In KDC log I can see this entry:
>>
>> AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: SERVER_NOT_FOUND:
>> user at EXAMPLE.COM for changepw/freeipa.example.com at EXAMPLE.COM, Server
>> not found in Kerberos database
>>
>> (freeipa.example.com is my FreeIPA server)
>>
>> And this is how it looks when it's working:
>>
>> AS_REQ (2 etypes {3 1}) 192.101.1.73: NEEDED_PREAUTH: user at EXAMPLE.COM
>> for kadmin/changepw at EXAMPLE.COM, Additional pre-authentication required
>> AS_REQ (2 etypes {3 1}) 192.101.1.73: ISSUE: authtime 1287068308, etypes
>> {rep=3 tkt=18 ses=1}, user at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM
>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: NEEDED_PREAUTH:
>> kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM,
>> Additional pre-authentication required
>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: ISSUE: authtime
>> 1287068319, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM
>> for krbtgt/EXAMPLE.COM at EXAMPLE.COM
>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: ISSUE: authtime
>> 1287068319, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM
>> for ldap/freeipa.example.com at EXAMPLE.COM
>>
>> It seems that Solaris is requiring
>> changepw/freeipa.example.com at EXAMPLE.COM Kerberos principal for password
>> changes, instead of kadmin/changepw at EXAMPLE.COM. I have a landscape with
>> AIX, HP-UX, Linux and Solaris servers, and all other systems do not use
>> mentioned principal, so this seems to be something specific to Solaris
>> (or maybe specific to my configuration :)).
>>
>> Is there a way to instruct the Kerberos client which principal to use for
>> password changes? Or, if not, how do I add the missing principal (I do not
>> see a way of doing it with FreeIPA commands)?
>>
>> Installed software:
>>
>> Client:
>> SUNWkrbr/SUNWkrbu 11.10.0,REV=2005.01.21.16.34
>>
>> Server:
>> 389-ds-base-1.2.6.1-2.fc13.i686
>> ipa-admintools-1.9.0.pre4-0.fc13.i686
>> ipa-client-1.9.0.pre4-0.fc13.i686
>> ipa-python-1.9.0.pre4-0.fc13.i686
>> ipa-server-1.9.0.pre4-0.fc13.i686
>> ipa-server-selinux-1.9.0.pre4-0.fc13.i686
>> krb5-libs-1.7.1-14.fc13.i686
>> krb5-server-1.7.1-14.fc13.i686
>> krb5-server-ldap-1.7.1-14.fc13.i686
>> krb5-workstation-1.7.1-14.fc13.i686
>> pam_krb5-2.3.11-1.fc13.i686
>> python-iniparse-0.4-1.fc13.noarch
>> python-krbV-1.0.90-1.fc13.i686
>>
>> Thanks,
>> Miljan
>
> The good news is that I can reproduce this on my Solaris 10 system. The
> bad news is I'm not sure what the solution is yet. I'll keep looking.
> regards
>

I can't test this completely because for some reason kinit is
segfaulting on my machine. I can get it to use the right principal for
kpasswd though; try adding kpasswd_protocol = SET_CHANGE to your [realm]
section in /etc/krb/krb5.conf, something like:

[realms]
         EXAMPLE.COM = {
                 kdc = freeipa.example.com:88
                 admin_server = freeipa.example.com:749
                 kpasswd_protocol = SET_CHANGE
         }

rob
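The following is an added example and is not code from the thread or from FreeIPA. It checks, from a defender's side, the two things discussed above: whether a krb5.conf [realms] stanza carries the kpasswd_protocol setting Rob suggests, and whether KDC log lines show the symptom Miljan reported (an AS_REQ for a changepw/<host>@REALM service principal that the KDC answers with SERVER_NOT_FOUND). The krb5.conf fragment and the log lines are constructed for the example, modelled on the ones quoted in the thread; note the list archive renders '@' in principal names as ' at ', while a real KDC log uses '@'.

```python
"""Check kpasswd_protocol in krb5.conf and spot changepw/<host> lookups in a KDC log.

Added example, not part of the mailing-list thread or of FreeIPA.
The config text and the log lines below are constructed sample input.
"""
import re

# Constructed krb5.conf fragment with the setting suggested in the reply.
SAMPLE_KRB5_CONF = """
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = freeipa.example.com:88
                admin_server = freeipa.example.com:749
                kpasswd_protocol = SET_CHANGE
        }
        OTHER.EXAMPLE = {
                kdc = kdc.other.example:88
        }
"""

# Constructed KDC log lines in the format quoted in the thread ('@' written out).
SAMPLE_KDC_LOG = """\
AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: SERVER_NOT_FOUND: user@EXAMPLE.COM for changepw/freeipa.example.com@EXAMPLE.COM, Server not found in Kerberos database
AS_REQ (2 etypes {3 1}) 192.101.1.73: NEEDED_PREAUTH: user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
AS_REQ (2 etypes {3 1}) 192.101.1.73: ISSUE: authtime 1287068308, etypes {rep=3 tkt=18 ses=1}, user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
"""


def parse_realms(conf_text):
    """Return {realm: {key: value}} from the [realms] section of krb5.conf text.

    Minimal parser for the brace-delimited stanza style; other sections are
    skipped and only one level of braces is handled.
    """
    realms = {}
    section = None
    current = None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, current = m.group(1), None
            continue
        if section != 'realms':
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)   # "REALM = {"
        if m:
            current = m.group(1)
            realms[current] = {}
            continue
        if line == '}':
            current = None
            continue
        if current is not None and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            realms[current][key] = value
    return realms


def check_kpasswd_protocol(realms, expected='SET_CHANGE'):
    """Return {realm: 'ok' | 'unset' | 'unexpected:<value>'} for each realm."""
    result = {}
    for realm, keys in realms.items():
        value = keys.get('kpasswd_protocol')
        if value is None:
            result[realm] = 'unset'
        elif value.upper() == expected:
            result[realm] = 'ok'
        else:
            result[realm] = 'unexpected:' + value
    return result


# Matches the krb5kdc request log format seen in the thread; the authtime/etypes
# group only appears on ISSUE lines.
LOG_RE = re.compile(
    r'^(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<src>[\d.]+): '
    r'(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?'
    r'(?P<client>\S+) for (?P<server>[^,\s]+)')


def find_changepw_lookups(log_text):
    """Return (source_ip, client, server) for SERVER_NOT_FOUND requests whose
    target is a changepw/<host> service principal, i.e. the symptom above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        server = m.group('server')
        if m.group('status') == 'SERVER_NOT_FOUND' and server.startswith('changepw/'):
            hits.append((m.group('src'), m.group('client'), server))
    return hits


if __name__ == '__main__':
    for realm, status in check_kpasswd_protocol(parse_realms(SAMPLE_KRB5_CONF)).items():
        print(f'{realm}: kpasswd_protocol {status}')
    for src, client, server in find_changepw_lookups(SAMPLE_KDC_LOG):
        print(f'{src}: {client} asked for missing {server}')
```

Run against a real Solaris client's /etc/krb5/krb5.conf and the krb5kdc log on the IPA server, the first report tells you which realms still lack the setting and the second lists the client addresses that are still requesting a changepw/<host> principal, which is the quickest way to confirm the fix has reached every client.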