[Freeipa-users] Ipa migration, from ui cannot change password

James James jreg2k at gmail.com
Thu Sep 20 22:18:37 UTC 2012


This is my krb5kdc.log ...

Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: test at LIX.POLYTECHNIQUE.FR for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password has expired
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: test at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional pre-authentication required
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18 tkt=18 ses=18}, test at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example.com at EXAMPLE.COM for ldap/ipa.example.com at EXAMPLE.COM
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ... CONSTRAINED-DELEGATION s4u-client=admin at EXAMPLE.COM
Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example.com at EXAMPLE.COM for ldap/ipa.example.com at EXAMPLE.COM


Thanks

2012/9/21 James James <jreg2k at gmail.com>

> Now, I can read the userPassword field (after the migration process) but I
> still can't change my password from the UI. I just got:
>
> kerberos ticket is no longer valid.
>
>
>
> 2012/9/20 James James <jreg2k at gmail.com>
>
>> It will be fine to have this info in the doc.
>>
>>
>> 2012/9/20 Rob Crittenden <rcritten at redhat.com>
>>
>>> Dmitri Pal wrote:
>>>
>>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>>
>>>>> James James wrote:
>>>>>
>>>>>> You're right. The request returns:
>>>>>>
>>>>>> Enter LDAP Password:
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>>>> # filter: uid=test
>>>>>> # requesting: userPassword
>>>>>> #
>>>>>>
>>>>>> # test, users, accounts, example.com
>>>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 0 Success
>>>>>>
>>>>>> Can you explain to me what happens?
>>>>>>
>>>>>> Is there a solution?
>>>>>>
>>>>>
>>>>> When migrating you need to bind as a user that has read permission on
>>>>> the userPassword attribute in the remote LDAP server.
>>>>>
>>>>
>>>> Rob should we check if we can read the userPassword attribute and if not
>>>> fail migration?
>>>> Should we open a ticket for this?
>>>> Also I do not think we document the expectation that you vocalized
>>>> above.
>>>>
>>>
>>> I'll open a ticket to spell this out in the docs.
>>>
>>> Checking it in the command would be nice but I don't know about fatal.
>>> Still, I'll open a ticket for that as well.
>>>
>>> rob
>>>
>>
>>
>
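
An added example (not part of the thread and not FreeIPA code): a pre-migration check that parses ldapsearch LDIF output like the one quoted above and lists the entries that came back without userPassword, which is what the remote server returns when the bind DN lacks read permission on that attribute. The sample LDIF, the "alice" entry and all function names are constructed for illustration.

```python
import base64

# Constructed sample modelled on the ldapsearch output in the thread: "test" comes
# back with a DN only; the hypothetical "alice" entry includes userPassword.
_PW = base64.b64encode(b"{SSHA}constructed-not-a-real-hash").decode()
SAMPLE_LDIF = (
    "# extended LDIF\n#\n# LDAPv3\n# requesting: userPassword\n#\n\n"
    "# test, users, accounts, example.com\n"
    "dn: uid=test,cn=users,cn=accounts,dc=example,dc=com\n\n"
    "# alice, users, accounts, example.com\n"
    "dn: uid=alice,cn=users,cn=accounts,\n dc=example,dc=com\n"  # folded line
    "userPassword:: " + _PW + "\n\n"
    "# search result\nsearch: 2\nresult: 0 Success\n"
)

def unfold(text):
    """Drop LDIF comments and join continuation lines (one leading space)."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" ") and (in_comment or (lines and lines[-1])):
            if not in_comment:
                lines[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            lines.append(raw)
    return lines

def decode(value):
    """Return the attribute value; 'attr:: x' means x is base64-encoded."""
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return value.strip()

def entries_missing_password(ldif_text):
    """Return the DNs of entries returned without a userPassword value."""
    missing, dn, has_pw = [], None, False
    for line in unfold(ldif_text) + [""]:   # trailing "" flushes the last entry
        if not line:
            if dn is not None and not has_pw:
                missing.append(dn)
            dn, has_pw = None, False
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            dn = decode(value)
        elif attr.lower() == "userpassword" and decode(value):
            has_pw = True
    return missing

if __name__ == "__main__":
    for dn in entries_missing_password(SAMPLE_LDIF):
        print("no userPassword returned for", dn)
```

An entry listed here may also simply have no password set on the remote server, so compare the result against a search run with a bind DN known to have read access.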