According to the FreeIPA Client Configure Guide, I realized I may be missing
something in my client's krb5.conf. It had been created by the
ipa-client-install script. I never edited it. But there are *no* *[realms]* and
*[domain_realm]* in the krb5.conf file.
So I added them, shown below:
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = ARAGON.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> ARAGON.LOCAL = {
> kdc = ipa.aragon.local:88
> admin_server = ipa.aragon.local:749
> default_domain = aragon.local
> }
>
> [domain_realm]
> .aragon.local = ARAGON.LOCAL
> aragon.local = ARAGON.LOCAL
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
It doesn't work with the new krb5.conf either.
*kinit(v5): Password change failed while getting initial credentials*
I'd like to post more detailed output. I hope it is helpful.
> [r...@freeipa ~]# kinit admin
> Password for [email protected]:
> [r...@freeipa ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 09/23/09 22:52:57 09/24/09 22:52:58 krbtgt/[email protected]
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [r...@freeipa ~]# ipa-finduser admin
> Full Name: Administrator
> Home Directory: /home/admin
> Login Shell: /bin/bash
> Login: admin
>
> [r...@freeipa ~]# ipa-finduser haha
> Full Name: haha haha
> Home Directory: /home/haha
> Login Shell: /bin/sh
> Login: haha
>
Regards,
Michael
On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <[email protected]> wrote:
> Here is client's krb5.conf:
>
> #File modified by ipa-client-install
>>
>> [libdefaults]
>> default_realm = ARAGON.LOCAL
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>
> EOF
>
>
> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <[email protected]> wrote:
>
>> Michael Kang wrote:
>>
>>> Dear FreeIPA community,
>>>
>>> I did try setting the new user's initial password. But it didn't work either.
>>> I got a protocol error.
>>>
>>> Here is the output of console :
>>>
>>> [r...@freeipa ~]# kinit admin
>>> Password for [email protected]:
>>> [r...@freeipa ~]# ipa-passwd haha
>>> Changing password for [email protected]
>>> New Password:
>>> Confirm Password:
>>> [r...@freeipa ~]# kinit haha
>>> Password for [email protected]:
>>> Password expired. You must change it now.
>>> Enter new password:
>>> Enter it again:
>>> kinit(v5): Requested protocol version not supported while getting
>>> initial credentials
>>>
>>>
>> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
>> client's krb5.conf?
>> Jenny
>>
>>>
>>>
>>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <[email protected]> wrote:
>>>
>>> Jenny Galipeau wrote:
>>>
>>>
>>> Michael Kang wrote:
>>>
>>> Dear FreeIPA community,
>>>
>>> I successfully installed FreeIPA this morning. Now I have a
>>> problem with Kerberos authentication. A new user cannot
>>> modify their password in the shell.
>>>
>>> Hi Michael:
>>> Did you set the new user's initial password?
>>> kinit admin
>>> ipa passwd haha
>>> Thanks
>>> Jenny
>>>
>>> Also kinit as haha, because haha will be asked to change the
>>> password on first authentication.
>>>
>>> Thanks
>>> Jenny
>>>
>>>
>>> I added a new user named /haha (group: ipauser)/ via
>>> the web UI. This user is not an existing system user. Then I
>>> added a new Delegation (allowing people in group ipauser to
>>> modify passwords for group ipauser).
>>>
>>> /[mich...@freeipa Desktop]$ su - haha/
>>> /Password: /
>>>
>>> /Warning: Your password will expire in less than one hour./
>>> /Warning: password has expired./
>>> /Kerberos 5 Password: /
>>> /Warning: Your password will expire in less than one hour./
>>> /New UNIX password: /
>>> /Retype new UNIX password: /
>>> /su: incorrect password/
>>> /[mich...@freeipa Desktop]$ su - root/
>>> /Password: /
>>> /[r...@freeipa ~]# su - haha/
>>> /su: warning: cannot change directory to /home/haha: No
>>> such file
>>> or directory/
>>> /-sh-3.2$ /
>>>
>>>
>>> Root can su - haha successfully. I think that means
>>> Kerberos works, but a new user cannot reset their password
>>> in their shell.
>>>
>>> What should I do?
>>>
>>> Best Regards,
>>> Michael
>>>
>>> -- Michael Kang(康上明学)
>>> There is a giant asleep within every man. When the giant
>>> awakens,miracles happen.
>>>
>>> Personal blog: http://ufusion.org - United Fusion
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> [email protected] <mailto:[email protected]>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>>
>>>
>>>
>>> -- Jenny Galipeau <[email protected]>
>>> Principal Software QA Engineer
>>> Red Hat, Inc. Security Engineering
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
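A small checker for the gap Michael describes at the top of the thread, written here as an added example (it is not from the original posts or from FreeIPA): it parses a krb5.conf and reports whether [realms] and [domain_realm] actually cover the configured default_realm, using a constructed sample modelled on the quoted client config.

```python
import re
# Constructed sample: the [libdefaults] block quoted in the thread.
ORIGINAL_CONF = """[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_kdc = true
"""
# Same file with the [realms] and [domain_realm] entries added by hand.
FIXED_CONF = ORIGINAL_CONF + """[realms]
ARAGON.LOCAL = {
kdc = ipa.aragon.local:88
admin_server = ipa.aragon.local:749
}
[domain_realm]
.aragon.local = ARAGON.LOCAL
"""
def parse_krb5_conf(text):
    """Parse into {section: {key: value or {subkey: value}}}; one '{ }' level."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            sub = None
        elif section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                sub = section.setdefault(key, {})
            elif sub is not None:
                sub[key] = value
            else:
                section[key] = value
    return conf

def missing_entries(text):
    """List the [realms]/[domain_realm] entries the thread added, if absent."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if realm is None:
        return ["libdefaults has no default_realm"]
    block = conf.get("realms", {}).get(realm)
    block = block if isinstance(block, dict) else {}
    problems = [f"[realms] has no {k} for {realm}"
                for k in ("kdc", "admin_server") if k not in block]
    if realm not in conf.get("domain_realm", {}).values():
        problems.append(f"[domain_realm] maps nothing to {realm}")
    return problems
```

With dns_lookup_kdc = true a missing kdc entry is not fatal by itself, since MIT Kerberos can locate KDCs through DNS SRV records; treat the report as a list of things to verify, not as a diagnosis of the password-change error in the thread.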