Hi David, I rebooted the system after I edited the configuration file.
Regards,
Michael

On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien <[email protected]> wrote:
> Michael,
> did you restart the kdc after you updated the krb5.conf file?
>
> David
>
> Michael Kang wrote:
>
>> According to the FreeIPA Client Configure Guide, I realized I may have
>> missed something in my client's krb5.conf. It had been created by the
>> ipa-client-install script. I never edited it. But there are *no* *[realms]*
>> and *[domain_realm]* in the krb5.conf file.
>>
>> So I added them, shown below:
>>
>>> #File modified by ipa-client-install
>>>
>>> [libdefaults]
>>> default_realm = ARAGON.LOCAL
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>>
>>> [realms]
>>> ARAGON.LOCAL = {
>>> kdc = ipa.aragon.local:88
>>> admin_server = ipa.aragon.local:749
>>> default_domain = aragon.local
>>> }
>>>
>>> [domain_realm]
>>> .aragon.local = ARAGON.LOCAL
>>> aragon.local = ARAGON.LOCAL
>>>
>>> [appdefaults]
>>> pam = {
>>> debug = false
>>> ticket_lifetime = 36000
>>> renew_lifetime = 36000
>>> forwardable = true
>>> krb4_convert = false
>>> }
>>
>> It doesn't work with the new krb5.conf either.
>> *kinit(v5): Password change failed while getting initial credentials*
>>
>> I'd like to post more detailed output. Hope it could be helpful.
>>
>>> [r...@freeipa ~]# kinit admin
>>> Password for [email protected]:
>>> [r...@freeipa ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: [email protected]
>>>
>>> Valid starting     Expires            Service principal
>>> 09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/[email protected]
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>> [r...@freeipa ~]# ipa-finduser admin
>>> Full Name: Administrator
>>> Home Directory: /home/admin
>>> Login Shell: /bin/bash
>>> Login: admin
>>>
>>> [r...@freeipa ~]# ipa-finduser haha
>>> Full Name: haha haha
>>> Home Directory: /home/haha
>>> Login Shell: /bin/sh
>>> Login: haha
>>
>> Regards,
>> Michael
>>
>> On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <[email protected]> wrote:
>>
>>> Here is the client's krb5.conf:
>>>
>>> #File modified by ipa-client-install
>>>
>>>> [libdefaults]
>>>> default_realm = ARAGON.LOCAL
>>>> dns_lookup_realm = true
>>>> dns_lookup_kdc = true
>>>> ticket_lifetime = 24h
>>>> forwardable = yes
>>>>
>>>> [appdefaults]
>>>> pam = {
>>>> debug = false
>>>> ticket_lifetime = 36000
>>>> renew_lifetime = 36000
>>>> forwardable = true
>>>> krb4_convert = false
>>>> }
>>>
>>> EOF
>>>
>>> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <[email protected]> wrote:
>>>
>>>> Michael Kang wrote:
>>>>
>>>>> Dear FreeIPA community,
>>>>>
>>>>> I did try to set the new user's initial password. But it didn't work
>>>>> either. I got a protocol error.
>>>>>
>>>>> Here is the output of the console:
>>>>>
>>>>> [r...@freeipa ~]# kinit admin
>>>>> Password for [email protected]:
>>>>> [r...@freeipa ~]# ipa-passwd haha
>>>>> Changing password for [email protected]
>>>>> New Password:
>>>>> Confirm Password:
>>>>> [r...@freeipa ~]# kinit haha
>>>>> Password for [email protected]:
>>>>> Password expired. You must change it now.
>>>>> Enter new password:
>>>>> Enter it again:
>>>>> kinit(v5): Requested protocol version not supported while getting
>>>>> initial credentials
>>>>
>>>> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
>>>> client's krb5.conf?
>>>> Jenny
>>>>
>>>>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <[email protected]> wrote:
>>>>>
>>>>>     Jenny Galipeau wrote:
>>>>>
>>>>>         Michael Kang wrote:
>>>>>
>>>>>             Dear FreeIPA community,
>>>>>
>>>>>             I successfully installed FreeIPA this morning. Now I got a
>>>>>             problem about Kerberos Authentication. A new user cannot
>>>>>             modify their password in the shell.
>>>>>
>>>>>         Hi Michael:
>>>>>         Did you set the new user's initial password?
>>>>>         kinit admin
>>>>>         ipa passwd haha
>>>>>         Thanks
>>>>>         Jenny
>>>>>
>>>>>     Also kinit as haha, because haha will be asked to change the
>>>>>     password on first authentication.
>>>>>
>>>>>     Thanks
>>>>>     Jenny
>>>>>
>>>>>             I added a new user named haha (group: ipauser) based on
>>>>>             the webUI. This user is not an existing system user. Then I
>>>>>             added a new Delegation (allowing people in group ipauser to
>>>>>             modify passwords for group ipauser).
>>>>>
>>>>>             [mich...@freeipa Desktop]$ su - haha
>>>>>             Password:
>>>>>
>>>>>             Warning: Your password will expire in less than one hour.
>>>>>             Warning: password has expired.
>>>>>             Kerberos 5 Password:
>>>>>             Warning: Your password will expire in less than one hour.
>>>>>             New UNIX password:
>>>>>             Retype new UNIX password:
>>>>>             su: incorrect password
>>>>>             [mich...@freeipa Desktop]$ su - root
>>>>>             Password:
>>>>>             [r...@freeipa ~]# su - haha
>>>>>             su: warning: cannot change directory to /home/haha: No such file
>>>>>             or directory
>>>>>             -sh-3.2$
>>>>>
>>>>>             Root can su - haha successfully. I think that means the
>>>>>             Kerberos works, but the new user cannot reset their password
>>>>>             in their shell.
>>>>>
>>>>>             What should I do?
>>>>>
>>>>>             Best Regards,
>>>>>             Michael
>>>>>
>>>>>             --
>>>>>             Michael Kang (康上明学)
>>>>>             There is a giant asleep within every man. When the giant
>>>>>             awakens, miracles happen.
>>>>>
>>>>>             Personal blog: http://ufusion.org - United Fusion
>>>>>
>>>>>             _______________________________________________
>>>>>             Freeipa-users mailing list
>>>>>             [email protected]
>>>>>             https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>         --
>>>>>         Jenny Galipeau <[email protected]>
>>>>>         Principal Software QA Engineer
>>>>>         Red Hat, Inc. Security Engineering
>
> --
>
> David O'Brien
> IPA Content Author
> Red Hat Asia Pacific
> +61 7 3514 8189
>
> "The most valuable of all talents is that of never using two words when
> one will do."
> Thomas Jefferson
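The thread turns on two things a client krb5.conf must say for a realm: a [realms] entry naming the KDC, and a [domain_realm] mapping from the DNS domain to the realm, both of which the posted file lacked until Michael added them. The following checker, an added example that is not code from the thread or from FreeIPA, parses a krb5.conf and reports those gaps, plus an obsolete krb4_convert = true in the pam block, which is the sort of setting Jenny's "Kerberos V4 request" remark points at. The parser is a simplified reading of the krb5.conf profile format (no include/includedir, no trailing-asterisk final-value markers), and the two sample configurations are constructed from the values posted in the thread.

```python
"""Check a client krb5.conf for the realm mappings the thread was missing.

Added example, not code from the thread or from FreeIPA. The parser is a
simplified reading of the krb5.conf profile format; the samples below are
constructed from the values posted in the thread.
"""
import re
import sys

# Constructed sample: the client file as ipa-client-install left it,
# with no [realms] and no [domain_realm] section.
SAMPLE_ORIGINAL = """\
#File modified by ipa-client-install

[libdefaults]
 default_realm = ARAGON.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true

[appdefaults]
 pam = {
  debug = false
  krb4_convert = false
 }
"""

# Constructed sample: the same file after the two sections were added.
SAMPLE_FIXED = SAMPLE_ORIGINAL.replace("[appdefaults]", """\
[realms]
 ARAGON.LOCAL = {
  kdc = ipa.aragon.local:88
  admin_server = ipa.aragon.local:749
  default_domain = aragon.local
 }

[domain_realm]
 .aragon.local = ARAGON.LOCAL
 aragon.local = ARAGON.LOCAL

[appdefaults]""")

_SECTION = re.compile(r"^\[([^\]]+)\]$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into nested dicts: {section: {key: value|dict}}.

    Lines starting with '#' or ';' are comments, 'key = {' opens a nested
    block closed by a line holding only '}', and the first value seen for a
    key wins (MIT Kerberos does the same for most settings).
    """
    conf = {}
    stack = []  # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = _SECTION.match(line)
        if header:
            stack = [conf.setdefault(header.group(1).strip(), {})]
            continue
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
            continue
        if not stack:
            raise ValueError(f"entry outside any section: {raw!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = stack[-1].setdefault(key, {})
            if not isinstance(block, dict):
                raise ValueError(f"{key} is both a value and a block")
            stack.append(block)
        else:
            stack[-1].setdefault(key, value)
    return conf


def check_client_conf(conf):
    """Return findings about the mappings a client needs for its default realm.

    An empty list means [realms] and [domain_realm] cover the default realm.
    Caveat: with dns_lookup_kdc = true a missing [realms] entry can still be
    resolved through DNS SRV records, so that finding is a warning, not proof
    of a fault.
    """
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    findings = []
    entry = conf.get("realms", {}).get(realm)
    if entry is None:
        findings.append(f"[realms] has no entry for {realm}")
    elif "kdc" not in entry:
        findings.append(f"[realms] entry for {realm} names no kdc")
    domain = realm.lower()
    mappings = conf.get("domain_realm", {})
    for name in ("." + domain, domain):
        if mappings.get(name) != realm:
            findings.append(f"[domain_realm] does not map {name} to {realm}")
    pam = conf.get("appdefaults", {}).get("pam", {})
    if str(pam.get("krb4_convert", "false")).lower() not in ("false", "no", "0"):
        findings.append("pam krb4_convert is enabled; Kerberos 4 is obsolete")
    return findings


if __name__ == "__main__":
    # Usage: python3 check_krb5_conf.py [/etc/krb5.conf]; without an
    # argument the constructed SAMPLE_ORIGINAL is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ORIGINAL
    for problem in check_client_conf(parse_krb5_conf(text)) or ["realm mappings look complete"]:
        print(problem)
```

Run against the original file it reports the missing [realms] entry and both missing [domain_realm] mappings; against the fixed file it reports nothing. It only reads the file, so David's question still applies: any daemon that loaded the old krb5.conf before the edit, such as the KDC on the server, has to be restarted to pick the change up.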
