Hi, I apologize for not reporting my information on the list earlier.
I have a working installation of FreeIPA v.1 and a few days ago I added a F13 client. I've installed everything from official repos. SSSD caused problems because ipa-client-install made a 'default' domain in sssd.conf and sssd was looking for SRV records in DNS for LDAP and KDC with '.default' suffix. There are no such records and other FreeIPA clients are happy with that so I added those lines to sssd.conf:

[domain/default]
....
krb5_kdcip = XXX.XXX.XXX.XXX
ldap_uri = ldap://ldap.example.com
....

Kostya

On Mon, 07 Jun 2010 10:04:19 -0400
Stephen Gallagher <[email protected]> wrote:

> On 06/06/2010 06:06 PM, James Po wrote:
> > I've installed (from yum) on fedora 13, created a user but cannot
> > ssh in as that user - it fails to reset the password.
> >
> > I've disabled iptables & SELinux (for testing purposes) to no avail.
> >
> >
> > macbook:~ james$ ssh [email protected]
> > [email protected]'s password:
> > Warning: Your password will expire in less than one hour.
> > Password expired. Change your password now.
> > Last login: Sun Jun 6 22:25:17 2010 from 192.168.5.249
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user bshit.
> > Current Password:
> > New password:
> > Retype new password:
> > Warning: Your password will expire in less than one hour.
> > Warning: Your password will expire in less than one hour.
> > passwd: Authentication token manipulation error
> > Connection to 192.168.5.58 closed.
> >
> >
> > /var/log/secure:
> >
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> > [Cannot contact any KDC for requested realm]
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> > message: Warning: Your password will expire in less than one hour.
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): system info:
> > [Cannot contact any KDC for requested realm]
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): User info
> > message: Warning: Your password will expire in less than one hour.
> > Jun 6 22:32:30 ipa passwd: pam_sss(passwd:chauthtok): Password
> > change failed for user bshit: 22 (Authentication token lock busy)
> > Jun 6 22:32:30 ipa passwd: gkr-pam: couldn't update the login
> > keyring password: no old password was entered
> > Jun 6 22:32:32 ipa sshd[1635]: pam_unix(sshd:session): session
> > closed for user bshit
> >
> >
> > /var/log/krb5kdc.log:
> >
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> > [email protected] for
> > kadmin/[email protected], Additional
> > pre-authentication required
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> > 1275859950, etypes {rep=18 tkt=18 ses=18},
> > [email protected] for
> > kadmin/[email protected]
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: NEEDED_PREAUTH:
> > [email protected] for
> > kadmin/[email protected], Additional
> > pre-authentication required
> > Jun 06 22:32:30 ipa.dev.webscalability.com krb5kdc[1349](info):
> > AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.5.58: ISSUE: authtime
> > 1275859950, etypes {rep=18 tkt=18 ses=18},
> > [email protected] for
> > kadmin/[email protected]
> >
> This looks like an error in the SSSD. Could you
> edit /etc/sssd/sssd.conf and change debug_level=0 to debug_level=9
> and then try this again. Then examine /var/log/sssd/krb5_child.log
> and /var/log/sssd/sssd_<your_domain>.log for clues?
>

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
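An added example, not part of the original thread and not SSSD or FreeIPA code: a check for the situation described in the reply at the top of this message, where a [domain/...] section whose name is not a real DNS zone has no krb5_kdcip or ldap_uri and so depends on SRV records under that name. The SRV labels, the function name audit_sssd_domains, the extra config options and the 192.0.2.10 address are assumptions made for illustration.

```python
import configparser

# Options named in the message above; when set, no SRV lookup is needed.
EXPLICIT = {"LDAP": "ldap_uri", "KDC": "krb5_kdcip"}
# Assumption: the conventional SRV labels for LDAP and Kerberos.
SRV_LABEL = {"LDAP": "_ldap._tcp", "KDC": "_kerberos._udp"}

# Constructed sample files; addresses and extra options are illustrative.
GENERATED = """\
[sssd]
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
"""
PINNED = GENERATED + "krb5_kdcip = 192.0.2.10\nldap_uri = ldap://ldap.example.com\n"


def audit_sssd_domains(conf_text, dns_zones):
    """List (domain, service, srv_name) for every lookup that would rely on
    SRV discovery under a suffix that is not one of the site's DNS zones."""
    zones = {z.lower() for z in dns_zones}
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section.split("/", 1)[1]
        if name.lower() in zones:
            continue  # discovery suffix is a real zone
        for service, option in EXPLICIT.items():
            if cp.get(section, option, fallback="").strip():
                continue  # server is pinned explicitly
            findings.append((name, service, f"{SRV_LABEL[service]}.{name}"))
    return findings


if __name__ == "__main__":
    for label, text in (("generated", GENERATED), ("pinned", PINNED)):
        print(label, audit_sssd_domains(text, {"example.com"}))
```
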
