On 03/22/2011 09:54 AM, Dmitri Pal wrote:
> On 03/22/2011 06:11 AM, Andy Singleton wrote:
>> Hello,
>>
>> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>> Everything appears to work fine, with the exception of updating users'
>> passwords from the client.
>>
>> From the user perspective, I get this:
>>
>> Changing password for user andytest.
>> Kerberos 5 Password:
>> New password:
>> Retype new password:
>> passwd: Authentication token manipulation error
>>
>> From the local secure log, I see this:
>>
>> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
>> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
>> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change failed for [email protected]: Cannot contact any KDC for requested realm
>>
>> There are no local or network firewalls between the client and the IPA
>> server, and every other piece of IPA functionality appears to work fine.
>>
>> On the IPA server itself, I see this in krb5kdc:
>>
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth type found: Success
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: [email protected] for kadmin/[email protected], Preauthentication failed
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
>>
>> nsswitch.conf has the usual stuff:
>>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>>
>> I'm not sure what else to check.
>>
>> Andy
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Sorry, clicked the send button before I typed anything.
> It looks like this is the result of the OID fix we made some time ago.
> We recommend using ipa-client 2.0 with the latest IPA.
> The client in RHEL 6.0 has the bug related to password change that
> prevents it from working with IPA v2.
> There is no fix for 6.0 yet and since ipa-client in RHEL 6.0 is in tech
> preview there is no plan to release any asynch errata for it.
> RHEL 6.1 will carry the right version of ipa-client.
> We might be able to build an upstream version of the ipa-client for RHEL
> but not sooner than we release the 2.0 (any time now...).
>

Please ignore my reply. Mixed the two issues on the list.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
