This is my krb5kdc.log ...

Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: [email protected] IQUE.FR for krbtgt/[email protected], Password has expired
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/[email protected] for ldap/[email protected]
Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ... CONSTRAINED-DELEGATION [email protected]
Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/[email protected] for ldap/[email protected]


Thanks

2012/9/21 James James <[email protected]>

> Now, I can read the userPassword field (after the migration process) but I
> still can't change my password from the UI. I just got:
>
> kerberos ticket is no longer valid.
>
>
>
> 2012/9/20 James James <[email protected]>
>
>> It will be fine to have this info in the doc.
>>
>>
>> 2012/9/20 Rob Crittenden <[email protected]>
>>
>>> Dmitri Pal wrote:
>>>
>>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>>
>>>>> James James wrote:
>>>>>
>>>>>> You're right. The request returns:
>>>>>>
>>>>>> Enter LDAP Password:
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>>>> # filter: uid=test
>>>>>> # requesting: userPassword
>>>>>> #
>>>>>>
>>>>>> # test, users, accounts, example.com
>>>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 0 Success
>>>>>>
>>>>>> Can you explain to me what happens?
>>>>>>
>>>>>> Is there a solution?
>>>>>>
>>>>>
>>>>> When migrating you need to bind as a user that has read permission on
>>>>> the userPassword attribute in the remote LDAP server.
>>>>>
>>>>
>>>> Rob should we check if we can read the userPassword attribute and if not
>>>> fail migration?
>>>> Should we open a ticket for this?
>>>> Also I do not think we document the expectation that you vocalized
>>>> above.
>>>>
>>>
>>> I'll open a ticket to spell this out in the docs.
>>>
>>> Checking it in the command would be nice but I don't know about fatal.
>>> Still, I'll open a ticket for that as well.
>>>
>>> rob
>>>
>>
>>
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
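
The ldapsearch result quoted in this thread (a DN returned with no userPassword line) is what a bind account without read access to that attribute sees. The following is an added example, not code from the thread or from FreeIPA: a pre-migration check that parses ldapsearch LDIF output and lists the entries for which userPassword was not returned. The function names and the sample LDIF are constructed for illustration.

```python
import base64
import re

# Constructed sample: ldapsearch output requesting userPassword for two users.
# The first entry mirrors the thread (DN only, attribute not returned).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# filter: uid=*
# requesting: userPassword
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

# test2, users, accounts, example.com
dn: uid=test2,cn=users,cn=accounts,
 dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

# search result
search: 2
result: 0 Success
"""

def parse_entries(ldif_text):
    """Return {dn: set of lowercased attribute names} from ldapsearch output."""
    # LDIF folds long lines: a newline followed by one space continues the line.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    entries = {}
    for block in re.split(r"\n\s*\n", unfolded):
        dn, attrs = None, set()
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if line.startswith("#") or not sep:
                continue  # comment or non-attribute line
            if name.lower() != "dn":
                attrs.add(name.lower())
            elif rest.startswith(":"):  # "dn:: <base64>" for non-ASCII DNs
                dn = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                dn = rest.strip()
        if dn is not None:  # the trailing "search:/result:" block has no dn
            entries[dn] = attrs
    return entries

def entries_missing(ldif_text, attr="userPassword"):
    """DNs whose entry came back without the requested attribute."""
    found = parse_entries(ldif_text)
    return sorted(dn for dn, attrs in found.items() if attr.lower() not in attrs)
```

An empty list from `entries_missing` means every returned entry carried the attribute; a non-empty list means the bind account cannot read userPassword on those entries, or the attribute is not set on them.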
