I was mistaken. The password change from the ui works well. Thanks again for your help.
2012/9/21 James James <[email protected]>

> This is my krb5kdc.log ...
>
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: [email protected]
> IQUE.FR for krbtgt/[email protected], Password has expired
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: [email protected] for kadmin/
> [email protected], Additional pre-authentication required
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18
> tkt=18 ses=18}, [email protected] for kadmin/[email protected]
> Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18
> tkt=18 ses=18}, HTTP/[email protected] for ldap/
> [email protected]
> Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ...
> CONSTRAINED-DELEGATION [email protected]
> Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18
> tkt=18 ses=18}, HTTP/[email protected] for ldap/
> [email protected]
>
> Thanks
>
> 2012/9/21 James James <[email protected]>
>
>> Now, I can read the userPassword field (after the migration process) but
>> I still can't change my password from the ui. I just got:
>>
>> kerberos ticket is no longer valid.
>>
>> 2012/9/20 James James <[email protected]>
>>
>>> It will be fine to have this info in the doc.
>>>
>>> 2012/9/20 Rob Crittenden <[email protected]>
>>>
>>>> Dmitri Pal wrote:
>>>>
>>>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>>>
>>>>>> James James wrote:
>>>>>>
>>>>>>> You're right.
>>>>>>> The request returns:
>>>>>>>
>>>>>>> Enter LDAP Password:
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <cn=users,cn=accounts,dc=**example,dc=com> with scope subtree
>>>>>>> # filter: uid=test
>>>>>>> # requesting: userPassword
>>>>>>> #
>>>>>>>
>>>>>>> # test, users, accounts, example.com <http://example.com>
>>>>>>> dn: uid=test,cn=users,cn=accounts,**dc=example,dc=com
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 2
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> Can you explain to me what happens?
>>>>>>>
>>>>>>> Is there a solution?
>>>>>>>
>>>>>>
>>>>>> When migrating you need to bind as a user that has read permission on
>>>>>> the userPassword attribute in the remote LDAP server.
>>>>>>
>>>>>
>>>>> Rob should we check if we can read the userPassword attribute and if
>>>>> not
>>>>> fail migration?
>>>>> Should we open a ticket for this?
>>>>> Also I do not think we document the expectation that you vocalized
>>>>> above.
>>>>>
>>>>
>>>> I'll open a ticket to spell this out in the docs.
>>>>
>>>> Checking it in the command would be nice but I don't know about fatal.
>>>> Still, I'll open a ticket for that as well.
>>>>
>>>> rob
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
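
Added example (not part of the thread and not FreeIPA code): a pre-migration check along the lines discussed above. It parses `ldapsearch` LDIF output and lists the entries that came back without `userPassword`, which is what the `uid=test` result in the thread shows. The sample LDIF, the `alice` entry and the function names are constructed for illustration.

```python
import base64

_HASH = base64.b64encode(b"{SSHA}constructed-placeholder").decode()

# Constructed ldapsearch output modelled on the thread: "test" comes back
# without userPassword; "alice" (hypothetical) has a folded dn and a value.
SAMPLE_LDIF = f"""\
# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,
 dc=example,dc=com
userPassword:: {_HASH}

search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from LDIF text such as ldapsearch output."""
    entries, dn, attrs = [], None, {}
    # LDIF folds long lines as newline + one space; undo that before parsing.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends a record
            if dn is not None:               # the search/result trailer has no dn
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        name = name.split(";")[0].lower()    # drop options such as ;binary
        if name == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return entries


def missing_attr(ldif_text, attr="userPassword"):
    """DNs returned without `attr`: unreadable by this bind, or never set."""
    return [dn for dn, a in parse_ldif(ldif_text) if not a.get(attr.lower())]


if __name__ == "__main__":
    print("no userPassword returned for:", missing_attr(SAMPLE_LDIF))
```

Run against the output of the same search the migration bind user would perform; if every entry is listed, the bind identity most likely lacks read access to `userPassword`.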
