According to the FreeIPA Client Configure Guide, I realized I may be missing something in my client's krb5.conf. It had been created by the ipa-client-install script. I never edited it. But there are <b>no</b> <b><i style="font-family: times new roman,serif;">[realms]</i></b><span style="font-family: times new roman,serif;"> </span>and <b><i style="font-family: times new roman,serif;">[domain_realm]</i> </b>in the krb5.conf file.<br>
<br>So I added them, shown below:<br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">#File modified by ipa-client-install<br><br>[libdefaults]<br>
default_realm = ARAGON.LOCAL<br> dns_lookup_realm = true<br> dns_lookup_kdc = true<br> ticket_lifetime = 24h<br> forwardable = yes<br><br>[realms]<br>ARAGON.LOCAL = {<br> kdc = ipa.aragon.local:88<br> admin_server = ipa.aragon.local:749<br>
default_domain = aragon.local<br> }<br><br>[domain_realm]<br>.aragon.local = ARAGON.LOCAL<br>aragon.local = ARAGON.LOCAL<br><br>[appdefaults]<br> pam = {<br> debug = false<br> ticket_lifetime = 36000<br> renew_lifetime = 36000<br>
forwardable = true<br> krb4_convert = false<br> }<br></blockquote><br>It doesn't work with the new krb5.conf either.<br><b><i>kinit(v5): Password change failed while getting initial credentials</i></b><br>
<br>I'd like to post more detailed output. Hope it is helpful.<br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">[root@freeipa ~]# kinit admin<br>
Password for admin@ARAGON.LOCAL: <br>[root@freeipa ~]# klist<br>Ticket cache: FILE:/tmp/krb5cc_0<br>Default principal: admin@ARAGON.LOCAL<br><br>Valid starting Expires Service principal<br>09/23/09 22:52:57 09/24/09 22:52:58 krbtgt/ARAGON.LOCAL@ARAGON.LOCAL<br>
<br><br>Kerberos 4 ticket cache: /tmp/tkt0<br>klist: You have no tickets cached<br>[root@freeipa ~]# ipa-finduser admin<br>Full Name: Administrator<br>Home Directory: /home/admin<br>Login Shell: /bin/bash<br>Login: admin<br>
<br>[root@freeipa ~]# ipa-finduser haha<br>Full Name: haha haha<br>Home Directory: /home/haha<br>Login Shell: /bin/sh<br>Login: haha<br></blockquote><br>Regards,<br>Michael<br><br><div class="gmail_quote">On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <span dir="ltr"><<a href="mailto:wxiluo@gmail.com">wxiluo@gmail.com</a>> </span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>Here is client's krb5.conf: <br><br></div><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
#File modified by ipa-client-install<br><br>
[libdefaults]<br> default_realm = ARAGON.LOCAL<br> dns_lookup_realm = true<br> dns_lookup_kdc = true<br> ticket_lifetime = 24h<br> forwardable = yes<br><br>[appdefaults]<br> pam = {<br> debug = false<br> ticket_lifetime = 36000<br>
renew_lifetime = 36000<br> forwardable = true<br> krb4_convert = false<br> }<br></blockquote><br>EOF<div><div></div><div class="h5"><br><br><div class="gmail_quote">On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <span dir="ltr"><<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Michael Kang wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Dear FreeIPA community,<br>
<br><div>
I did try setting the new user's initial password. But it didn't work either. I got a protocol error.<br>
<br>
Here is the console output:<br>
<br>
[root@freeipa ~]# kinit admin<br>
Password for admin@ARAGON.LOCAL:<br>
[root@freeipa ~]# ipa-passwd haha<br>
Changing password for haha@ARAGON.LOCAL<br>
New Password:<br>
Confirm Password:<br>
[root@freeipa ~]# kinit haha<br>
Password for haha@ARAGON.LOCAL:<br>
Password expired. You must change it now.<br>
Enter new password:<br>
Enter it again:<br>
kinit(v5): Requested protocol version not supported while getting initial credentials<br>
<br>
</div></blockquote>
<br>
Sounds like a Kerberos V4 request was sent to the KDC? What's in the client's krb5.conf?<br>
Jenny<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div>
<br>
<br>
On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>> wrote:<br>
<br>
Jenny Galipeau wrote:<br>
<br>
<br>
Michael Kang wrote:<br>
<br>
Dear FreeIPA community,<br>
<br>
I successfully installed FreeIPA this morning. Now I got a<br>
problem about Kerberos Authentication. New user cannot<br>
modify their password in shell.<br>
<br>
Hi Michael:<br>
Did you set the new user's initial password?<br>
kinit admin<br>
ipa passwd haha<br>
Thanks<br>
Jenny<br>
<br>
Also kinit as haha, because haha will be asked to change the<br>
password on first authentication.<br>
<br>
Thanks<br>
Jenny<br>
<br>
<br>
I added a new user named /haha(group: ipauser)/ based on<br>
the webUI. This user is not an existing system user. Then I<br>
added a new Delegation (allowing people in group ipauser to<br>
modify passwords for group ipauser).<br>
<br>
/[michael@freeipa Desktop]$ su - haha/<br>
/Password: /<br>
<br>
/Warning: Your password will expire in less than one hour./<br>
/Warning: password has expired./<br>
/Kerberos 5 Password: /<br>
/Warning: Your password will expire in less than one hour./<br>
/New UNIX password: /<br>
/Retype new UNIX password: /<br>
/su: incorrect password/<br>
/[michael@freeipa Desktop]$ su - root/<br>
/Password: /<br>
/[root@freeipa ~]# su - haha/<br>
/su: warning: cannot change directory to /home/haha: No such file or directory/<br>
/-sh-3.2$ /<br>
<br>
<br>
Root can su - haha successfully. I think that means the<br>
Kerberos works, but new user cannot reset their password<br>
in their shell.<br>
<br>
What should I do?<br>
<br>
Best Regards,<br>
Michael<br>
<br>
-- Michael Kang(康上明学)<br>
There is a giant asleep within every man. When the giant<br>
awakens, miracles happen.<br>
<br>
Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion<br>
------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br></div></div>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><div><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
<br>
<br>
<br></div>
-- Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>><div><br>
Principal Software QA Engineer<br>
Red Hat, Inc. Security Engineering<br>
<br>
<br>
<br>
<br>
-- <br>
Michael Kang(康上明学)<br>
There is a giant asleep within every man. When the giant awakens, miracles happen.<br>
<br>
Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion<br>
</div></blockquote><div><div></div><div>
<br>
<br>
-- <br>
Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>><br>
Principal Software QA Engineer<br>
Red Hat, Inc. Security Engineering<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Michael Kang(康上明学)<br>There is a giant asleep within every man. When the giant awakens, miracles happen.<br><br>Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Michael Kang(康上明学)<br>There is a giant asleep within every man. When the giant awakens, miracles happen.<br><br>Personal blog: <a href="http://ufusion.org">http://ufusion.org</a> - United Fusion<br>
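A check a client administrator can run against the two krb5.conf versions posted in this thread, added here as an example and not part of the original mails: it parses the file's section and brace layout and reports whether the default realm has a KDC in [realms] and a [domain_realm] mapping. The sample configs are abridged from the thread, and the function names are my own.

```python
import re

# Constructed, abridged from the client krb5.conf posted in the thread (no [realms] section).
CLIENT_CONF = """[libdefaults]
 default_realm = ARAGON.LOCAL
 dns_lookup_kdc = true
"""
# The [realms]/[domain_realm] stanzas the thread adds later, as a separate fragment.
REALM_STANZAS = """[realms]
ARAGON.LOCAL = {
 kdc = ipa.aragon.local:88
 }
[domain_realm]
.aragon.local = ARAGON.LOCAL
aragon.local = ARAGON.LOCAL
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; 'key = { ... }' blocks nest as dicts."""
    conf, stack = {}, []  # stack of dicts being filled, innermost last
    # Strip '#' comments and whitespace, skip blank lines.
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:  # new top-level section
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}":  # end of a nested block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":  # start of a nested block, e.g. 'ARAGON.LOCAL = {'
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_client_realm_config(text):
    """Report what a client krb5.conf lacks for its default realm: a KDC in [realms] and a [domain_realm] mapping."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    problems = []
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        # With dns_lookup_kdc on, libkrb5 can still locate the KDC through DNS SRV records.
        dns = libdefaults.get("dns_lookup_kdc", "false").lower() in ("true", "yes", "1")
        problems.append(f"no kdc for {realm} in [realms]" + (" (KDC found via DNS SRV)" if dns else ""))
    if realm not in conf.get("domain_realm", {}).values():
        problems.append(f"no [domain_realm] entry maps a domain to {realm}")
    return problems
```

Run `check_client_realm_config(CLIENT_CONF)` to see the two gaps the first posted file has, and `check_client_realm_config(CLIENT_CONF + REALM_STANZAS)` to confirm the amended file reports none.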