According to the FreeIPA Client Configure Guide, I realized I may miss something in my client's krb5.conf. It had been created by ipa-client-install script. I never edit it. But there are no [realms] and [domain_realm] in krb5.conf file. So I added them, show it below: <blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">#File modified by ipa-client-install [libdefaults] default_realm = ARAGON.LOCAL dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes [realms] ARAGON.LOCAL = { kdc = ipa.aragon.local:88 admin_server = ipa.aragon.local:749 default_domain = aragon.local } [domain_realm] .aragon.local = ARAGON.LOCAL aragon.local = ARAGON.LOCAL [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } </blockquote> It doesn't work either by using the new krb5.conf. kinit(v5): Password change failed while getting initial credentials I'd like to post more detail outputs. Hope it could be helpful. <blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">[root@freeipa ~]# kinit admin Password for admin@ARAGON.LOCAL: [root@freeipa ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@ARAGON.LOCAL Valid starting Expires Service principal 09/23/09 22:52:57 09/24/09 22:52:58 krbtgt/ARAGON.LOCAL@ARAGON.LOCAL Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached [root@freeipa ~]# ipa-finduser admin Full Name: Administrator Home Directory: /home/admin Login Shell: /bin/bash Login: admin [root@freeipa ~]# ipa-finduser haha Full Name: haha haha Home Directory: /home/haha Login Shell: /bin/sh Login: haha </blockquote> Regards, Michael <div class="gmail_quote">On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <<a href="mailto:wxiluo@gmail.com">wxiluo@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>Here is client's krb5.conf: </div><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"> #File modified by ipa-client-install [libdefaults] default_realm = ARAGON.LOCAL dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } </blockquote> EOF<div><div></div><div class="h5"> <div class="gmail_quote">On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Michael Kang wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Dear FreeIPA community, <div> I did try set the new user's initial password. But it didn't work either. I got a protocol error. Here is the output of console : [root@freeipa ~]# kinit admin Password for admin@ARAGON.LOCAL: [root@freeipa ~]# ipa-passwd haha Changing password for haha@ARAGON.LOCAL New Password: Confirm Password: [root@freeipa ~]# kinit haha Password for haha@ARAGON.LOCAL: Password expired. You must change it now. Enter new password: Enter it again: kinit(v5): Requested protocol version not supported while getting initial credentials </div></blockquote> Sounds like, a Kerberos V4 request was sent to the KDC? What's in the client's krb5.conf? Jenny <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a> <mailto:<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>>> wrote: Jenny Galipeau wrote: Michael Kang wrote: Dear FreeIPA community, I successfully installed FreeIPA this morning. Now I got a problem about Kerberos Authentication. New user cannot modify their password in shell. Hi Michael: Did you set the new user's initial password? kinit admin ipa passwd haha Thanks Jenny Also kinit as haha, because haha will be asked to change the password on first authentication. Thanks Jenny I added a new user named /haha(group: ipauser)/ based on the webUI. This user is not a existed system user. Then I added a new Delegations(allow people in group ipauser can modify password for group ipauser) . /[michael@freeipa Desktop]$ su - haha/ /Password: / /Warning: Your password will expire in less than one hour./ /Warning: password has expired./ /Kerberos 5 Password: / /Warning: Your password will expire in less than one hour./ /New UNIX password: / /Retype new UNIX password: / /su: incorrect password/ /[michael@freeipa Desktop]$ su - root/ /Password: / /[root@freeipa ~]# su - haha/ /su: warning: cannot change directory to /home/haha: No such file or directory/ /-sh-3.2$ / Root can su - haha successfully. I think that means the Kerberos works, but new user cannot reset their password in their shell. What should I do? Best Regards, Michael -- Michael Kang（康上明学） There is a giant asleep within every man. When the giant awakens,miracles happen. Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion ------------------------------------------------------------------------ _______________________________________________ Freeipa-users mailing list </div></div> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>><div> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </div> -- Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a> <mailto:<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>>><div> Principal Software QA Engineer Red Hat, Inc. Security Engineering -- Michael Kang（康上明学） There is a giant asleep within every man. When the giant awakens,miracles happen. Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion </div></blockquote><div><div></div><div> -- Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>> Principal Software QA Engineer Red Hat, Inc. Security Engineering </div></div></blockquote></div> -- Michael Kang（康上明学） There is a giant asleep within every man. When the giant awakens,miracles happen. Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion </div></div></blockquote></div> -- Michael Kang（康上明学） There is a giant asleep within every man. When the giant awakens,miracles happen. Personal blog: <a href="http://ufusion.org">http://ufusion.org</a> - United Fusion