<div>Here is the client's krb5.conf: <br><br></div><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">#File modified by ipa-client-install<br><br>
[libdefaults]<br> default_realm = ARAGON.LOCAL<br> dns_lookup_realm = true<br> dns_lookup_kdc = true<br> ticket_lifetime = 24h<br> forwardable = yes<br><br>[appdefaults]<br> pam = {<br> debug = false<br> ticket_lifetime = 36000<br>
renew_lifetime = 36000<br> forwardable = true<br> krb4_convert = false<br> }<br></blockquote><br>EOF<br><br><div class="gmail_quote">On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <span dir="ltr"><<a href="mailto:jgalipea@redhat.com">jgalipea@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Michael Kang wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Dear FreeIPA community,<br>
<br><div class="im">
I did try to set the new user's initial password, but it didn't work either. I got a protocol error.<br>
<br>
Here is the output of console :<br>
<br>
[root@freeipa ~]# kinit admin<br>
Password for admin@ARAGON.LOCAL:<br>
[root@freeipa ~]# ipa-passwd haha<br>
Changing password for haha@ARAGON.LOCAL<br>
New Password:<br>
Confirm Password:<br>
[root@freeipa ~]# kinit haha<br>
Password for haha@ARAGON.LOCAL:<br>
Password expired. You must change it now.<br>
Enter new password:<br>
Enter it again:<br>
kinit(v5): Requested protocol version not supported while getting initial credentials<br>
<br>
</div></blockquote>
<br>
Sounds like a Kerberos V4 request was sent to the KDC? What's in the client's krb5.conf?<br>
Jenny<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div class="h5">
<br>
<br>
On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>> wrote:<br>
<br>
Jenny Galipeau wrote:<br>
<br>
<br>
Michael Kang wrote:<br>
<br>
Dear FreeIPA community,<br>
<br>
I successfully installed FreeIPA this morning. Now I have a<br>
problem with Kerberos authentication. New users cannot<br>
modify their password in the shell.<br>
<br>
Hi Michael:<br>
Did you set the new user's initial password?<br>
kinit admin<br>
ipa passwd haha<br>
Thanks<br>
Jenny<br>
<br>
Also kinit as haha, because haha will be asked to change the<br>
password on first authentication.<br>
<br>
Thanks<br>
Jenny<br>
<br>
<br>
I added a new user named /haha (group: ipauser)/ using<br>
the webUI. This user is not an existing system user. Then I<br>
added a new Delegation (allowing people in group ipauser to<br>
modify passwords for group ipauser).<br>
<br>
/[michael@freeipa Desktop]$ su - haha/<br>
/Password: /<br>
<br>
/Warning: Your password will expire in less than one hour./<br>
/Warning: password has expired./<br>
/Kerberos 5 Password: /<br>
/Warning: Your password will expire in less than one hour./<br>
/New UNIX password: /<br>
/Retype new UNIX password: /<br>
/su: incorrect password/<br>
/[michael@freeipa Desktop]$ su - root/<br>
/Password: /<br>
/[root@freeipa ~]# su - haha/<br>
/su: warning: cannot change directory to /home/haha: No such file or directory/<br>
/-sh-3.2$ /<br>
<br>
<br>
Root can su - haha successfully. I think that means<br>
Kerberos works, but a new user cannot reset their password<br>
in their shell.<br>
<br>
What should I do?<br>
<br>
Best Regards,<br>
Michael<br>
<br>
-- Michael Kang(康上明学)<br>
There is a giant asleep within every man. When the giant<br>
awakens,miracles happen.<br>
<br>
Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion<br>
</div></div>
-- Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>><div class="im"><br>
Principal Software QA Engineer<br>
Red Hat, Inc. Security Engineering<br>
<br>
<br>
<br>
<br>
-- <br>
Michael Kang(康上明学)<br>
There is a giant asleep within every man. When the giant awakens,miracles happen.<br>
<br>
Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion<br>
</div></blockquote><div><div></div><div class="h5">
<br>
<br>
-- <br>
Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>><br>
Principal Software QA Engineer<br>
Red Hat, Inc. Security Engineering<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Michael Kang(康上明学)<br>There is a giant asleep within every man. When the giant awakens,miracles happen.<br><br>Personal blog: <a href="http://ufusion.org">http://ufusion.org</a> - United Fusion<br>