Thank you for telling me about the NSS package bug.<br><br>FreeIPA has worked well on Fedora 11 so far. I want to deploy FreeIPA instead of Fedora Directory Server to do identity management in my company. I think there will be many problems and questions which need your help.<br>
<br>Also I'd like to share my journey (FreeIPA exploration) with you guys.<br>Thank you again,<br>Michael<br><br><div class="gmail_quote">On Fri, Sep 25, 2009 at 9:33 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Michael Kang wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">
<br>
<br>
---------- Forwarded message ----------<br>
From: *Michael Kang* <<a href="mailto:wxiluo@gmail.com" target="_blank">wxiluo@gmail.com</a>><br>
Date: Fri, Sep 25, 2009 at 4:09 PM<br>
Subject: Re: [Freeipa-users] Problem with Kerberos Authentication<br></div><div class="im">
To: Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>><br>
<br>
<br>
Dear Jenny Galipeau,<br>
<br>
Thank you and Everyone who helped me with this project. Thanks for being patient and answering my questions :)<br>
<br>
My problem was solved by using Fedora 11 (fully upgraded). FreeIPA may have bugs on Fedora 9.<br>
<br>
If I install Fedora 11 (a fresh install, not an upgrade), then install ipa-server, Apache crashes many times per second. Here is the log output:<br>
<br></div>
/Apache child pid xxxx exit signal Segmentation fault (11)/<br>
</blockquote>
<br>
Yes, this was a bug in the original NSS package that shipped with F-11.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
After upgrading the whole system, this problem disappeared. Also, new users can pass Kerberos authentication and log in to the system successfully.<br>
<br>
If you want the details about the bugs on Fedora 9, I could send them to you. Please let me know what you want.<br>
</blockquote>
<br></div>
Fedora 9 isn't supported by Fedora anymore so we don't test on it either.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
Thank you again.<br>
Michael<div class="im"><br>
<br>
<br>
On Thu, Sep 24, 2009 at 8:41 PM, Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>> wrote:<br>
<br>
Hi Michael:<br>
<br>
Let's rule in or out the delegation you added. Can you remove the<br>
delegation and try it? If it works, I think we may have a bug. If it<br>
behaves the same, if you could provide more debug info that would be<br>
great.<br>
<br>
Thanks<br>
Jenny<br>
<br>
Michael Kang wrote:<br>
<br>
Hi David,<br>
<br>
I rebooted the system after I edited the configuration file.<br>
<br>
Regards,<br>
Michael<br>
<br>
On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien<br>
<<a href="mailto:davido@redhat.com" target="_blank">davido@redhat.com</a>><br></div><div><div></div><div class="h5">
wrote:<br>
<br>
Michael,<br>
did you restart the kdc after you updated the krb5.conf file?<br>
<br>
David<br>
<br>
Michael Kang wrote:<br>
<br>
According to the FreeIPA Client Configuration Guide, I realized I may be missing something in my client's krb5.conf. It had been created by the ipa-client-install script; I never edited it. But there are *no* *[realms]* and *[domain_realm]* sections in the krb5.conf file.<br>
<br>
So I added them, as shown below:<br>
<br>
<br>
#File modified by ipa-client-install<br>
<br>
[libdefaults]<br>
default_realm = ARAGON.LOCAL<br>
dns_lookup_realm = true<br>
dns_lookup_kdc = true<br>
ticket_lifetime = 24h<br>
forwardable = yes<br>
<br>
[realms]<br>
ARAGON.LOCAL = {<br>
kdc = ipa.aragon.local:88<br>
admin_server = ipa.aragon.local:749<br>
default_domain = aragon.local<br>
}<br>
<br>
[domain_realm]<br>
.aragon.local = ARAGON.LOCAL<br>
aragon.local = ARAGON.LOCAL<br>
<br>
[appdefaults]<br>
pam = {<br>
debug = false<br>
ticket_lifetime = 36000<br>
renew_lifetime = 36000<br>
forwardable = true<br>
krb4_convert = false<br>
}<br>
<br>
<br>
<br>
It doesn't work with the new krb5.conf either.<br>
*kinit(v5): Password change failed while getting initial credentials*<br>
<br>
I'd like to post more detailed output. Hope it is helpful.<br>
<br>
<br>
[root@freeipa ~]# kinit admin<br>
Password for admin@ARAGON.LOCAL:<br>
[root@freeipa ~]# klist<br>
Ticket cache: FILE:/tmp/krb5cc_0<br>
Default principal: admin@ARAGON.LOCAL<br>
<br>
Valid starting Expires Service principal<br>
09/23/09 22:52:57 09/24/09 22:52:58<br>
krbtgt/ARAGON.LOCAL@ARAGON.LOCAL<br>
<br>
<br>
Kerberos 4 ticket cache: /tmp/tkt0<br>
klist: You have no tickets cached<br>
[root@freeipa ~]# ipa-finduser admin<br>
Full Name: Administrator<br>
Home Directory: /home/admin<br>
Login Shell: /bin/bash<br>
Login: admin<br>
<br>
[root@freeipa ~]# ipa-finduser haha<br>
Full Name: haha haha<br>
Home Directory: /home/haha<br>
Login Shell: /bin/sh<br>
Login: haha<br>
<br>
<br>
<br>
Regards,<br>
Michael<br>
<br>
On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang<br>
<<a href="mailto:wxiluo@gmail.com" target="_blank">wxiluo@gmail.com</a>><br></div></div><div class="im">
wrote:<br>
<br>
<br>
Here is client's krb5.conf:<br>
<br>
#File modified by ipa-client-install<br>
<br>
[libdefaults]<br>
default_realm = ARAGON.LOCAL<br>
dns_lookup_realm = true<br>
dns_lookup_kdc = true<br>
ticket_lifetime = 24h<br>
forwardable = yes<br>
<br>
[appdefaults]<br>
pam = {<br>
debug = false<br>
ticket_lifetime = 36000<br>
renew_lifetime = 36000<br>
forwardable = true<br>
krb4_convert = false<br>
}<br>
<br>
<br>
EOF<br>
<br>
<br>
On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau<br>
<<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>><br></div><div><div></div><div class="h5">
wrote:<br>
<br>
<br>
<br>
Michael Kang wrote:<br>
<br>
<br>
Dear FreeIPA community,<br>
<br>
I did try setting the new user's initial password, but it didn't work either.<br>
I got a protocol error.<br>
<br>
Here is the output of console :<br>
<br>
[root@freeipa ~]# kinit admin<br>
Password for admin@ARAGON.LOCAL:<br>
[root@freeipa ~]# ipa-passwd haha<br>
Changing password for haha@ARAGON.LOCAL<br>
New Password:<br>
Confirm Password:<br>
[root@freeipa ~]# kinit haha<br>
Password for haha@ARAGON.LOCAL:<br>
Password expired. You must change it now.<br>
Enter new password:<br>
Enter it again:<br>
kinit(v5): Requested protocol version not supported while getting initial credentials<br>
<br>
<br>
<br>
Sounds like a Kerberos V4 request was sent to the KDC? What's in the<br>
client's krb5.conf?<br>
Jenny<br>
<br>
<br>
On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau<br>
<<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>><br></div></div>
<div><div></div><div class="h5"><br>
wrote:<br>
<br>
Jenny Galipeau wrote:<br>
<br>
<br>
Michael Kang wrote:<br>
<br>
Dear FreeIPA community,<br>
<br>
I successfully installed FreeIPA this morning. Now I have a problem<br>
with Kerberos authentication: a new user cannot change their password in the shell.<br>
<br>
Hi Michael:<br>
Did you set the new user's initial password?<br>
kinit admin<br>
ipa passwd haha<br>
Thanks<br>
Jenny<br>
<br>
Also kinit as haha, because haha will be asked to<br>
change the<br>
password on first authentication.<br>
<br>
Thanks<br>
Jenny<br>
<br>
<br>
I added a new user named /haha/ (group: ipauser) through the web UI.<br>
This user is not an existing system user. Then I added a new<br>
delegation (allowing people in group ipauser to modify the password<br>
for group ipauser).<br>
<br>
/[michael@freeipa Desktop]$ su - haha/<br>
/Password: /<br>
<br>
/Warning: Your password will expire in less than one hour./<br>
/Warning: password has expired./<br>
/Kerberos 5 Password: /<br>
/Warning: Your password will expire in less than one hour./<br>
/New UNIX password: /<br>
/Retype new UNIX password: /<br>
/su: incorrect password/<br>
/[michael@freeipa Desktop]$ su - root/<br>
/Password: /<br>
/[root@freeipa ~]# su - haha/<br>
/su: warning: cannot change directory to /home/haha: No such file or directory/<br>
/-sh-3.2$ /<br>
<br>
<br>
Root can su - haha successfully. I think that means Kerberos works,<br>
but a new user cannot reset their password in their shell.<br>
<br>
What should I do?<br>
<br>
Best Regards,<br>
Michael<br>
<br>
-- Michael Kang(康上明学)<br>
There is a giant asleep within every man. When the giant awakens, miracles happen.<br>
<br>
Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion<br>
<br>
------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
<br>
<br>
<br>
-- Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>><br>
<br></div></div><div class="im">
Principal Software QA Engineer<br>
Red Hat, Inc. Security Engineering<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br></div><div class="im">
<br>
<br>
<br>
--<br></div><div class="im">
David O'Brien<br>
IPA Content Author<br>
Red Hat Asia Pacific<br>
+61 7 3514 8189<br>
<br>
"The most valuable of all talents is that of never using two words when one will do."<br>
Thomas Jefferson<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br></div>
<div class="im"><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</div><div class="im">
<br>
<br>
</div><div class="im">
</div></blockquote>
<br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>Michael Kang(康上明学)<br>There is a giant asleep within every man. When the giant awakens,miracles happen.<br><br>Personal blog: <a href="http://ufusion.org">http://ufusion.org</a> - United Fusion<br>
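The client-side krb5.conf question in the thread (a file generated by ipa-client-install with no [realms] or [domain_realm] section, then the same file with both added) is the kind of thing worth checking mechanically before digging into the KDC. Below is an added example, not code from FreeIPA or from anyone on the list: a small parser for the krb5.conf format (one level of brace-delimited subsections, as used under [realms] and [appdefaults]) and a checker that reports whether kinit has a way to locate a KDC for the default realm, either an explicit kdc entry or dns_lookup_kdc for DNS SRV lookup, and whether [domain_realm] maps the client's domain to that realm. The two embedded configs are the ones Michael posted; the function names parse_krb5_conf and check_client_config and the assumption that the DNS domain is the lowercased realm (aragon.local for ARAGON.LOCAL) are this example's own, and the checker takes an explicit domain where that assumption does not hold. As the thread itself shows, a clean client file does not rule out a server-side fault (here a crashing httpd from an NSS bug), so treat a clean result as necessary, not sufficient.

```python
"""Sanity-check a FreeIPA client's krb5.conf for the sections discussed in the thread.
Added example, not FreeIPA's own tooling; sample configs are the ones posted above."""
import re

# Client krb5.conf as first generated (no [realms] / [domain_realm]), from the thread
ORIGINAL_KRB5_CONF = """\
#File modified by ipa-client-install
[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
"""

# The same file after the [realms] and [domain_realm] sections were added
FIXED_KRB5_CONF = ORIGINAL_KRB5_CONF + """\
[realms]
ARAGON.LOCAL = {
kdc = ipa.aragon.local:88
admin_server = ipa.aragon.local:749
default_domain = aragon.local
}
[domain_realm]
.aragon.local = ARAGON.LOCAL
aragon.local = ARAGON.LOCAL
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; a 'NAME = {' block becomes a
    nested dict. Repeated keys (e.g. several kdc lines) keep the last value."""
    conf = {}
    stack = []  # innermost dict last; empty until the first [section] header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        sec = re.match(r"^\[(\S+)\]$", line)
        if sec:
            stack = [conf.setdefault(sec.group(1), {})]
            continue
        if not stack:
            continue  # key before any section header: ignore
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        kv = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def check_client_config(conf, domain=None):
    """Return findings as 'error: ...' / 'warning: ...' strings (empty list = clean).
    domain defaults to the lowercased realm (assumption: ARAGON.LOCAL <-> aragon.local)."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["error: libdefaults: default_realm is not set"]
    domain = domain or realm.lower()
    dns_kdc = libdefaults.get("dns_lookup_kdc", "false").lower() in ("true", "yes", "1", "on")

    # How does kinit locate a KDC: an explicit kdc line, or DNS SRV records?
    realm_block = conf.get("realms", {}).get(realm)
    if not (isinstance(realm_block, dict) and realm_block.get("kdc")):
        if dns_kdc:
            findings.append(f"warning: realms: no kdc listed for {realm}; kinit will rely "
                            f"on DNS SRV records (_kerberos._udp.{domain})")
        else:
            findings.append(f"error: realms: no kdc listed for {realm} and dns_lookup_kdc "
                            f"is off; kinit has no way to locate a KDC")

    # Host-to-realm mapping for the client's own domain
    mapping = conf.get("domain_realm", {})
    if mapping.get("." + domain) != realm and mapping.get(domain) != realm:
        findings.append(f"error: domain_realm: neither .{domain} nor {domain} maps to {realm}")
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(name, check_client_config(parse_krb5_conf(text)) or ["clean"])
```

Run against the first file it reports a warning (no kdc line, so kinit depends on the _kerberos SRV records FreeIPA publishes in DNS) and an error (no domain_realm mapping); against the second it reports nothing. The warning is deliberately not an error: with dns_lookup_kdc enabled and FreeIPA-managed DNS, an empty [realms] section is a working configuration, so the check tells you where the KDC lookup is going to come from rather than insisting on a static entry.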