<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Michael Kang</b> <span dir="ltr"><<a href="mailto:wxiluo@gmail.com">wxiluo@gmail.com</a>></span><br>Date: Fri, Sep 25, 2009 at 4:09 PM<br>
Subject: Re: [Freeipa-users] Problem with Kerberos Authentication<br>To: Jenny Galipeau <<a href="mailto:jgalipea@redhat.com">jgalipea@redhat.com</a>><br><br><br>Dear Jenny Galipeau,<br><br>Thank you and Everyone who helped me with this project. Thanks for being patient and answering my questions :)<br>
<br>My problem was solved by using Fedora 11 (upgraded completely). FreeIPA may have bugs with Fedora 9.<br>
<br>If I install Fedora 11 (not upgrade), then install ipa-server, Apache crashed many times per second. Here are the log outputs:<br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
<i style="font-family: times new roman,serif;">Apache child pid xxxx exit signal Segmentation fault (11)</i><br></blockquote><br>After upgrading the whole system, this problem disappeared. Also, new users can pass Kerberos authentication and log in to the system successfully.<br>
<br>If you want the details about the bugs on Fedora 9, I could send them to you. Please let me know what you want.<br><br>Thank you again.<br><font color="#888888">Michael</font><div><div></div><div class="h5"><br>
<br><div class="gmail_quote">On Thu, Sep 24, 2009 at 8:41 PM, Jenny Galipeau <span dir="ltr"><<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Michael:<br>
<br>
Let's rule in or out the delegation you added. Can you remove the delegation and try it? If it works, I think we may have a bug. If it behaves the same, if you could provide more debug info that would be great.<br>
<br>
Thanks<br>
Jenny<br>
<br>
Michael Kang wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>
Hi David,<br>
<br>
I rebooted the system after I edited the configuration file.<br>
<br>
Regards,<br>
Michael<br>
<br></div><div><div></div><div>
On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien <<a href="mailto:davido@redhat.com" target="_blank">davido@redhat.com</a>> wrote:<br>
<br>
Michael,<br>
did you restart the kdc after you updated the krb5.conf file?<br>
<br>
David<br>
<br>
Michael Kang wrote:<br>
<br>
According to the FreeIPA Client Configure Guide, I realized I may have missed something in my client's krb5.conf. It had been created by the ipa-client-install script. I never edited it. But there are <b>no</b> <b>[realms]</b> and <b>[domain_realm]</b> sections in the krb5.conf file.<br>
<br>
So I added them, as shown below:<br>
<br>
<br>
#File modified by ipa-client-install<br>
<br>
[libdefaults]<br>
default_realm = ARAGON.LOCAL<br>
dns_lookup_realm = true<br>
dns_lookup_kdc = true<br>
ticket_lifetime = 24h<br>
forwardable = yes<br>
<br>
[realms]<br>
ARAGON.LOCAL = {<br>
kdc = ipa.aragon.local:88<br>
admin_server = ipa.aragon.local:749<br>
default_domain = aragon.local<br>
}<br>
<br>
[domain_realm]<br>
.aragon.local = ARAGON.LOCAL<br>
aragon.local = ARAGON.LOCAL<br>
<br>
[appdefaults]<br>
pam = {<br>
debug = false<br>
ticket_lifetime = 36000<br>
renew_lifetime = 36000<br>
forwardable = true<br>
krb4_convert = false<br>
}<br>
<br>
<br>
<br>
It doesn't work with the new krb5.conf either.<br>
<i>kinit(v5): Password change failed while getting initial credentials</i><br>
<br>
I'd like to post more detailed output. I hope it's helpful.<br>
<br>
<br>
[root@freeipa ~]# kinit admin<br>
Password for admin@ARAGON.LOCAL:<br>
[root@freeipa ~]# klist<br>
Ticket cache: FILE:/tmp/krb5cc_0<br>
Default principal: admin@ARAGON.LOCAL<br>
<br>
Valid starting Expires Service principal<br>
09/23/09 22:52:57 09/24/09 22:52:58 krbtgt/ARAGON.LOCAL@ARAGON.LOCAL<br>
<br>
<br>
Kerberos 4 ticket cache: /tmp/tkt0<br>
klist: You have no tickets cached<br>
[root@freeipa ~]# ipa-finduser admin<br>
Full Name: Administrator<br>
Home Directory: /home/admin<br>
Login Shell: /bin/bash<br>
Login: admin<br>
<br>
[root@freeipa ~]# ipa-finduser haha<br>
Full Name: haha haha<br>
Home Directory: /home/haha<br>
Login Shell: /bin/sh<br>
Login: haha<br>
<br>
<br>
<br>
Regards,<br>
Michael<br>
<br>
On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <<a href="mailto:wxiluo@gmail.com" target="_blank">wxiluo@gmail.com</a>> wrote:<br></div></div><div>
<br>
<br>
Here is client's krb5.conf:<br>
<br>
#File modified by ipa-client-install<br>
<br>
[libdefaults]<br>
default_realm = ARAGON.LOCAL<br>
dns_lookup_realm = true<br>
dns_lookup_kdc = true<br>
ticket_lifetime = 24h<br>
forwardable = yes<br>
<br>
[appdefaults]<br>
pam = {<br>
debug = false<br>
ticket_lifetime = 36000<br>
renew_lifetime = 36000<br>
forwardable = true<br>
krb4_convert = false<br>
}<br>
<br>
<br>
EOF<br>
<br>
<br>
On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>> wrote:<br></div><div><div></div><div>
<br>
<br>
<br>
Michael Kang wrote:<br>
<br>
<br>
Dear FreeIPA community,<br>
<br>
I did try setting the new user's initial password. But it didn't work either. I got a protocol error.<br>
<br>
Here is the output of console :<br>
<br>
[root@freeipa ~]# kinit admin<br>
Password for admin@ARAGON.LOCAL:<br>
[root@freeipa ~]# ipa-passwd haha<br>
Changing password for haha@ARAGON.LOCAL<br>
New Password:<br>
Confirm Password:<br>
[root@freeipa ~]# kinit haha<br>
Password for haha@ARAGON.LOCAL:<br>
Password expired. You must change it now.<br>
Enter new password:<br>
Enter it again:<br>
kinit(v5): Requested protocol version not supported while getting initial credentials<br>
<br>
<br>
<br>
Sounds like a Kerberos V4 request was sent to the KDC? What's in the client's krb5.conf?<br>
Jenny<br>
<br>
<br>
On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>> wrote:<br></div></div>
<div><div></div><div><br>
<br>
Jenny Galipeau wrote:<br>
<br>
<br>
Michael Kang wrote:<br>
<br>
Dear FreeIPA community,<br>
<br>
I successfully installed FreeIPA this morning. Now I have a problem with Kerberos authentication. New users cannot modify their password in the shell.<br>
<br>
Hi Michael:<br>
Did you set the new user's initial password?<br>
kinit admin<br>
ipa passwd haha<br>
Thanks<br>
Jenny<br>
<br>
Also kinit as haha, because haha will be asked to<br>
change the<br>
password on first authentication.<br>
<br>
Thanks<br>
Jenny<br>
<br>
<br>
I added a new user named <i>haha</i> (group: ipauser) via the web UI. This user is not an existing system user. Then I added a new delegation (allowing people in group ipauser to modify the password for group ipauser).<br>
<br>
<i>[michael@freeipa Desktop]$ su - haha</i><br>
<i>Password: </i><br>
<br>
<i>Warning: Your password will expire in less than one hour.</i><br>
<i>Warning: password has expired.</i><br>
<i>Kerberos 5 Password: </i><br>
<i>Warning: Your password will expire in less than one hour.</i><br>
<i>New UNIX password: </i><br>
<i>Retype new UNIX password: </i><br>
<i>su: incorrect password</i><br>
<i>[michael@freeipa Desktop]$ su - root</i><br>
<i>Password: </i><br>
<i>[root@freeipa ~]# su - haha</i><br>
<i>su: warning: cannot change directory to /home/haha: No such file or directory</i><br>
<i>-sh-3.2$ </i><br>
<br>
<br>
Root can su - haha successfully. I think that means Kerberos works, but a new user cannot reset their password in their shell.<br>
<br>
What should I do?<br>
<br>
Best Regards,<br>
Michael<br>
<br>
-- Michael Kang(康上明学)<br>
There is a giant asleep within every man. When the giant awakens, miracles happen.<br>
<br>
Personal blog: <a href="http://ufusion.org" target="_blank">http://ufusion.org</a> - United Fusion<br>
<br>
------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
<br>
<br>
<br>
-- Jenny Galipeau <<a href="mailto:jgalipea@redhat.com" target="_blank">jgalipea@redhat.com</a>><br></div></div>
<div><br>
Principal Software QA Engineer<br>
Red Hat, Inc. Security Engineering<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br></div><div>
<br>
<br>
<br>
-- <br></div><div>
David O'Brien<br>
IPA Content Author<br>
Red Hat Asia Pacific<br>
+61 7 3514 8189<br>
<br>
"The most valuable of all talents is that of never using two words when one will do."<br>
Thomas Jefferson<br>
<br>
<br>
<br>
<br>
</div></blockquote>
<br>
<br>
<div><div></div><div>
<br>
</div></div></blockquote></div><br clear="all">
</div></div></div>
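The krb5.conf checks Michael did by hand in the thread above (does [libdefaults] name a realm, can the client locate a KDC for that realm, and does [domain_realm] map the host's DNS domain to it) written up as a small linter. This is an added example, not code from the thread or from FreeIPA. The two embedded configs are reconstructed from the ones quoted in the thread (realm ARAGON.LOCAL, KDC ipa.aragon.local), the host domain aragon.local is taken from them, and the finding levels and messages are this example's own; it does not talk to a KDC.

```python
"""Lint the realm/domain mappings in an MIT krb5.conf (added example)."""
import re

# Constructed from the config quoted in the thread as produced by
# ipa-client-install: no [realms] and no [domain_realm] section.
KRB5_CONF_ORIGINAL = """\
#File modified by ipa-client-install

[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
"""

# Constructed from the hand-edited config quoted in the thread.
KRB5_CONF_EDITED = KRB5_CONF_ORIGINAL + """
[realms]
  ARAGON.LOCAL = {
    kdc = ipa.aragon.local:88
    admin_server = ipa.aragon.local:749
    default_domain = aragon.local
  }

[domain_realm]
  .aragon.local = ARAGON.LOCAL
  aragon.local = ARAGON.LOCAL
"""

_ASSIGN = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a ``key = {`` block becomes a nested dict.

    Covers the syntax used in the thread: '#' comments, [section] headers,
    ``key = value`` lines and brace-delimited subsections. A repeated key
    keeps its last value.
    """
    sections, current, stack = {}, None, []  # stack: open "key = {" dicts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            stack = []
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
            continue
        m = _ASSIGN.match(line)
        if m is None or current is None:
            raise ValueError("unparseable krb5.conf line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        target = stack[-1] if stack else current
        if value == "{":
            target[key] = {}
            stack.append(target[key])
        else:
            target[key] = value
    return sections


def _flag(value, default):
    """Interpret a krb5.conf boolean; ``default`` is MIT's built-in default."""
    return default if value is None else value.strip().lower() in ("true", "yes", "1")


def lint_realm_config(conf, host_domain):
    """Return [(level, message)]; an empty list means every check passed.

    "info" means a lookup depends on DNS rather than on the file; "error"
    means the client cannot reach its realm from this file at all, or is
    pointed at a different realm than default_realm.
    """
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return [("error", "[libdefaults] has no default_realm")]
    # MIT defaults: dns_lookup_kdc = true, dns_lookup_realm = false.
    dns_kdc = _flag(libdefaults.get("dns_lookup_kdc"), True)
    dns_realm = _flag(libdefaults.get("dns_lookup_realm"), False)

    kdc = conf.get("realms", {}).get(realm, {}).get("kdc")
    if kdc is None and not dns_kdc:
        findings.append(("error", "no KDC for %s: add a [realms] entry or enable dns_lookup_kdc" % realm))
    elif kdc is None:
        findings.append(("info", "KDC for %s is found only via DNS SRV records (no [realms] entry)" % realm))

    domain_realm = conf.get("domain_realm", {})
    mapped = domain_realm.get("." + host_domain) or domain_realm.get(host_domain)
    if mapped is None and not dns_realm:
        findings.append(("error", "no [domain_realm] mapping for %s and dns_lookup_realm is off" % host_domain))
    elif mapped is None:
        findings.append(("info", "%s is mapped to a realm only via DNS TXT records (no [domain_realm] entry)" % host_domain))
    elif mapped != realm:
        findings.append(("error", "%s maps to %s, not the default realm %s" % (host_domain, mapped, realm)))
    return findings
```

Run against the two embedded configs, the ipa-client-install one yields two "info" findings (both the KDC and the realm mapping are resolved through DNS only) and the hand-edited one yields none; changing the `.aragon.local` mapping to a different realm turns the second check into an "error", which is the case that matters for a client because its service principals would then be looked up in the wrong realm.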