This is my krb5kdc.log ...<br><br>Sep 21 00:03:14 <a href="http://ipa.example.com">ipa.example.com</a> krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) <a href="http://129.104.11.85">129.104.11.85</a>: CLIENT KEY EXPIRED: test@LIX.POLYTECHN<br> <a href="http://IQUE.FR">IQUE.FR</a> for krbtgt/<a href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a>, Password has expired<br>Sep 21 00:03:14 <a href="http://ipa.example.com">ipa.example.com</a> krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) <a href="http://129.104.11.85">129.104.11.85</a>: NEEDED_PREAUTH: <a href="mailto:test@EXAMPLE.COM">test@EXAMPLE.COM</a> for kadmin/<a href="mailto:changepw@EXAMPLE.COM">changepw@EXAMPLE.COM</a>, Additional pre-authentication required<br> Sep 21 00:03:14 <a href="http://ipa.example.com">ipa.example.com</a> krb5kdc[22836](info): AS_REQ (4 etypes {18 17 16 23}) <a href="http://129.104.11.85">129.104.11.85</a>: ISSUE: authtime 1348178594, etypes {rep=18 tkt=18 ses=18}, <a href="mailto:test@EXAMPLE.COM">test@EXAMPLE.COM</a> for kadmin/<a href="mailto:changepw@EXAMPLE.COM">changepw@EXAMPLE.COM</a><br> Sep 21 00:04:59 <a href="http://ipa.example.com">ipa.example.com</a> krb5kdc[22836](info): TGS_REQ (4 etypes {18 17 16 23}) <a href="http://129.104.11.85">129.104.11.85</a>: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/<a href="mailto:ipa.example.com@EXAMPLE.COM">ipa.example.com@EXAMPLE.COM</a> for ldap/<a href="mailto:ipa.example.com@EXAMPLE.COM">ipa.example.com@EXAMPLE.COM</a><br> Sep 21 00:04:59 <a href="http://ipa.example.com">ipa.example.com</a> krb5kdc[22836](info): ... CONSTRAINED-DELEGATION s4u-client=<a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a><br>Sep 21 00:05:08 <a href="http://ipa.example.com">ipa.example.com</a> krb5kdc[22843](info): TGS_REQ (4 etypes {18 17 16 23}) <a href="http://129.104.11.85">129.104.11.85</a>: ISSUE: authtime 1348176661, etypes {rep=18 tkt=18 ses=18}, HTTP/<a href="mailto:ipa.example.com@EXAMPLE.COM">ipa.example.com@EXAMPLE.COM</a> for ldap/<a href="mailto:ipa.example.com@EXAMPLE.COM">ipa.example.com@EXAMPLE.COM</a><br> <br><br>Thanks<br><br><div class="gmail_quote">2012/9/21 James James <span dir="ltr"><<a href="mailto:jreg2k@gmail.com" target="_blank">jreg2k@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Now, I can read the userPassword field (after the migration process) but I still can't change my password from the ui. I just got : <br><br>kerberos ticket is no longer valid.<div class="HOEnZb"><div class="h5"><br><br> <br><div class="gmail_quote">2012/9/20 James James <span dir="ltr"><<a href="mailto:jreg2k@gmail.com" target="_blank">jreg2k@gmail.com</a>></span><br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It will be fine to have this info in the doc.<div><div><br><br><div class="gmail_quote">2012/9/20 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span><br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div><div>Dmitri Pal wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 09/20/2012 01:42 PM, Rob Crittenden wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> James James wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> You 're right. The request return :<br> <br> Enter LDAP Password:<br> # extended LDIF<br> #<br> # LDAPv3<br> # base <cn=users,cn=accounts,dc=<u></u>example,dc=com> with scope subtree<br> # filter: uid=test<br> # requesting: userPassword<br> #<br> <br> # test, users, accounts, <a href="http://example.com" target="_blank">example.com</a> <<a href="http://example.com" target="_blank">http://example.com</a>><br> dn: uid=test,cn=users,cn=accounts,<u></u>dc=example,dc=com<br> <br> # search result<br> search: 2<br> result: 0 Success<br> <br> Can you explain me what happens ?<br> <br> Is there a solution ?<br> </blockquote> <br> When migrating you need to bind as a user that has read permission on<br> the userPassword attribute in the remote LDAP server.<br> </blockquote> <br> Rob should we check if we can read the userPassword attribute and if not<br> fail migration?<br> Should we open a ticket for this?<br> Also I do not think we document the expectation that you vocalized above.<br> </blockquote> <br></div></div> I'll open a ticket to spell this out in the docs.<br> <br> Checking it in the command would be nice but I don't know about fatal. Still, I'll open a ticket for that as well.<span><font color="#888888"><br> <br> rob<br> </font></span></blockquote></div><br> </div></div></blockquote></div><br> </div></div></blockquote></div><br>