[Freeipa-users] pam settings for changing password under FreeIPA

Rob Crittenden rcritten at redhat.com
Thu Oct 23 18:52:18 UTC 2008


Nick Gresham wrote:
> Hi,
> 
> As I mentioned previously, I've been trialling FreeIPA for the
> Bioinformatics Group at Manchester University.
> 
> Generally, things are going well: our primary FreeIPA server is a Fedora
> 9 machine, and we are replicating matters over to a Centos 5.2 box (we
> built and installed the RPMs from the freeipa-1.1.1 release on these).
> 
> Where we are hitting trouble, however, is in devising the correct pam
> and ssh settings to allow users to reset their passwords on client
> machines (which could be their desktops or servers that they access
> remotely over ssh).
> 
> We are even having trouble with the case where the client is a Fedora 9 VM.
> 
> Here we have in /etc/pam.d/system-auth:
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_ldap.so try_first_pass use_authtok
> password    required      pam_deny.so
> 
> And in /etc/ssh/sshd:
> 
> PasswordAuthentication no
> ChallengeResponseAuthentication yes
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication no
> GSSAPICleanupCredentials yes
> UsePAM yes
> 
> Now when a user whose password has been reset on one of the freeipa
> servers attempts to log in, he or she is informed that the password
> expired, and is prompted to change it, the change fails with errors like
> 
> Oct 23 17:47:42 c*******h sshd[20920]: pam_unix(sshd:chauthtok): user
> "m****" does not exist in /etc/passwd
> Oct 23 17:48:14 c*******h sshd[20920]: pam_krb5[20920]: password change
> failed for m****@S***H.MAN.AC.UK: Cannot contact any KDC for requested realm
> Oct 23 17:48:14 c*******h sshd[20918]: error: PAM: Authentication token
> manipulation error for m**** from l***.s***h.man.ac.uk
> 
> on the client, and
> 
> Oct 23 17:47:59 i*******h kpasswd[27429]: Unable to read request: Key
> version number for principal in key table is incorrect
> 
> on the freeipa server.
> 
> In fact the only case where we have this working at present is when the
> client is OpenSuSE-11: that is using pam_krb5-2.2.22-35.2.
> 
> Could anyone suggest some guidelines for arriving at the winning
> combination of settings?
>

So it works on a SuSE client but not others, even now?  You can go to 
non-SuSE and it fails and then go to SuSE and it works?

Is there anything in the KDC error log: /var/log/krb5kdc.log?

rob
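The server-side message "Key version number for principal in key table is incorrect" means the password-change service is reading a keytab whose key version (kvno) no longer matches the key the KDC holds for that principal. The script below is an added example, not part of this thread or of FreeIPA: it parses the output of `klist -k` (the keytab) and `kvno` (what the KDC currently issues) and reports principals whose keytab entries are stale. The keytab path, realm and principal names in the embedded sample output are constructed placeholders.

```python
import re

# Constructed sample output of `klist -k <keytab>` on the server (placeholder values).
SAMPLE_KLIST = """Keytab name: FILE:/var/kerberos/krb5kdc/kpasswd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 kadmin/changepw@EXAMPLE.COM
   2 kadmin/changepw@EXAMPLE.COM
   3 host/ipa.example.com@EXAMPLE.COM
"""

# Constructed sample output of `kvno kadmin/changepw host/ipa.example.com` (placeholder values).
SAMPLE_KVNO = """kadmin/changepw@EXAMPLE.COM: kvno = 4
host/ipa.example.com@EXAMPLE.COM: kvno = 3
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")   # "<kvno> <principal>" rows of klist -k
KVNO_LINE = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")  # "<principal>: kvno = <n>" rows of kvno


def parse_klist(text):
    """Map each principal listed by `klist -k` to the set of KVNOs stored in the keytab."""
    found = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found


def parse_kvno(text):
    """Map each principal listed by `kvno` to the KVNO the KDC currently issues tickets for."""
    return {m.group(1): int(m.group(2))
            for m in map(KVNO_LINE.match, text.splitlines()) if m}


def stale_keytab_entries(keytab, kdc):
    """Return (principal, keytab kvnos, KDC kvno) for principals whose keytab lacks the KDC's
    current key version; such entries produce the 'Key version number ... is incorrect' error."""
    return sorted((p, sorted(keytab[p]), kdc[p])
                  for p in keytab if p in kdc and kdc[p] not in keytab[p])


if __name__ == "__main__":
    for principal, have, want in stale_keytab_entries(parse_klist(SAMPLE_KLIST),
                                                      parse_kvno(SAMPLE_KVNO)):
        print(f"{principal}: keytab has kvno {have}, KDC expects {want}; re-export the keytab")
```

Run it against real output by feeding `klist -k` (without `-e`, whose enctype suffix the row pattern does not parse) and `kvno` results into the two parsers; a reported principal means the service keytab must be regenerated from the KDC.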