[Freeipa-users] pam settings for changing password under FreeIPA
Rob Crittenden
rcritten at redhat.com
Thu Oct 23 18:52:18 UTC 2008
Nick Gresham wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> As I mentioned previously, I've been trialling FreeIPA for the
> Bioinformatics Group at Manchester University.
>
> Generally, things are going well: our primary FreeIPA server is a Fedora
> 9 machine, and we are replicating matters over to a Centos 5.2 box (we
> built and installed the RPMs from the freeipa-1.1.1 release on these).
>
> Where we are hitting trouble, however, is in devising the correct pam
> and ssh settings to allow users to reset their passwords on client
> machines (which could be their desktops or servers that they access
> remotely over ssh).
>
> We are even having trouble with the case where the client is a Fedora 9 VM.
>
> Here we have in /etc/pam.d/system-auth:
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_ldap.so try_first_pass use_authtok
> password required pam_deny.so
>
> And in /etc/ssh/sshd:
>
> PasswordAuthentication no
> ChallengeResponseAuthentication yes
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication no
> GSSAPICleanupCredentials yes
> UsePAM yes
>
> Now when a user whose password has been reset on one of the freeipa
> servers attempts to log in, he or she is informed that the password has
> expired and is prompted to change it; the change fails with errors like
>
> Oct 23 17:47:42 c*******h sshd[20920]: pam_unix(sshd:chauthtok): user
> "m****" does not exist in /etc/passwd
> Oct 23 17:48:14 c*******h sshd[20920]: pam_krb5[20920]: password change
> failed for m****@S***H.MAN.AC.UK: Cannot contact any KDC for requested realm
> Oct 23 17:48:14 c*******h sshd[20918]: error: PAM: Authentication token
> manipulation error for m**** from l***.s***h.man.ac.uk
>
> on the client, and
>
> Oct 23 17:47:59 i*******h kpasswd[27429]: Unable to read request: Key
> version number for principal in key table is incorrect
>
> on the freeipa server.
>
> In fact the only case where we have this working at present is when the
> client is OpenSuSE-11: that is using pam_krb5-2.2.22-35.2.
>
> Could anyone suggest some guidelines for arriving at the winning
> combination of settings?
>
So it works on a SuSE client but not others, even now? You can go to
non-SuSE and it fails and then go to SuSE and it works?
Is there anything in the KDC error log: /var/log/krb5kdc.log?
rob
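To make the failure Nick describes reproducible offline, here is an added example (not from the thread or the FreeIPA project) that parses the quoted `system-auth` password stack and walks it with Linux-PAM's simple control-flag semantics (requisite/required/sufficient/optional; the bracketed `[value=action]` syntax is not handled). The per-module outcomes are constructed to match the logged errors: pam_unix fails because the user is not in /etc/passwd, pam_krb5 fails because no KDC is reachable, and nothing is left to satisfy the stack.

```python
"""Toy Linux-PAM 'password' stack evaluator (added example, simplified)."""
import re

# The stack quoted in the post, with the line continuation joined (constructed).
SYSTEM_AUTH_PASSWORD = """\
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_ldap.so try_first_pass use_authtok
password required pam_deny.so
"""

LINE_RE = re.compile(r"^(\S+)\s+(requisite|required|sufficient|optional)\s+(\S+)(.*)$")


def parse_stack(text, facility="password"):
    """Return [(control, module, [args])] for lines of the given facility."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) == facility:
            stack.append((m.group(2), m.group(3), m.group(4).split()))
    return stack


def evaluate(stack, results):
    """Walk the stack; results maps module -> True (PAM_SUCCESS) / False.

    Unlisted modules (e.g. pam_deny.so) are treated as failing.
    Returns (outcome, trace), outcome being 'success' or 'failure'.
    """
    required_failed = False
    trace = []
    for control, module, _args in stack:
        ok = results.get(module, False)
        trace.append(f"{module}: {'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            return "failure", trace            # stop immediately
        if control == "required" and not ok:
            required_failed = True             # remember, keep going
        if control == "sufficient" and ok and not required_failed:
            return "success", trace            # short-circuit on success
        # optional modules do not affect the result here
    return ("failure" if required_failed else "success"), trace
```

With pam_krb5 succeeding (the working OpenSuSE case) the stack short-circuits before pam_ldap and pam_deny; with both pam_unix and pam_krb5 failing, the required modules decide and sshd reports the generic "Authentication token manipulation error".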