[Freeipa-users] pam settings for changing password under FreeIPA
Nick Gresham
n.gresham at manchester.ac.uk
Fri Oct 24 11:38:07 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>
> So it works on a SuSE client but not others, even now? You can go to
> non-SuSE and it fails and then go to SuSE and it works?
>
That's right: at present the password changing procedure only works with
an OpenSuSE client, e.g.
Password:
Warning: password has expired.
New Password:
Reenter New Password:
LDAP password information changed for m*****
Last login: Wed Oct 22 14:03:04 2008 from l***.s****.man.ac.uk
Have a lot of fun...
The OpenSuSE settings in /etc/pam.d/common-password are as follows:
password requisite pam_pwcheck.so cracklib
password sufficient pam_unix2.so use_authtok
password sufficient pam_krb5.so
password required pam_ldap.so try_first_pass use_authtok
but transplanting these to the Fedora 9 machine referred to above results in
Password:
Warning: password has expired.
Password:
etc...
> Is there anything in the KDC error log: /var/log/krb5kdc.log
>
> rob
the server-side logs look OK, e.g.
10.******: NEEDED_PREAUTH: m****@S****.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK, Additional pre-authentication required
Oct 24 12:26:02 i*******.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.**.**.67: NEEDED_PREAUTH: m*****@SMITH.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK, Additional pre-authentication required
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: CLIENT KEY EXPIRED: m*****@SMITH.MAN.AC.UK for krbtgt/SMITH.MAN.AC.UK@SMITH.MAN.AC.UK, Password has expired
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: CLIENT KEY EXPIRED: m*****@SMITH.MAN.AC.UK for krbtgt/SMITH.MAN.AC.UK@SMITH.MAN.AC.UK, Password has expired
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: NEEDED_PREAUTH: m*****@SMITH.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK, Additional pre-authentication required
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: NEEDED_PREAUTH: m*****@SMITH.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK, Additional pre-authentication required
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: ISSUE: authtime 1224847613, etypes {rep=18 tkt=18 ses=18}, m*****@SMITH.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: ISSUE: authtime 1224847613, etypes {rep=18 tkt=18 ses=18}, m*****@s****.man.ac.uk for kadmin/changepw@s****.man.ac.uk
I believe it is a question of juggling the different sshd/pam settings
for different distros with their respective versions of pam_krb5.
Does anyone have some working settings for Fedora or RHEL5 that they
could post?
Regards
[NG]
N.J. Gresham
FLS/IS AIO
Systems Administration and Support
University of Manchester
Faculty of Life Sciences
int: 7759349
ext: 0790-989-3684
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkkBs58ACgkQoqZzfMI0UdnJAQCfcbQPNlPOtOX0C0VyvaqcCAZK
UawAn00rLWoyI19DqXS6NeVn5TYlma2n
=0UB9
-----END PGP SIGNATURE-----
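The KDC log excerpt in the message above shows the sequence a password change at login produces on the KDC side: an AS_REQ for the TGT answered with CLIENT KEY EXPIRED, then pre-authentication and an ISSUE for kadmin/changepw. The following is an added example, not code from the thread or from FreeIPA, that parses MIT krb5kdc.log request lines of that shape and picks out (a) clients that hit the expiry and then did obtain a changepw ticket, so the failure must be on the client/PAM side rather than at the KDC, and (b) clients that advertise single-DES or RC4 encryption types in their requests, which is visible in the etype lists in the log. The log lines are constructed sample data with an EXAMPLE.COM realm; the function names and the encryption-type table are the example's own assumptions.

```python
"""Parse MIT krb5kdc.log request lines and flag the 'password expired, then
kadmin/changepw issued' sequence, plus weak etypes offered by clients.

Added example with constructed sample data; not FreeIPA or MIT code.
"""
import re
from collections import defaultdict

# Common prefix of a krb5kdc.log request line (IPv4 client addresses assumed):
#   Oct 24 12:26:53 kdc krb5kdc[18404](info): AS_REQ (12 etypes {18 17 ...}) 10.0.0.249: <rest>
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[^:]+): (?P<rest>.*)$"
)
# Successful issue:  ISSUE: authtime 1224847613, etypes {rep=18 tkt=18 ses=18}, user@R for svc@R
_ISSUE = re.compile(
    r"^ISSUE: authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, (?P<client>\S+) for (?P<server>[^\s,]+)$"
)
# Any other status:  NEEDED_PREAUTH: user@R for svc@R, Additional pre-authentication required
_STATUS = re.compile(
    r"^(?P<status>[^:]+): (?P<client>\S+) for (?P<server>[^\s,]+)(?:, (?P<msg>.*))?$"
)

# Kerberos encryption-type numbers (RFC 3961/3962/4757); assumed subset for the example.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK_ETYPES = {1, 2, 3, 23, 24}  # single DES and RC4 should not be offered by clients


def parse_kdc_line(line):
    """Return a dict for one krb5kdc.log request line, or None if it does not match."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    rest = rec.pop("rest")
    issue = _ISSUE.match(rest)
    if issue:
        rec.update(issue.groupdict())
        rec["status"] = "ISSUE"
        rec["msg"] = None
        return rec
    st = _STATUS.match(rest)
    if not st:
        return None
    rec.update(st.groupdict())
    return rec


def parse_kdc_log(text):
    """Parse every matching line of a log file; non-request lines are skipped."""
    return [r for r in (parse_kdc_line(ln) for ln in text.splitlines()) if r]


def expired_then_changepw(records):
    """(client, ip) pairs whose TGT request got CLIENT KEY EXPIRED and that later
    received an ISSUE for kadmin/changepw: the KDC side of the change worked."""
    expired, result = set(), []
    for r in records:
        key = (r["client"], r["ip"])
        if r["status"] == "CLIENT KEY EXPIRED" and r["server"].startswith("krbtgt/"):
            expired.add(key)
        elif (r["status"] == "ISSUE" and r["server"].startswith("kadmin/changepw@")
              and key in expired and key not in result):
            result.append(key)
    return result


def weak_etype_offers(records):
    """Map (client, ip) -> sorted names of weak etypes that client advertised."""
    out = defaultdict(set)
    for r in records:
        for e in r["etypes"]:
            if e in WEAK_ETYPES:
                out[(r["client"], r["ip"])].add(ETYPE_NAMES[e])
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample log mirroring the sequence in the message (EXAMPLE.COM realm).
SAMPLE_LOG = """\
Oct 24 12:26:53 kdc.example.com krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.0.0.249: CLIENT KEY EXPIRED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Oct 24 12:26:53 kdc.example.com krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.0.0.249: NEEDED_PREAUTH: alice@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Oct 24 12:26:53 kdc.example.com krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.0.0.249: ISSUE: authtime 1224847613, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Oct 24 12:27:10 kdc.example.com krb5kdc[18404](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.67: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Oct 24 12:27:10 kdc.example.com krb5kdc[18404](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.67: ISSUE: authtime 1224847630, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Oct 24 12:27:11 kdc.example.com krb5kdc[18404](info): TGS_REQ (2 etypes {18 17}) 10.0.0.67: ISSUE: authtime 1224847630, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for host/ws1.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_LOG)
    print("expired then changepw issued:", expired_then_changepw(recs))
    for key, names in weak_etype_offers(recs).items():
        print("weak etypes offered by", key, "->", ", ".join(names))
```

Run against a real /var/log/krb5kdc.log, the first function tells you whether a user's failed password change ever reached the KDC: if the expiry is logged but no changepw ticket follows, the client never sent the change; if the changepw ticket is issued, as in the thread, the problem is in the client's PAM stack or in what it does with that ticket afterwards.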