[Freeipa-users] password problem
Rob Crittenden
rcritten at redhat.com
Wed Jul 29 14:42:04 UTC 2009
John Robert Mendoza wrote:
> Hi to all,
>
> I currently have setup a freeipa server on a virtual machine and have
> some issues I just want to be cleared with.
>
> My setup is as follows:
>
> I have tweaked the /etc/hosts file to register the hostname and IP
> address of the machine where I have installed the server.
>
> Then, I installed the ipa server from yum and have successfully created
> my realm and directory server. I have used the -N option to disable the
> configuration and installation of the NTP server. I have configured the
> /etc/ntp.conf to synchronize the time with our own ntp server.
>
> After the installation, I configured the browser to enable the webgui.
> I have successfully done this, and have accessed the administrator page
> after obtaining the admin ticket. Now I tried to create a test user.
> This test user has all the required entries for an account to be
> created. Now that the user exists, the page reported that the user's
> password has expired. I know this is a security feature. I then tried
> to kinit with the test user; it asked for the password and I supplied
> the password, which is identical to the password I supplied during
> the creation of the test user. kinit outputs the error:
> kinit(v5): Password incorrect while getting initial credentials.
>
> I looked in krb5kdc.log and found this:
> Jul 29 10:40:06 xx.xxx.xxx.xxx krb5kdc[1478](info): AS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 202.90.157.229: CLIENT KEY EXPIRED:
> hertz@XXX.XXX.XXX.XXX for krbtgt/XXX.XXX.XXX.XXX@XXX.XXX.XXX.XXX,
> Password has expired.
>
> I just X'ed out our realm and the hostname of the machine.
> Isn't the password that was supplied during the registration of a user
> supposed to be his Kerberos password too?
Yes, this password expired message is expected.
Immediately after this message you should see a NEEDED_PREAUTH for
kadmin/changepw@REALM, basically asking for the current password. Does
the password work if you do a simple bind to LDAP?
e.g. something like this to search for a login 'tuser':
% ldapsearch -x -D "uid=tuser,cn=users,cn=accounts,dc=example,dc=com" -W -b "dc=example,dc=com" uid=tuser
rob
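To check whether the KDC log actually shows the sequence Rob describes (CLIENT KEY EXPIRED on the krbtgt request, then a NEEDED_PREAUTH request for kadmin/changepw that is either issued or fails preauthentication), here is an added shell helper that is not part of this thread. The log lines, hostname ipa.example.com, realm EXAMPLE.COM, address and user tuser below are constructed for the example.

```shell
#!/bin/sh
# Classify what krb5kdc.log recorded for one client principal whose password
# has expired. Reads the log on stdin and prints one status word:
#   no-expiry                        no CLIENT KEY EXPIRED line for the client
#   expired-no-changepw-attempt      expired, but no kadmin/changepw request seen
#   expired-changepw-pending         kadmin/changepw asked for preauth, no outcome yet
#   expired-changepw-wrong-password  preauth for kadmin/changepw failed
#   expired-changepw-ok              kadmin/changepw ticket issued (password accepted)
# Usage: kdc_expiry_status CLIENT_PRINCIPAL < /var/log/krb5kdc.log
kdc_expiry_status() {
  awk -v client="$1" '
    index($0, "CLIENT KEY EXPIRED: " client " for ")                          { expired = 1 }
    expired && index($0, "NEEDED_PREAUTH: " client " for kadmin/changepw@")   { asked = 1 }
    expired && index($0, "PREAUTH_FAILED: " client " for kadmin/changepw@")   { failed = 1 }
    expired && index($0, "ISSUE:") && index($0, client " for kadmin/changepw@") { issued = 1 }
    END {
      if (!expired)    print "no-expiry"
      else if (issued) print "expired-changepw-ok"
      else if (failed) print "expired-changepw-wrong-password"
      else if (asked)  print "expired-changepw-pending"
      else             print "expired-no-changepw-attempt"
    }'
}

# Constructed sample: expired password, then the current password accepted
# for kadmin/changepw (the healthy sequence Rob describes).
SAMPLE_OK=$(cat <<'EOF'
Jul 29 10:40:06 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: CLIENT KEY EXPIRED: tuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 29 10:40:06 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: tuser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 29 10:40:08 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1248864008, etypes {rep=18 tkt=18 ses=18}, tuser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
EOF
)

# Constructed sample: expired password, but the password typed at the
# kadmin/changepw step did not match, so preauthentication failed.
SAMPLE_WRONG=$(cat <<'EOF'
Jul 29 10:41:12 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: CLIENT KEY EXPIRED: tuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 29 10:41:12 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: tuser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 29 10:41:15 ipa.example.com krb5kdc[1478](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 29 10:41:15 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: PREAUTH_FAILED: tuser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Preauthentication failed
EOF
)

printf '%s\n' "$SAMPLE_OK"    | kdc_expiry_status tuser@EXAMPLE.COM   # expired-changepw-ok
printf '%s\n' "$SAMPLE_WRONG" | kdc_expiry_status tuser@EXAMPLE.COM   # expired-changepw-wrong-password
```

On a real server, run it as `kdc_expiry_status hertz@REALM < /var/log/krb5kdc.log` with your own principal and realm; an "expired-changepw-wrong-password" result means the password typed at the change-password prompt is what the KDC rejected, not the expiry itself.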