[Freeipa-users] password problem

Rob Crittenden rcritten at redhat.com
Wed Jul 29 14:42:04 UTC 2009


John Robert Mendoza wrote:
> Hi to all,
> 
> I currently have set up a freeipa server on a virtual machine and have 
> some issues I just want to be cleared up.
> 
> My setup is as follows:
> 
> I have tweaked the /etc/hosts file to register the hostname and ip 
> address of the machine to where I have installed the server.
> 
> Then, I installed the ipa server from yum and have successfully created 
> my realm and directory server.  I have used the -N option to disable the 
> configuration and installation of the NTP server.  I have configured the 
> /etc/ntp.conf to synchronize the time with our own ntp server. 
> 
> After the installation, I configured the browser to enable the web GUI.  
> I have successfully done this, and have accessed the administrator page 
> after obtaining the admin ticket.  Now I tried to create a test user.  
> This test user has sufficient required entries for an account to be 
> created. Now that the user exists, the page reported that the user's 
> password has expired.  I know this is a security feature.  I then tried 
> to kinit with the test user; it asked for the password and I, in return, 
> supplied the password, which is identical to the password I 
> supplied during the creation of the test user.  kinit outputs an 
> error: kinit(v5): Password incorrect while getting initial credentials.
> 
> I looked in the krb5kdc.log and found these:
> Jul 29 10:40:06 xx.xxx.xxx.xxx krb5kdc[1478](info): AS_REQ (7 etypes {18 
> 17 16 23 1 3 2}) 202.90.157.229: CLIENT KEY EXPIRED: 
> hertz at XXX.XXX.XXX.XXX for krbtgt/XXX.XXX.XXX.XXX at XXX.XXX.XXX.XXX, 
> Password has expired.
> 
> I just X'ed out our realm and the hostname of the machine.
> Isn't the password that was supplied during the registration of 
> a user supposed to be his Kerberos password too?

Yes, this password expired message is expected.

Immediately after this message you should see a NEEDED_PREAUTH for 
kadmin/changepw at REALM, basically asking for the current password. Does 
the password work if you do a simple bind to LDAP?

e.g. something like this to search for a login 'tuser'

% ldapsearch -x -D "uid=tuser,cn=users,cn=accounts,dc=example,dc=com" -W 
-b "dc=example,dc=com" uid=tuser

rob
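The sequence Rob describes (CLIENT KEY EXPIRED for krbtgt, then a NEEDED_PREAUTH for kadmin/changepw that is answered with the current password) is easy to miss when reading krb5kdc.log by hand. The following script is an added example and is not part of this thread or of FreeIPA; it parses MIT krb5kdc AS_REQ lines in the format quoted above and, for every principal that hit CLIENT KEY EXPIRED, reports whether the follow-up kadmin/changepw request was accepted (ISSUE), rejected (PREAUTH_FAILED), left at NEEDED_PREAUTH, or never made. The log lines, host names, IPs, principals and the EXAMPLE.COM realm are constructed; the list archive rewrote '@' as ' at ', real logs use '@'.

```python
import re

# Constructed sample of MIT krb5kdc.log AS_REQ lines, modelled on the line
# quoted in the thread. Hosts, IPs, principals and the realm are made up.
SAMPLE_LOG = """\
Jul 29 10:40:06 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: CLIENT KEY EXPIRED: hertz@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 29 10:40:06 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: hertz@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 29 10:40:07 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1248864007, etypes {rep=18 tkt=18 ses=18}, hertz@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jul 29 10:52:41 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: CLIENT KEY EXPIRED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 29 10:52:41 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: NEEDED_PREAUTH: carol@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 29 10:52:44 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: PREAUTH_FAILED: carol@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Preauthentication failed
Jul 29 11:03:12 ipa.example.com krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.12: CLIENT KEY EXPIRED: dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
"""

# An AS_REQ line: "... krb5kdc[PID](info): AS_REQ (N etypes {...}) IP: STATUS: rest"
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_ ]+): (?P<rest>.*)$"
)
# "client@REALM for service/host@REALM" appears in the rest of every status we care about
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^,\s]+)")


def parse_as_req(line):
    """Return a dict for an AS_REQ log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    p = PRINC_RE.search(m.group("rest"))
    return {
        "ip": m.group("ip"),
        "status": m.group("status"),
        "client": p.group("client") if p else None,
        "service": p.group("service") if p else None,
        "message": m.group("rest"),
    }


def diagnose_expired_passwords(log_text):
    """Map each client principal that hit CLIENT KEY EXPIRED to the outcome of
    its follow-up kadmin/changepw request:
      password-accepted    ISSUE for kadmin/changepw: the current password was right
      password-rejected    PREAUTH_FAILED for kadmin/changepw: the password really does not match
      preauth-pending      NEEDED_PREAUTH seen but no final outcome logged (yet)
      no-changepw-attempt  the client never asked for kadmin/changepw at all
    """
    events = [e for e in (parse_as_req(l) for l in log_text.splitlines()) if e]
    verdicts = {}
    for i, ev in enumerate(events):
        if ev["status"] != "CLIENT KEY EXPIRED":
            continue
        client = ev["client"]
        verdict = "no-changepw-attempt"
        for later in events[i + 1:]:
            if later["client"] != client:
                continue
            if not (later["service"] or "").startswith("kadmin/changepw"):
                continue
            if later["status"] == "NEEDED_PREAUTH":
                verdict = "preauth-pending"
                continue  # keep looking for the answer to the preauth challenge
            if later["status"] == "ISSUE":
                verdict = "password-accepted"
            elif later["status"] == "PREAUTH_FAILED":
                verdict = "password-rejected"
            else:
                verdict = "changepw-" + later["status"].lower().replace(" ", "-")
            break
        verdicts[client] = verdict
    return verdicts


if __name__ == "__main__":
    for client, verdict in diagnose_expired_passwords(SAMPLE_LOG).items():
        print(f"{client}: {verdict}")
```

Run against a real log with `diagnose_expired_passwords(open("/var/log/krb5kdc.log").read())`. A `password-rejected` verdict means the password sent to kadmin/changepw was wrong, which is what an LDAP simple bind with that password would also show; `no-changepw-attempt` points at the client side (for instance a kinit that gave up after the expiry message) rather than at the stored password.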