[Freeipa-users] Problem with Kerberos Authentication
Michael Kang
wxiluo at gmail.com
Thu Sep 24 03:02:57 UTC 2009
According to the FreeIPA Client Configure Guide, I realized I may have missed
something in my client's krb5.conf. It had been created by the
ipa-client-install script; I never edited it. But there are *no* *[realms]* and
*[domain_realm]* sections in the krb5.conf file.
So I added them, shown below:
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = ARAGON.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> ARAGON.LOCAL = {
> kdc = ipa.aragon.local:88
> admin_server = ipa.aragon.local:749
> default_domain = aragon.local
> }
>
> [domain_realm]
> .aragon.local = ARAGON.LOCAL
> aragon.local = ARAGON.LOCAL
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
It doesn't work with the new krb5.conf either:
*kinit(v5): Password change failed while getting initial credentials*
I'd like to post more detailed output. I hope it is helpful.
> [root@freeipa ~]# kinit admin
> Password for admin@ARAGON.LOCAL:
> [root@freeipa ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@ARAGON.LOCAL
>
> Valid starting     Expires            Service principal
> 09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/ARAGON.LOCAL@ARAGON.LOCAL
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root@freeipa ~]# ipa-finduser admin
> Full Name: Administrator
> Home Directory: /home/admin
> Login Shell: /bin/bash
> Login: admin
>
> [root@freeipa ~]# ipa-finduser haha
> Full Name: haha haha
> Home Directory: /home/haha
> Login Shell: /bin/sh
> Login: haha
>
Regards,
Michael
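As an added example (my own code, not from the original post and not part of FreeIPA or MIT Kerberos), here is a small Python checker that parses a krb5.conf of the shape posted above and reports the things kinit depends on: a [realms] entry for default_realm that lists a kdc and an admin_server or kpasswd_server (MIT kinit sends the forced password change to the kpasswd service, port 464, on the kpasswd_server host or, when that is not set, the admin_server host); a [domain_realm] mapping for the realm; and any krb4_convert = true left in [appdefaults]. When the [realms] stanza is absent and dns_lookup_kdc = true, the library instead locates the KDC and kpasswd server through DNS SRV records, so an unauthenticated DNS answer decides which host the client talks to; pinning the servers in [realms] removes that dependency. The embedded configuration is the one posted above, marked as a constructed sample; section and key names follow the MIT krb5.conf format, while the check messages and function names are my own.

```python
"""Added example: parse a client krb5.conf and report what kinit would miss."""
from __future__ import annotations

import re
from typing import Any

# Constructed sample: the client krb5.conf posted above, including the
# [realms] and [domain_realm] sections the poster added by hand.
SAMPLE_KRB5_CONF = """\
#File modified by ipa-client-install
[libdefaults]
 default_realm = ARAGON.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 ARAGON.LOCAL = {
  kdc = ipa.aragon.local:88
  admin_server = ipa.aragon.local:749
  default_domain = aragon.local
 }
[domain_realm]
 .aragon.local = ARAGON.LOCAL
 aragon.local = ARAGON.LOCAL
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
"""


def is_true(value: Any) -> bool:
    """krb5.conf booleans: true/yes/1 (case-insensitive)."""
    return str(value).lower() in ("true", "yes", "1")


def parse_krb5_conf(text: str) -> dict[str, dict[str, Any]]:
    """Parse krb5.conf's INI-with-braces syntax into nested dicts.
    A repeated key (e.g. several kdc = lines) becomes a list; unbalanced
    braces or a line that is not key = value raise ValueError."""
    sections: dict[str, dict[str, Any]] = {}
    stack: list[dict[str, Any]] = []  # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"not a key = value line: {line!r}")
        if value == "{":  # open a nested block such as REALM = { ... }
            block = stack[-1][key] = {}
            stack.append(block)
        elif key in stack[-1]:
            prev = stack[-1][key]
            stack[-1][key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unbalanced '{'")
    return sections


def check_client_config(conf: dict[str, dict[str, Any]]) -> list[str]:
    """Return the problems a client would hit running kinit with this config."""
    problems: list[str] = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    entry = conf.get("realms", {}).get(realm)
    if entry is None:
        how = ("KDC and kpasswd lookup then rely entirely on DNS SRV records"
               if is_true(libdefaults.get("dns_lookup_kdc", "false"))
               else "dns_lookup_kdc is off, so kinit cannot locate a KDC")
        problems.append(f"[realms] has no {realm} entry; {how}")
    else:
        if "kdc" not in entry:
            problems.append(f"[realms] {realm} lists no kdc")
        if "admin_server" not in entry and "kpasswd_server" not in entry:
            problems.append(f"[realms] {realm} lists neither admin_server nor "
                            "kpasswd_server, so a password change has nowhere to go")
    if realm not in conf.get("domain_realm", {}).values():
        problems.append(f"[domain_realm] maps no DNS domain to {realm}")
    for app, block in conf.get("appdefaults", {}).items():
        if isinstance(block, dict) and is_true(block.get("krb4_convert", "false")):
            problems.append(f"[appdefaults] {app} sets krb4_convert = true (Kerberos 4)")
    return problems
```

Run `check_client_config(parse_krb5_conf(SAMPLE_KRB5_CONF))` to get an empty list for the amended file; drop the realms and domain_realm sections from the parsed result (the shape of the file before the edit) and the checker names the two missing stanzas. The parser is deliberately strict about braces, since a stray `}` in a hand-edited krb5.conf is the kind of mistake the library reports only as a generic configuration error.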
On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxiluo at gmail.com> wrote:
> Here is the client's krb5.conf:
>
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = ARAGON.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> EOF
>
>
> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>
>> Michael Kang wrote:
>>
>>> Dear FreeIPA community,
>>>
>>> I did try setting the new user's initial password. But it didn't work either.
>>> I got a protocol error.
>>>
>>> Here is the output of console :
>>>
>>> [root@freeipa ~]# kinit admin
>>> Password for admin@ARAGON.LOCAL:
>>> [root@freeipa ~]# ipa-passwd haha
>>> Changing password for haha@ARAGON.LOCAL
>>> New Password:
>>> Confirm Password:
>>> [root@freeipa ~]# kinit haha
>>> Password for haha@ARAGON.LOCAL:
>>> Password expired. You must change it now.
>>> Enter new password:
>>> Enter it again:
>>> kinit(v5): Requested protocol version not supported while getting initial credentials
>>>
>>>
>> Sounds like, a Kerberos V4 request was sent to the KDC? What's in the
>> client's krb5.conf?
>> Jenny
>>
>>>
>>>
>>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>>
>>> Jenny Galipeau wrote:
>>>
>>>
>>> Michael Kang wrote:
>>>
>>> Dear FreeIPA community,
>>>
>>> I successfully installed FreeIPA this morning. Now I have a
>>> problem with Kerberos authentication. New users cannot
>>> modify their password in the shell.
>>>
>>> Hi Michael:
>>> Did you set the new user's initial password?
>>> kinit admin
>>> ipa passwd haha
>>> Thanks
>>> Jenny
>>>
>>> Also kinit as haha, because haha will be asked to change the
>>> password on first authentication.
>>>
>>> Thanks
>>> Jenny
>>>
>>>
>>> I added a new user named haha (group: ipauser) via the
>>> web UI. This user is not an existing system user. Then I
>>> added a new delegation (allowing people in group ipauser to
>>> modify passwords for group ipauser).
>>>
>>> [michael@freeipa Desktop]$ su - haha
>>> Password:
>>>
>>> Warning: Your password will expire in less than one hour.
>>> Warning: password has expired.
>>> Kerberos 5 Password:
>>> Warning: Your password will expire in less than one hour.
>>> New UNIX password:
>>> Retype new UNIX password:
>>> su: incorrect password
>>> [michael@freeipa Desktop]$ su - root
>>> Password:
>>> [root@freeipa ~]# su - haha
>>> su: warning: cannot change directory to /home/haha: No such file or directory
>>> -sh-3.2$
>>>
>>>
>>> Root can su - haha successfully. I think that means
>>> Kerberos works, but new users cannot reset their password
>>> in their shell.
>>>
>>> What should I do?
>>>
>>> Best Regards,
>>> Michael
>>>
>>> -- Michael Kang(康上明学)
>>> There is a giant asleep within every man. When the giant
>>> awakens,miracles happen.
>>>
>>> Personal blog: http://ufusion.org - United Fusion
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Jenny Galipeau <jgalipea at redhat.com>
>>> Principal Software QA Engineer
>>> Red Hat, Inc. Security Engineering
>>>
--
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles
happen.
Personal blog: http://ufusion.org - United Fusion