[Freeipa-users] Problem with Kerberos Authentication

Michael Kang wxiluo at gmail.com
Thu Sep 24 03:02:57 UTC 2009


According to the FreeIPA Client Configure Guide, I realized I may have missed
something in my client's krb5.conf. It had been created by the
ipa-client-install script. I never edited it. But there are *no* *[realms]* and
*[domain_realm]* in the krb5.conf file.

So I added them, as shown below:

> #File modified by ipa-client-install
>
> [libdefaults]
>   default_realm = ARAGON.LOCAL
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
> ARAGON.LOCAL = {
>     kdc = ipa.aragon.local:88
>     admin_server = ipa.aragon.local:749
>     default_domain = aragon.local
>     }
>
> [domain_realm]
> .aragon.local = ARAGON.LOCAL
> aragon.local = ARAGON.LOCAL
>
> [appdefaults]
>   pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>   }
>

It doesn't work with the new krb5.conf either.
*kinit(v5): Password change failed while getting initial credentials*

I'd like to post more detailed output. Hope it could be helpful.

> [root at freeipa ~]# kinit admin
> Password for admin at ARAGON.LOCAL:
> [root at freeipa ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at ARAGON.LOCAL
>
> Valid starting     Expires            Service principal
> 09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/ARAGON.LOCAL at ARAGON.LOCAL
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at freeipa ~]# ipa-finduser admin
> Full Name: Administrator
> Home Directory: /home/admin
> Login Shell: /bin/bash
> Login: admin
>
> [root at freeipa ~]# ipa-finduser haha
> Full Name: haha haha
> Home Directory: /home/haha
> Login Shell: /bin/sh
> Login: haha
>

Regards,
Michael

On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxiluo at gmail.com> wrote:

> Here is client's krb5.conf:
>
> #File modified by ipa-client-install
>>
>> [libdefaults]
>>   default_realm = ARAGON.LOCAL
>>   dns_lookup_realm = true
>>   dns_lookup_kdc = true
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [appdefaults]
>>   pam = {
>>     debug = false
>>     ticket_lifetime = 36000
>>     renew_lifetime = 36000
>>     forwardable = true
>>     krb4_convert = false
>>   }
>>
>
> EOF
>
>
> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>
>> Michael Kang wrote:
>>
>>> Dear FreeIPA community,
>>>
>>> I did try to set the new user's initial password. But it didn't work either.
>>> I got a protocol error.
>>>
>>> Here is the output of console :
>>>
>>>    [root at freeipa ~]# kinit admin
>>>    Password for admin at ARAGON.LOCAL:
>>>    [root at freeipa ~]# ipa-passwd haha
>>>    Changing password for haha at ARAGON.LOCAL
>>>    New Password:
>>>    Confirm Password:
>>>    [root at freeipa ~]# kinit haha
>>>    Password for haha at ARAGON.LOCAL:
>>>    Password expired. You must change it now.
>>>    Enter new password:
>>>    Enter it again:
>>>    kinit(v5): Requested protocol version not supported while getting
>>>    initial credentials
>>>
>>>
>> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
>> client's krb5.conf?
>> Jenny
>>
>>>
>>>
>>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>>
>>>    Jenny Galipeau wrote:
>>>
>>>
>>>        Michael Kang wrote:
>>>
>>>            Dear FreeIPA community,
>>>
>>>            I successfully installed FreeIPA this morning. Now I have a
>>>            problem with Kerberos authentication. A new user cannot
>>>            modify their password in the shell.
>>>
>>>        Hi Michael:
>>>        Did you set the new user's initial password?
>>>        kinit admin
>>>        ipa passwd haha
>>>        Thanks
>>>        Jenny
>>>
>>>    Also kinit as haha, because haha will be asked to change the
>>>    password on first authentication.
>>>
>>>    Thanks
>>>    Jenny
>>>
>>>
>>>            I added a new user named /haha (group: ipauser)/ based on
>>>            the webUI. This user is not an existing system user. Then I
>>>            added a new Delegation (allow people in group ipauser to
>>>            modify passwords for group ipauser).
>>>
>>>            /[michael at freeipa Desktop]$ su - haha/
>>>            /Password: /
>>>
>>>            /Warning: Your password will expire in less than one hour./
>>>            /Warning: password has expired./
>>>            /Kerberos 5 Password: /
>>>            /Warning: Your password will expire in less than one hour./
>>>            /New UNIX password: /
>>>            /Retype new UNIX password: /
>>>            /su: incorrect password/
>>>            /[michael at freeipa Desktop]$ su - root/
>>>            /Password: /
>>>            /[root at freeipa ~]# su - haha/
>>>            /su: warning: cannot change directory to /home/haha: No
>>>            such file
>>>            or directory/
>>>            /-sh-3.2$ /
>>>
>>>
>>>            Root can su - haha successfully. I think that means
>>>            Kerberos works, but the new user cannot reset their password
>>>            in their shell.
>>>
>>>            What should I do?
>>>
>>>            Best Regards,
>>>            Michael
>>>
>>>            --            Michael Kang(康上明学)
>>>            There is a giant asleep within every man. When the giant
>>>            awakens, miracles happen.
>>>
>>>            Personal blog: http://ufusion.org - United Fusion
>>>
>>>  ------------------------------------------------------------------------
>>>
>>>            _______________________________________________
>>>            Freeipa-users mailing list
>>>            Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>            https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>>
>>>
>>>
>>>    --    Jenny Galipeau <jgalipea at redhat.com>
>>>    Principal Software QA Engineer
>>>    Red Hat, Inc. Security Engineering
>>>
>>>
>>>
>>>
>>> --
>>> Michael Kang(康上明学)
>>> There is a giant asleep within every man. When the giant awakens, miracles
>>> happen.
>>>
>>> Personal blog: http://ufusion.org - United Fusion
>>>
>>
>>
>> --
>> Jenny Galipeau <jgalipea at redhat.com>
>> Principal Software QA Engineer
>> Red Hat, Inc. Security Engineering
>>
>>
>
>
> --
> Michael Kang(康上明学)
> There is a giant asleep within every man. When the giant awakens, miracles
> happen.
>
> Personal blog: http://ufusion.org - United Fusion
>



-- 
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens, miracles
happen.

Personal blog: http://ufusion.org - United Fusion
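Added example, not from the thread or the FreeIPA project: a small Python checker for the gap described above, which parses a krb5.conf and reports a missing [realms] or [domain_realm] section, a default_realm with no matching realm block, and a domain mapped to an unknown realm. It handles only the subset of krb5.conf syntax shown in this thread (an assumption), and the sample file is constructed to match the client file as ipa-client-install wrote it.

```python
import re
# Constructed sample in the shape ipa-client-install produced here: no [realms].
CLIENT_CONF = """#File modified by ipa-client-install
[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
[appdefaults]
  pam = {
    debug = false
  }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'name = { ... }' block becomes a nested dict."""
    conf, stack = {}, [{}]   # stack[0] is a scratch dict for lines before any section
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:                                   # start of a new [section]
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == '}' and len(stack) > 1:      # end of a nested block
            stack.pop()
            continue
        key, _, value = (s.strip() for s in line.partition('='))
        if value == '{':                        # start of a nested block
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf

def check_realm_config(text):
    """Report the gaps a Kerberos client admin would want flagged before running kinit."""
    conf = parse_krb5_conf(text)
    realms = conf.get('realms', {})
    default_realm = conf.get('libdefaults', {}).get('default_realm')
    problems = []
    if 'realms' not in conf:
        problems.append('missing [realms] section')
    if 'domain_realm' not in conf:
        problems.append('missing [domain_realm] section')
    if default_realm and default_realm not in realms:
        problems.append('default_realm %s has no [realms] entry' % default_realm)
    for domain, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:
            problems.append('%s maps to unknown realm %s' % (domain, realm))
    return problems
```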