[Freeipa-users] Problem with Kerberos Authentication
David O'Brien
davido at redhat.com
Thu Sep 24 03:13:12 UTC 2009
Michael,
did you restart the kdc after you updated the krb5.conf file?
David
Michael Kang wrote:
> According to the FreeIPA Client Configure Guide, I realized I may have missed
> something in my client's krb5.conf. It had been created by the
> ipa-client-install script. I never edited it. But there are *no* *[realms]* and
> *[domain_realm]* sections in the krb5.conf file.
>
> So I added them, as shown below:
>
>
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>> default_realm = ARAGON.LOCAL
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> ARAGON.LOCAL = {
>> kdc = ipa.aragon.local:88
>> admin_server = ipa.aragon.local:749
>> default_domain = aragon.local
>> }
>>
>> [domain_realm]
>> .aragon.local = ARAGON.LOCAL
>> aragon.local = ARAGON.LOCAL
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>>
>
> It doesn't work with the new krb5.conf either:
> *kinit(v5): Password change failed while getting initial credentials*
>
> I'd like to post more detailed output. I hope it is helpful.
>
>
>> [root at freeipa ~]# kinit admin
>> Password for admin at ARAGON.LOCAL:
>> [root at freeipa ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at ARAGON.LOCAL
>>
>> Valid starting     Expires            Service principal
>> 09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/ARAGON.LOCAL at ARAGON.LOCAL
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root at freeipa ~]# ipa-finduser admin
>> Full Name: Administrator
>> Home Directory: /home/admin
>> Login Shell: /bin/bash
>> Login: admin
>>
>> [root at freeipa ~]# ipa-finduser haha
>> Full Name: haha haha
>> Home Directory: /home/haha
>> Login Shell: /bin/sh
>> Login: haha
>>
>>
>
> Regards,
> Michael
>
> On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxiluo at gmail.com> wrote:
>
>
>> Here is client's krb5.conf:
>>
>> #File modified by ipa-client-install
>>
>>> [libdefaults]
>>> default_realm = ARAGON.LOCAL
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>>
>>> [appdefaults]
>>> pam = {
>>> debug = false
>>> ticket_lifetime = 36000
>>> renew_lifetime = 36000
>>> forwardable = true
>>> krb4_convert = false
>>> }
>>>
>>>
>> EOF
>>
>>
>> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>
>>
>>> Michael Kang wrote:
>>>
>>>
>>>> Dear FreeIPA community,
>>>>
>>>> I did try setting the new user's initial password. But it didn't work either.
>>>> I got a protocol error.
>>>>
>>>> Here is the console output:
>>>>
>>>> [root at freeipa ~]# kinit admin
>>>> Password for admin at ARAGON.LOCAL:
>>>> [root at freeipa ~]# ipa-passwd haha
>>>> Changing password for haha at ARAGON.LOCAL
>>>> New Password:
>>>> Confirm Password:
>>>> [root at freeipa ~]# kinit haha
>>>> Password for haha at ARAGON.LOCAL:
>>>> Password expired. You must change it now.
>>>> Enter new password:
>>>> Enter it again:
>>>> kinit(v5): Requested protocol version not supported while getting
>>>> initial credentials
>>>>
>>>>
>>>>
>>> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
>>> client's krb5.conf?
>>> Jenny
>>>
>>>
>>>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>>>
>>>> Jenny Galipeau wrote:
>>>>
>>>>
>>>> Michael Kang wrote:
>>>>
>>>> Dear FreeIPA community,
>>>>
>>>> I successfully installed FreeIPA this morning. Now I got a
>>>> problem about Kerberos Authentication. New user cannot
>>>> modify their password in shell.
>>>>
>>>> Hi Michael:
>>>> Did you set the new user's initial password?
>>>> kinit admin
>>>> ipa passwd haha
>>>> Thanks
>>>> Jenny
>>>>
>>>> Also kinit as haha, because haha will be asked to change the
>>>> password on first authentication.
>>>>
>>>> Thanks
>>>> Jenny
>>>>
>>>>
>>>> I added a new user named /haha/ (group: ipauser) via the web UI.
>>>> This user is not an existing system user. Then I added a new
>>>> Delegation (allowing people in group ipauser to modify the
>>>> password for group ipauser).
>>>>
>>>> [michael at freeipa Desktop]$ su - haha
>>>> Password:
>>>>
>>>> Warning: Your password will expire in less than one hour.
>>>> Warning: password has expired.
>>>> Kerberos 5 Password:
>>>> Warning: Your password will expire in less than one hour.
>>>> New UNIX password:
>>>> Retype new UNIX password:
>>>> su: incorrect password
>>>> [michael at freeipa Desktop]$ su - root
>>>> Password:
>>>> [root at freeipa ~]# su - haha
>>>> su: warning: cannot change directory to /home/haha: No such file or directory
>>>> -sh-3.2$
>>>>
>>>>
>>>> Root can su - haha successfully. I think that means Kerberos
>>>> works, but a new user cannot reset their password in their shell.
>>>>
>>>> What should I do?
>>>>
>>>> Best Regards,
>>>> Michael
>>>>
>>>> -- Michael Kang(康上明学)
>>>> There is a giant asleep within every man. When the giant
>>>> awakens, miracles happen.
>>>>
>>>> Personal blog: http://ufusion.org - United Fusion
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> -- Jenny Galipeau <jgalipea at redhat.com>
>>>>
>>>> Principal Software QA Engineer
>>>> Red Hat, Inc. Security Engineering
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Michael Kang(康上明学)
>>>> There is a giant asleep within every man. When the giant awakens, miracles
>>>> happen.
>>>>
>>>> Personal blog: http://ufusion.org - United Fusion
>>>>
>>>>
>>> --
>>> Jenny Galipeau <jgalipea at redhat.com>
>>> Principal Software QA Engineer
>>> Red Hat, Inc. Security Engineering
>>>
>>>
>>>
>> --
>> Michael Kang(康上明学)
>> There is a giant asleep within every man. When the giant awakens, miracles
>> happen.
>>
>> Personal blog: http://ufusion.org - United Fusion
>>
>>
>
>
>
>
--
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189
"The most valuable of all talents is that of never using two words when
one will do."
Thomas Jefferson
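A small parser for the krb5.conf format discussed in this thread, with the check Michael applied by hand (does default_realm have a [realms] stanza with kdc and admin_server, and a [domain_realm] mapping?). This is an added example, not code from the thread or from FreeIPA; the ORIGINAL and FIXED strings are constructed from the two client configs posted above.

```python
import re
# Constructed from the two client krb5.conf versions posted in the thread.
ORIGINAL = """#File modified by ipa-client-install
[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_kdc = true
"""
FIXED = ORIGINAL + """[realms]
ARAGON.LOCAL = {
kdc = ipa.aragon.local:88
admin_server = ipa.aragon.local:749
}
[domain_realm]
.aragon.local = ARAGON.LOCAL
"""

def parse_krb5_conf(text):
    # Returns {section: {key: value}}; "key = { ... }" blocks become nested dicts.
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"^\[(\S+)\]$", line):      # a new [section] closes any open block
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":                             # end of a nested block
            block = None
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":                          # e.g. "ARAGON.LOCAL = {"
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def realm_problems(conf):
    # Lists what is missing for default_realm; an empty list means it is wired up.
    # With dns_lookup_kdc = true the KDC can still be found via DNS SRV records, so a
    # missing [realms] stanza is something to verify rather than a certain fault.
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    problems = []
    stanza = conf.get("realms", {}).get(realm)
    if stanza is None:
        problems.append(f"[realms] has no stanza for {realm}")
    else:
        problems += [f"[realms] {realm} lacks {k}" for k in ("kdc", "admin_server") if k not in stanza]
    if realm not in conf.get("domain_realm", {}).values():
        problems.append(f"[domain_realm] maps no domain to {realm}")
    return problems
```

Running `realm_problems(parse_krb5_conf(ORIGINAL))` reports the two missing sections, while the FIXED config yields an empty list.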