[Freeipa-users] Problem with Kerberos Authentication

David O'Brien davido at redhat.com
Thu Sep 24 03:13:12 UTC 2009


Michael,
did you restart the kdc after you updated the krb5.conf file?

David

Michael Kang wrote:
> According to the FreeIPA Client Configure Guide, I realized I may be missing
> something in my client's krb5.conf. It had been created by the
> ipa-client-install script; I never edited it. But there are *no* *[realms]* and
> *[domain_realm]* sections in the krb5.conf file.
>
> So I added them, shown below:
>
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>>   default_realm = ARAGON.LOCAL
>>   dns_lookup_realm = true
>>   dns_lookup_kdc = true
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>> ARAGON.LOCAL = {
>>     kdc = ipa.aragon.local:88
>>     admin_server = ipa.aragon.local:749
>>     default_domain = aragon.local
>>     }
>>
>> [domain_realm]
>> .aragon.local = ARAGON.LOCAL
>> aragon.local = ARAGON.LOCAL
>>
>> [appdefaults]
>>   pam = {
>>     debug = false
>>     ticket_lifetime = 36000
>>     renew_lifetime = 36000
>>     forwardable = true
>>     krb4_convert = false
>>   }
>>
>
> It doesn't work with the new krb5.conf either:
> *kinit(v5): Password change failed while getting initial credentials*
>
> I'd like to post more detailed output. Hope it helps.
>
>> [root@freeipa ~]# kinit admin
>> Password for admin@ARAGON.LOCAL:
>> [root@freeipa ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin@ARAGON.LOCAL
>>
>> Valid starting     Expires            Service principal
>> 09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/ARAGON.LOCAL@ARAGON.LOCAL
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root@freeipa ~]# ipa-finduser admin
>> Full Name: Administrator
>> Home Directory: /home/admin
>> Login Shell: /bin/bash
>> Login: admin
>>
>> [root@freeipa ~]# ipa-finduser haha
>> Full Name: haha haha
>> Home Directory: /home/haha
>> Login Shell: /bin/sh
>> Login: haha
>>
>
> Regards,
> Michael
>
> On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxiluo at gmail.com> wrote:
>
>> Here is client's krb5.conf:
>>
>> #File modified by ipa-client-install
>>> [libdefaults]
>>>   default_realm = ARAGON.LOCAL
>>>   dns_lookup_realm = true
>>>   dns_lookup_kdc = true
>>>   ticket_lifetime = 24h
>>>   forwardable = yes
>>>
>>> [appdefaults]
>>>   pam = {
>>>     debug = false
>>>     ticket_lifetime = 36000
>>>     renew_lifetime = 36000
>>>     forwardable = true
>>>     krb4_convert = false
>>>   }
>>>
>> EOF
>>
>>
>> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>
>>> Michael Kang wrote:
>>>
>>>> Dear FreeIPA community,
>>>>
>>>> I did try setting the new user's initial password. But it didn't work either.
>>>> I got a protocol error.
>>>>
>>>> Here is the output of console :
>>>>
>>>>    [root@freeipa ~]# kinit admin
>>>>    Password for admin@ARAGON.LOCAL:
>>>>    [root@freeipa ~]# ipa-passwd haha
>>>>    Changing password for haha@ARAGON.LOCAL
>>>>    New Password:
>>>>    Confirm Password:
>>>>    [root@freeipa ~]# kinit haha
>>>>    Password for haha@ARAGON.LOCAL:
>>>>    Password expired. You must change it now.
>>>>    Enter new password:
>>>>    Enter it again:
>>>>    kinit(v5): Requested protocol version not supported while getting
>>>>    initial credentials
>>>>
>>>>
>>> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
>>> client's krb5.conf?
>>> Jenny
>>>
>>>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>>>
>>>>    Jenny Galipeau wrote:
>>>>
>>>>
>>>>        Michael Kang wrote:
>>>>
>>>>            Dear FreeIPA community,
>>>>
>>>>            I successfully installed FreeIPA this morning. Now I have a
>>>>            problem with Kerberos authentication. New users cannot
>>>>            change their password in the shell.
>>>>
>>>>        Hi Michael:
>>>>        Did you set the new user's initial password?
>>>>        kinit admin
>>>>        ipa passwd haha
>>>>        Thanks
>>>>        Jenny
>>>>
>>>>    Also kinit as haha, because haha will be asked to change the
>>>>    password on first authentication.
>>>>
>>>>    Thanks
>>>>    Jenny
>>>>
>>>>
>>>>            I added a new user named haha (group: ipauser) through
>>>>            the web UI. This user is not an existing system user. Then I
>>>>            added a new delegation (allowing people in group ipauser to
>>>>            modify passwords for group ipauser).
>>>>
>>>>            [michael@freeipa Desktop]$ su - haha
>>>>            Password:
>>>>
>>>>            Warning: Your password will expire in less than one hour.
>>>>            Warning: password has expired.
>>>>            Kerberos 5 Password:
>>>>            Warning: Your password will expire in less than one hour.
>>>>            New UNIX password:
>>>>            Retype new UNIX password:
>>>>            su: incorrect password
>>>>            [michael@freeipa Desktop]$ su - root
>>>>            Password:
>>>>            [root@freeipa ~]# su - haha
>>>>            su: warning: cannot change directory to /home/haha: No such file or directory
>>>>            -sh-3.2$
>>>>
>>>>
>>>>            Root can su - haha successfully. I think that means
>>>>            Kerberos works, but a new user cannot reset their password
>>>>            from their own shell.
>>>>
>>>>            What should I do?
>>>>
>>>>            Best Regards,
>>>>            Michael
>>>>
>>>>            --
>>>>            Michael Kang(康上明学)
>>>>            There is a giant asleep within every man. When the giant
>>>>            awakens, miracles happen.
>>>>
>>>>            Personal blog: http://ufusion.org - United Fusion
>>>>
>>>>
>>>>            _______________________________________________
>>>>            Freeipa-users mailing list
>>>>            Freeipa-users at redhat.com
>>>>            https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>    --
>>>>    Jenny Galipeau <jgalipea at redhat.com>
>>>>    Principal Software QA Engineer
>>>>    Red Hat, Inc. Security Engineering
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
>


-- 

David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189

"The most valuable of all talents is that of never using two words when
one will do."
    Thomas Jefferson 
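The thread turns on a client krb5.conf that ipa-client-install left without [realms] and [domain_realm] sections, relying on dns_lookup_kdc for KDC discovery, and on kinit failing while trying to change an expired password. The following is an added example, not code from the thread or from the FreeIPA project: a small parser for the MIT krb5.conf format (bracketed sections, `key = value` lines, and `NAME = { ... }` blocks as used under [realms] and [appdefaults]) plus a checker that reports exactly the gaps discussed above: no [realms] stanza for default_realm, no kdc in it, no admin_server or kpasswd_server for the password-change step, and no [domain_realm] mapping. The two embedded configs are constructed from the ones quoted in the thread; it only inspects the file and says nothing about whether the KDC or kpasswd service actually answers.

```python
"""krb5.conf sanity check for a FreeIPA client (added example, not from the thread)."""
import re
from typing import Any, Dict, List, Optional

# Constructed sample: the client's krb5.conf as first posted in the thread,
# with no [realms] or [domain_realm] section.
ORIGINAL_CONF = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
[appdefaults]
  pam = {
    debug = false
    forwardable = true
    krb4_convert = false
  }
"""

# Constructed sample: the same file after the two sections were added.
FIXED_CONF = ORIGINAL_CONF + """\
[realms]
ARAGON.LOCAL = {
    kdc = ipa.aragon.local:88
    admin_server = ipa.aragon.local:749
    default_domain = aragon.local
    }
[domain_realm]
.aragon.local = ARAGON.LOCAL
aragon.local = ARAGON.LOCAL
"""

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KEYVAL = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse the MIT krb5.conf format into {section: {key: value}}.

    `NAME = { ... }` blocks become nested dicts; a key that repeats
    (e.g. several kdc lines) becomes a list of values.
    """
    conf: Dict[str, Dict[str, Any]] = {}
    section: Optional[Dict[str, Any]] = None
    stack: List[Dict[str, Any]] = []  # currently open { } blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = _SECTION.match(line)
        if m and not stack:
            section = conf.setdefault(m.group(1), {})
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
            continue
        m = _KEYVAL.match(line)
        if section is None or not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        target = stack[-1] if stack else section
        if value == "{":
            target[key] = {}
            stack.append(target[key])
        elif key in target:
            prev = target[key]
            target[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            target[key] = value
    if stack:
        raise ValueError("unterminated '{' block in krb5.conf")
    return conf


def check_client_conf(conf: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return the configuration gaps a client like the one in the thread shows."""
    problems: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "false")).lower() in ("true", "yes", "1")
    stanza = conf.get("realms", {}).get(realm)
    if not isinstance(stanza, dict):
        problems.append(f"no [realms] stanza for {realm}"
                        + (" (only DNS SRV lookup can locate the KDC)" if dns_kdc else ""))
    else:
        if "kdc" not in stanza:
            problems.append(f"[realms] {realm} lists no kdc")
        if "admin_server" not in stanza and "kpasswd_server" not in stanza:
            # kinit needs one of these (or a DNS record) to change an
            # expired password during initial authentication.
            problems.append(f"[realms] {realm} has neither admin_server nor kpasswd_server")
    if realm not in conf.get("domain_realm", {}).values():
        problems.append(f"[domain_realm] maps no domain to {realm}")
    return problems


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        gaps = check_client_conf(parse_krb5_conf(text))
        print(f"{name}: " + ("; ".join(gaps) if gaps else "ok"))
```

Run it against a real client with `check_client_conf(parse_krb5_conf(open("/etc/krb5.conf").read()))`; the original config reports the two missing sections, the fixed one reports nothing. Keys and values are kept as strings on purpose, so a repeated `kdc` line shows up as a list rather than silently overwriting the first entry.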



