[Freeipa-users] Problem with Kerberos Authentication
Michael Kang
wxiluo at gmail.com
Thu Sep 24 03:18:08 UTC 2009
Hi David,
I rebooted the system after I edited the configuration file.
Regards,
Michael
On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien <davido at redhat.com> wrote:
> Michael,
> did you restart the kdc after you updated the krb5.conf file?
>
> David
>
> Michael Kang wrote:
>
>> According to the FreeIPA Client Configure Guide, I realized I may have missed
>> something in my client's krb5.conf. It had been created by the
>> ipa-client-install script. I never edited it. But there are *no* *[realms]*
>> and *[domain_realm]* sections in the krb5.conf file.
>>
>> So I added them, as shown below:
>>
>>
>>
>>> #File modified by ipa-client-install
>>>
>>> [libdefaults]
>>> default_realm = ARAGON.LOCAL
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>>
>>> [realms]
>>> ARAGON.LOCAL = {
>>> kdc = ipa.aragon.local:88
>>> admin_server = ipa.aragon.local:749
>>> default_domain = aragon.local
>>> }
>>>
>>> [domain_realm]
>>> .aragon.local = ARAGON.LOCAL
>>> aragon.local = ARAGON.LOCAL
>>>
>>> [appdefaults]
>>> pam = {
>>> debug = false
>>> ticket_lifetime = 36000
>>> renew_lifetime = 36000
>>> forwardable = true
>>> krb4_convert = false
>>> }
>>>
>>>
>>>
>>
>> It doesn't work with the new krb5.conf either.
>> *kinit(v5): Password change failed while getting initial credentials*
>>
>> I'd like to post more detailed output. I hope it is helpful.
>>
>>
>>
>>> [root at freeipa ~]# kinit admin
>>> Password for admin at ARAGON.LOCAL:
>>> [root at freeipa ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin at ARAGON.LOCAL
>>>
>>> Valid starting Expires Service principal
>>> 09/23/09 22:52:57 09/24/09 22:52:58 krbtgt/ARAGON.LOCAL at ARAGON.LOCAL
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>> [root at freeipa ~]# ipa-finduser admin
>>> Full Name: Administrator
>>> Home Directory: /home/admin
>>> Login Shell: /bin/bash
>>> Login: admin
>>>
>>> [root at freeipa ~]# ipa-finduser haha
>>> Full Name: haha haha
>>> Home Directory: /home/haha
>>> Login Shell: /bin/sh
>>> Login: haha
>>>
>>>
>>>
>>
>> Regards,
>> Michael
>>
>> On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxiluo at gmail.com> wrote:
>>
>>
>>
>>> Here is client's krb5.conf:
>>>
>>> #File modified by ipa-client-install
>>>
>>>
>>>> [libdefaults]
>>>> default_realm = ARAGON.LOCAL
>>>> dns_lookup_realm = true
>>>> dns_lookup_kdc = true
>>>> ticket_lifetime = 24h
>>>> forwardable = yes
>>>>
>>>> [appdefaults]
>>>> pam = {
>>>> debug = false
>>>> ticket_lifetime = 36000
>>>> renew_lifetime = 36000
>>>> forwardable = true
>>>> krb4_convert = false
>>>> }
>>>>
>>>>
>>>>
>>> EOF
>>>
>>>
>>> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>>
>>>
>>>
>>>> Michael Kang wrote:
>>>>
>>>>
>>>>
>>>>> Dear FreeIPA community,
>>>>>
>>>>> I did try setting the new user's initial password, but it didn't work
>>>>> either. I got a protocol error.
>>>>>
>>>>> Here is the console output:
>>>>>
>>>>> [root at freeipa ~]# kinit admin
>>>>> Password for admin at ARAGON.LOCAL:
>>>>> [root at freeipa ~]# ipa-passwd haha
>>>>> Changing password for haha at ARAGON.LOCAL
>>>>> New Password:
>>>>> Confirm Password:
>>>>> [root at freeipa ~]# kinit haha
>>>>> Password for haha at ARAGON.LOCAL:
>>>>> Password expired. You must change it now.
>>>>> Enter new password:
>>>>> Enter it again:
>>>>> kinit(v5): Requested protocol version not supported while getting
>>>>> initial credentials
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
>>>> client's krb5.conf?
>>>> Jenny
>>>>
>>>>
>>>>
>>>>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>>>>
>>>>> Jenny Galipeau wrote:
>>>>>
>>>>>
>>>>> Michael Kang wrote:
>>>>>
>>>>> Dear FreeIPA community,
>>>>>
>>>>> I successfully installed FreeIPA this morning. Now I have a
>>>>> problem with Kerberos authentication. New users cannot
>>>>> change their password in the shell.
>>>>>
>>>>> Hi Michael:
>>>>> Did you set the new user's initial password?
>>>>> kinit admin
>>>>> ipa passwd haha
>>>>> Thanks
>>>>> Jenny
>>>>>
>>>>> Also kinit as haha, because haha will be asked to change the
>>>>> password on first authentication.
>>>>>
>>>>> Thanks
>>>>> Jenny
>>>>>
>>>>>
>>>>> I added a new user named /haha (group: ipauser)/ via
>>>>> the web UI. This user is not an existing system user. Then I
>>>>> added a new delegation (allowing people in group ipauser to
>>>>> modify passwords for group ipauser).
>>>>>
>>>>> [michael at freeipa Desktop]$ su - haha
>>>>> Password:
>>>>>
>>>>> Warning: Your password will expire in less than one hour.
>>>>> Warning: password has expired.
>>>>> Kerberos 5 Password:
>>>>> Warning: Your password will expire in less than one hour.
>>>>> New UNIX password:
>>>>> Retype new UNIX password:
>>>>> su: incorrect password
>>>>> [michael at freeipa Desktop]$ su - root
>>>>> Password:
>>>>> [root at freeipa ~]# su - haha
>>>>> su: warning: cannot change directory to /home/haha: No such file or directory
>>>>> -sh-3.2$
>>>>>
>>>>>
>>>>> Root can su - haha successfully. I think that means
>>>>> Kerberos works, but the new user cannot reset their password
>>>>> in their shell.
>>>>>
>>>>> What should I do?
>>>>>
>>>>> Best Regards,
>>>>> Michael
>>>>>
>>>>> -- Michael Kang(康上明学)
>>>>> There is a giant asleep within every man. When the giant
>>>>> awakens, miracles happen.
>>>>>
>>>>> Personal blog: http://ufusion.org - United Fusion
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Jenny Galipeau <jgalipea at redhat.com>
>>>>> Principal Software QA Engineer
>>>>> Red Hat, Inc. Security Engineering
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
> --
>
> David O'Brien
> IPA Content Author
> Red Hat Asia Pacific
> +61 7 3514 8189
>
> "The most valuable of all talents is that of never using two words when
> one will do."
> Thomas Jefferson
>
--
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org - United Fusion
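The thread turns on a client krb5.conf that had no [realms] or [domain_realm] sections, leaving KDC and kpasswd discovery entirely to DNS SRV records. Below is an added diagnostic script (not from the thread or from FreeIPA) that parses the krb5.conf stanza format, including the brace-delimited realm blocks, and reports exactly that kind of gap; the embedded sample config is a constructed copy of the first one posted in the thread, and the tag names checked are the standard MIT krb5 ones.

```python
import re
# Constructed sample: the client krb5.conf as first posted, still missing [realms] and [domain_realm].
BROKEN_KRB5_CONF = """\
[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {tag: value or nested dict}}; handles 'TAG = { ... }' blocks."""
    sections, stack = {}, [{}]  # stack[0] is a throwaway dict for text before any section header
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                                 # new top-level section
            stack = [sections.setdefault(m.group(1), {})]
        elif line == "}":
            if len(stack) > 1:
                stack.pop()                   # close the current subsection
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                  # open a subsection, e.g. ARAGON.LOCAL = {
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections

def check_krb5_conf(text):
    """Return findings about realm/KDC settings; an empty list means the config looks complete."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    findings = []
    entry = conf.get("realms", {}).get(realm)
    entry = entry if isinstance(entry, dict) else {}
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")  # MIT default is true
    how = "relies on DNS SRV records to find it" if dns_kdc else "has no way to locate it"
    for tag in ("kdc", "admin_server"):
        if tag not in entry:
            findings.append(f"[realms] {realm} has no {tag}: client {how}")
    if realm not in conf.get("domain_realm", {}).values():
        findings.append(f"no [domain_realm] mapping to {realm}")
    return findings
```

Running check_krb5_conf on the sample lists the missing kdc, admin_server and domain_realm mapping; appending the [realms] and [domain_realm] stanzas from the thread clears all findings.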