[Freeipa-users] Problem with Kerberos Authentication
Jenny Galipeau
jgalipea at redhat.com
Thu Sep 24 12:41:54 UTC 2009
Hi Michael:
Let's rule in or out the delegation you added. Can you remove the
delegation and try it? If it works, I think we may have a bug. If it
behaves the same, if you could provide more debug info that would be great.
Thanks
Jenny
Michael Kang wrote:
> Hi David,
>
> I rebooted the system after I edited the configuration file.
>
> Regards,
> Michael
>
> On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien <davido at redhat.com> wrote:
>
> Michael,
> did you restart the kdc after you updated the krb5.conf file?
>
> David
>
> Michael Kang wrote:
>
> According to the FreeIPA Client Configuration Guide, I realized I may
> be missing something in my client's krb5.conf. It had been created by
> the ipa-client-install script; I never edited it. But there are *no*
> *[realms]* and *[domain_realm]* sections in the krb5.conf file.
>
> So I added them, shown below:
>
>
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = ARAGON.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> ARAGON.LOCAL = {
> kdc = ipa.aragon.local:88
> admin_server = ipa.aragon.local:749
> default_domain = aragon.local
> }
>
> [domain_realm]
> .aragon.local = ARAGON.LOCAL
> aragon.local = ARAGON.LOCAL
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
>
> It doesn't work with the new krb5.conf either:
> *kinit(v5): Password change failed while getting initial credentials*
>
> I'd like to post more detailed output. Hope it could be helpful.
>
>
> [root at freeipa ~]# kinit admin
> Password for admin at ARAGON.LOCAL:
> [root at freeipa ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at ARAGON.LOCAL
>
> Valid starting       Expires              Service principal
> 09/23/09 22:52:57    09/24/09 22:52:58    krbtgt/ARAGON.LOCAL at ARAGON.LOCAL
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at freeipa ~]# ipa-finduser admin
> Full Name: Administrator
> Home Directory: /home/admin
> Login Shell: /bin/bash
> Login: admin
>
> [root at freeipa ~]# ipa-finduser haha
> Full Name: haha haha
> Home Directory: /home/haha
> Login Shell: /bin/sh
> Login: haha
>
>
>
> Regards,
> Michael
>
> On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang <wxiluo at gmail.com> wrote:
>
>
> Here is client's krb5.conf:
>
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = ARAGON.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
> EOF
>
>
> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>
>
> Michael Kang wrote:
>
>
> Dear FreeIPA community,
>
> I did try setting the new user's initial password. But it didn't work
> either; I got a protocol error.
>
> Here is the console output:
>
> [root at freeipa ~]# kinit admin
> Password for admin at ARAGON.LOCAL:
> [root at freeipa ~]# ipa-passwd haha
> Changing password for haha at ARAGON.LOCAL
> New Password:
> Confirm Password:
> [root at freeipa ~]# kinit haha
> Password for haha at ARAGON.LOCAL:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Requested protocol version not supported while getting initial credentials
>
>
>
> Sounds like a Kerberos V4 request was sent to the KDC? What's in the
> client's krb5.conf?
> Jenny
>
>
> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>
> Jenny Galipeau wrote:
>
>
> Michael Kang wrote:
>
> Dear FreeIPA community,
>
> I successfully installed FreeIPA this morning. Now I have a problem
> with Kerberos authentication: new users cannot change their password
> in the shell.
>
> Hi Michael:
> Did you set the new user's initial password?
> kinit admin
> ipa passwd haha
> Thanks
> Jenny
>
> Also kinit as haha, because haha will be asked to
> change the
> password on first authentication.
>
> Thanks
> Jenny
>
>
> I added a new user named /haha/ (group: ipauser) via the web UI. This
> user is not an existing system user. Then I added a new Delegation
> (allowing people in group ipauser to modify passwords for group ipauser).
>
> [michael at freeipa Desktop]$ su - haha
> Password:
>
> Warning: Your password will expire in less than one hour.
> Warning: password has expired.
> Kerberos 5 Password:
> Warning: Your password will expire in less than one hour.
> New UNIX password:
> Retype new UNIX password:
> su: incorrect password
> [michael at freeipa Desktop]$ su - root
> Password:
> [root at freeipa ~]# su - haha
> su: warning: cannot change directory to /home/haha: No such file or directory
> -sh-3.2$
>
>
> Root can su - haha successfully. I think that means Kerberos works,
> but new users cannot reset their password in their shell.
>
> What should I do?
>
> Best Regards,
> Michael
>
> -- Michael Kang(康上明学)
> There is a giant asleep within every man. When the
> giant
> awakens,miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>
> -- Jenny Galipeau <jgalipea at redhat.com>
> Principal Software QA Engineer
> Red Hat, Inc. Security Engineering
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> --
>
> David O'Brien
> IPA Content Author
> Red Hat Asia Pacific
> +61 7 3514 8189
>
> "The most valuable of all talents is that of never using two words
> when
> one will do."
> Thomas Jefferson
>
>
>
>
--
Jenny Galipeau <jgalipea at redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
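An added example, not code from this thread or from FreeIPA: a small Python check of the client-side krb5.conf discussed above. It parses the two configs Michael posted (the ipa-client-install output without [realms]/[domain_realm], and the hand-edited one) and reports whether the default realm can be resolved to a KDC and to an admin/kpasswd server, either from an explicit [realms] entry or, when dns_lookup_kdc is true (MIT's documented default), from DNS SRV records, which is why ipa-client-install can leave those sections out. It also reports a missing [domain_realm] mapping. The parser, the check names and the messages are this example's own; it never contacts a KDC, so it cannot reproduce the kinit error itself.

```python
import re

# Sample configs copied from the thread: the ipa-client-install output
# (no [realms]/[domain_realm]) and the hand-edited version built from it.
ORIGINAL_CONF = """\
#File modified by ipa-client-install
[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
"""

FIXED_CONF = ORIGINAL_CONF.replace("[appdefaults]", """\
[realms]
ARAGON.LOCAL = {
kdc = ipa.aragon.local:88
admin_server = ipa.aragon.local:749
default_domain = aragon.local
}
[domain_realm]
.aragon.local = ARAGON.LOCAL
aragon.local = ARAGON.LOCAL
[appdefaults]""")

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Parse an MIT-style krb5.conf into {section: {key: value | {subkey: value}}}.

    Handles 'key = value' lines and one level of 'NAME = { ... }' blocks,
    enough for [libdefaults], [realms], [domain_realm] and [appdefaults].
    '#' comments and blank lines are ignored; malformed input raises.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError("key outside any [section]: %r" % raw)
        if line == "}":
            if block is None:
                raise ValueError("unbalanced '}'")
            block = None
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            raise ValueError("cannot parse line: %r" % raw)
        if value == "{":
            block = section.setdefault(key, {})  # open NAME = { ... }
        else:
            (block if block is not None else section)[key] = value
    if block is not None:
        raise ValueError("unterminated '{' block")
    return conf


def check_client_conf(conf):
    """Return 'error: ...' / 'note: ...' strings; [] means nothing was flagged.

    A client must locate the KDC (kinit) and the admin/kpasswd server (the
    forced password change on first login) for its default realm: from an
    explicit [realms] entry with kdc and admin_server, or, with
    dns_lookup_kdc true, from DNS SRV records. Check names are this example's.
    """
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["error: [libdefaults] has no default_realm"]
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    entry = conf.get("realms", {}).get(realm)
    if entry is None:
        if dns_kdc:
            findings.append("note: realm %s has no [realms] entry; KDC and kpasswd "
                            "server must come from DNS SRV records" % realm)
        else:
            findings.append("error: realm %s has no [realms] entry and "
                            "dns_lookup_kdc is off" % realm)
    else:
        for key in ("kdc", "admin_server"):
            if key not in entry:
                findings.append("error: [realms] %s lacks %s" % (realm, key))
    if realm not in conf.get("domain_realm", {}).values():
        findings.append("note: no [domain_realm] mapping points at %s" % realm)
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(name, check_client_conf(parse_krb5_conf(text)) or ["ok"])
```

The original client config comes back with two notes and the edited one with none, which matches what the thread found: the edit only makes explicit what the library would otherwise have to obtain from DNS, so if the SRV records are correct it is not expected to change the kinit outcome.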