Fwd: [Freeipa-users] Problem with Kerberos Authentication

Michael Kang wxiluo at gmail.com
Fri Sep 25 13:46:15 UTC 2009


Thank you for telling me about the NSS package bug.

FreeIPA has worked well on Fedora 11 so far. I want to deploy FreeIPA instead
of Fedora Directory Server to do identity management in my company. I think
there will be many problems and questions for which I need your help.

Also I'd like to share my journey (FreeIPA exploration) with you guys.
Thank you again,
Michael

On Fri, Sep 25, 2009 at 9:33 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Michael Kang wrote:
>
>>
>>
>> ---------- Forwarded message ----------
>> From: *Michael Kang* <wxiluo at gmail.com>
>> Date: Fri, Sep 25, 2009 at 4:09 PM
>> Subject: Re: [Freeipa-users] Problem with Kerberos Authentication
>> To: Jenny Galipeau <jgalipea at redhat.com>
>>
>>
>> Dear Jenny Galipeau,
>>
>> Thank you and Everyone who helped me with this project. Thanks for being
>> patient and answering my questions :)
>>
>> My problem was solved by using Fedora 11 (upgraded completely). FreeIPA may
>> have bugs with Fedora 9.
>>
>> If I install Fedora 11 (not upgrade), then install ipa-server, Apache
>> crashed many times per second. Here is the log output:
>>
>>    /Apache chill pid xxxx exit singal Segmentation fault(11)/
>>
>
> Yes, this was a bug in the original NSS package that shipped with F-11.
>
>
>> After upgrading the whole system, this problem disappeared. Also, a new user
>> can pass Kerberos authentication and log in to the system successfully.
>>
>> If you want the details about the bugs on Fedora 9, I could send them to
>> you. Please let me know what you want.
>>
>
> Fedora 9 isn't supported by Fedora anymore so we don't test on it either.
>
> rob
>
>
>> Thank you again.
>> Michael
>>
>>
>> On Thu, Sep 24, 2009 at 8:41 PM, Jenny Galipeau <jgalipea at redhat.com> wrote:
>>
>>    Hi Michael:
>>
>>    Let's rule in or out the delegation you added. Can you remove the
>>    delegation and try it? If it works, I think we may have a bug. If it
>>    behaves the same, if you could provide more debug info that would be
>>    great.
>>
>>    Thanks
>>    Jenny
>>
>>    Michael Kang wrote:
>>
>>        Hi David,
>>
>>        I rebooted the system after I edited the configuration file.
>>
>>        Regards,
>>        Michael
>>
>>        On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien <davido at redhat.com> wrote:
>>
>>           Michael,
>>           did you restart the kdc after you updated the krb5.conf file?
>>
>>           David
>>
>>           Michael Kang wrote:
>>
>>               According to the FreeIPA Client Configure Guide, I realized I
>>               may have missed something in my client's krb5.conf. It had been
>>               created by the ipa-client-install script. I never edited it. But
>>               there are *no* *[realms]* and *[domain_realm]* sections in the
>>               krb5.conf file.
>>
>>               So I added them, as shown below:
>>
>>
>>                   #File modified by ipa-client-install
>>
>>                   [libdefaults]
>>                   default_realm = ARAGON.LOCAL
>>                   dns_lookup_realm = true
>>                   dns_lookup_kdc = true
>>                   ticket_lifetime = 24h
>>                   forwardable = yes
>>
>>                   [realms]
>>                   ARAGON.LOCAL = {
>>                   kdc = ipa.aragon.local:88
>>                   admin_server = ipa.aragon.local:749
>>                   default_domain = aragon.local
>>                   }
>>
>>                   [domain_realm]
>>                   .aragon.local = ARAGON.LOCAL
>>                   aragon.local = ARAGON.LOCAL
>>
>>                   [appdefaults]
>>                   pam = {
>>                   debug = false
>>                   ticket_lifetime = 36000
>>                   renew_lifetime = 36000
>>                   forwardable = true
>>                   krb4_convert = false
>>                   }
>>
>>
>>
>>               It doesn't work with the new krb5.conf either.
>>               *kinit(v5): Password change failed while getting initial
>>               credentials*
>>
>>               I'd like to post more detailed output. Hope it could be
>>               helpful.
>>
>>
>>                   [root at freeipa ~]# kinit admin
>>                   Password for admin at ARAGON.LOCAL:
>>                   [root at freeipa ~]# klist
>>                   Ticket cache: FILE:/tmp/krb5cc_0
>>                   Default principal: admin at ARAGON.LOCAL
>>
>>                   Valid starting     Expires            Service principal
>>                   09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/ARAGON.LOCAL at ARAGON.LOCAL
>>
>>
>>                   Kerberos 4 ticket cache: /tmp/tkt0
>>                   klist: You have no tickets cached
>>                   [root at freeipa ~]# ipa-finduser admin
>>                   Full Name: Administrator
>>                   Home Directory: /home/admin
>>                   Login Shell: /bin/bash
>>                   Login: admin
>>
>>                   [root at freeipa ~]# ipa-finduser haha
>>                   Full Name: haha haha
>>                   Home Directory: /home/haha
>>                   Login Shell: /bin/sh
>>                   Login: haha
>>
>>
>>
>>               Regards,
>>               Michael
>>
>>               On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang
>>               <wxiluo at gmail.com> wrote:
>>
>>
>>                   Here is the client's krb5.conf:
>>
>>                       #File modified by ipa-client-install
>>
>>                       [libdefaults]
>>                       default_realm = ARAGON.LOCAL
>>                       dns_lookup_realm = true
>>                       dns_lookup_kdc = true
>>                       ticket_lifetime = 24h
>>                       forwardable = yes
>>
>>                       [appdefaults]
>>                       pam = {
>>                       debug = false
>>                       ticket_lifetime = 36000
>>                       renew_lifetime = 36000
>>                       forwardable = true
>>                       krb4_convert = false
>>                       }
>>
>>
>>                   EOF
>>
>>
>>                   On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau
>>                   <jgalipea at redhat.com> wrote:
>>
>>
>>
>>                       Michael Kang wrote:
>>
>>
>>                           Dear FreeIPA community,
>>
>>                           I did try setting the new user's initial
>>                           password. But it didn't work either.
>>                           I got a protocol error.
>>
>>                           Here is the console output:
>>
>>                           [root at freeipa ~]# kinit admin
>>                           Password for admin at ARAGON.LOCAL:
>>                           [root at freeipa ~]# ipa-passwd haha
>>                           Changing password for haha at ARAGON.LOCAL
>>                           New Password:
>>                           Confirm Password:
>>                           [root at freeipa ~]# kinit haha
>>                           Password for haha at ARAGON.LOCAL:
>>                           Password expired. You must change it now.
>>                           Enter new password:
>>                           Enter it again:
>>                           kinit(v5): Requested protocol version not
>>                           supported while getting initial credentials
>>
>>
>>
>>                       Sounds like a Kerberos V4 request was sent to the
>>                       KDC? What's in the client's krb5.conf?
>>                       Jenny
>>
>>
>>                           On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau
>>                           <jgalipea at redhat.com> wrote:
>>
>>                           Jenny Galipeau wrote:
>>
>>
>>                           Michael Kang wrote:
>>
>>                           Dear FreeIPA community,
>>
>>                           I successfully installed FreeIPA this morning. Now
>>                           I have a problem with Kerberos authentication. New
>>                           users cannot modify their password in the shell.
>>
>>                           Hi Michael:
>>                           Did you set the new user's initial password?
>>                           kinit admin
>>                           ipa passwd haha
>>                           Thanks
>>                           Jenny
>>
>>                           Also kinit as haha, because haha will be asked to
>>                           change the password on first authentication.
>>
>>                           Thanks
>>                           Jenny
>>
>>
>>                           I added a new user named haha (group: ipauser)
>>                           via the web UI. This user is not an existing system
>>                           user. Then I added a new delegation (allow people in
>>                           group ipauser to modify the password for group
>>                           ipauser).
>>
>>                           [michael at freeipa Desktop]$ su - haha
>>                           Password:
>>
>>                           Warning: Your password will expire in less than one hour.
>>                           Warning: password has expired.
>>                           Kerberos 5 Password:
>>                           Warning: Your password will expire in less than one hour.
>>                           New UNIX password:
>>                           Retype new UNIX password:
>>                           su: incorrect password
>>                           [michael at freeipa Desktop]$ su - root
>>                           Password:
>>                           [root at freeipa ~]# su - haha
>>                           su: warning: cannot change directory to /home/haha: No such file or directory
>>                           -sh-3.2$
>>
>>
>>                           Root can su - haha successfully. I think that
>>                           means Kerberos works, but a new user cannot reset
>>                           their password in their shell.
>>
>>                           What should I do?
>>
>>                           Best Regards,
>>                           Michael
>>
>>                           --
>>                           Michael Kang(康上明学)
>>                           There is a giant asleep within every man. When the
>>                           giant awakens, miracles happen.
>>
>>                           Personal blog: http://ufusion.org - United Fusion
>>
>>
>> ------------------------------------------------------------------------
>>
>>                           _______________________________________________
>>                           Freeipa-users mailing list
>>                           Freeipa-users at redhat.com
>>                           https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>>
>>
>>                           --
>>                           Jenny Galipeau <jgalipea at redhat.com>
>>                           Principal Software QA Engineer
>>                           Red Hat, Inc. Security Engineering
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>           --
>>           David O'Brien
>>           IPA Content Author
>>           Red Hat Asia Pacific
>>           +61 7 3514 8189
>>
>>           "The most valuable of all talents is that of never using two words
>>           when one will do."
>>           Thomas Jefferson
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>


-- 
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles
happen.

Personal blog: http://ufusion.org - United Fusion
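The client krb5.conf in the thread had no [realms] or [domain_realm] sections and relied on dns_lookup_kdc for locating the KDC (the eventual cause turned out to be the F-11 NSS bug, not this file). As an added example that is not from the thread or from FreeIPA, here is a small Python checker that parses such a file and reports when the default realm can only be located through DNS; the sample config, function names and finding strings are constructed for illustration.

```python
import re
# Constructed sample modelled on the client krb5.conf posted in the thread
# before the [realms] and [domain_realm] sections were added.
SAMPLE_KRB5_CONF = """\
#File modified by ipa-client-install
[libdefaults]
default_realm = ARAGON.LOCAL
dns_lookup_kdc = true
[appdefaults]
pam = {
debug = false
}
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a `name = { ... }` block becomes a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                                 # new [section]
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":                       # end of a brace block
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                      # start of a brace block
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf

def check_realm_config(conf):
    # Reasons the default realm cannot be located from the file alone.
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    findings = []
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append("no [realms] kdc entry for " + realm)
    if realm not in conf.get("domain_realm", {}).values():
        findings.append("no [domain_realm] mapping to " + realm)
    if findings and libdefaults.get("dns_lookup_kdc", "false").lower() == "true":
        findings.append("KDC discovery relies entirely on DNS SRV records")
    return findings
```

Appending the [realms] and [domain_realm] sections from the thread to the sample makes `check_realm_config` return an empty list.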