[Freeipa-users] Problem with FreeIPA v2 and kpasswd on Solaris 10

Miljan Karadzic miljank at gmail.com
Thu Oct 14 15:41:13 UTC 2010


Hi,

I am having problems configuring a Solaris 10 client to work with a FreeIPA 
v2 server. Everything seems to be working fine except for password 
change. When I try to change the password I get this error:

$ kpasswd
kpasswd: Changing password for user@EXAMPLE.COM.
Old password:
kpasswd: Cannot establish a session with the Kerberos administrative server for realm EXAMPLE.COM. Database error! Required KADM5 principal missing.

In KDC log I can see this entry:

AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: SERVER_NOT_FOUND: user@EXAMPLE.COM for changepw/freeipa.example.com@EXAMPLE.COM, Server not found in Kerberos database

(freeipa.example.com is my FreeIPA server)

And this is how it looks when it's working:

AS_REQ (2 etypes {3 1}) 192.101.1.73: NEEDED_PREAUTH: user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
AS_REQ (2 etypes {3 1}) 192.101.1.73: ISSUE: authtime 1287068308, etypes {rep=3 tkt=18 ses=1}, user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: ISSUE: authtime 1287068319, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: ISSUE: authtime 1287068319, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/freeipa.example.com@EXAMPLE.COM

It seems that Solaris is requiring the 
changepw/freeipa.example.com@EXAMPLE.COM Kerberos principal for password 
changes, instead of kadmin/changepw@EXAMPLE.COM. I have a landscape with 
AIX, HP-UX, Linux and Solaris servers, and all other systems do not use 
the mentioned principal, so this seems to be something specific to Solaris 
(or maybe specific to my configuration :)).

Is there a way to instruct the Kerberos client which principal to use for 
password changes? Or, if not, how to add the missing principal (I do not 
see a way of doing it with FreeIPA commands)?

Installed software:

Client:
SUNWkrbr/SUNWkrbu 11.10.0,REV=2005.01.21.16.34

Server:
389-ds-base-1.2.6.1-2.fc13.i686
ipa-admintools-1.9.0.pre4-0.fc13.i686
ipa-client-1.9.0.pre4-0.fc13.i686
ipa-python-1.9.0.pre4-0.fc13.i686
ipa-server-1.9.0.pre4-0.fc13.i686
ipa-server-selinux-1.9.0.pre4-0.fc13.i686
krb5-libs-1.7.1-14.fc13.i686
krb5-server-1.7.1-14.fc13.i686
krb5-server-ldap-1.7.1-14.fc13.i686
krb5-workstation-1.7.1-14.fc13.i686
pam_krb5-2.3.11-1.fc13.i686
python-iniparse-0.4-1.fc13.noarch
python-krbV-1.0.90-1.fc13.i686

Thanks,
Miljan
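
Added example, not part of the original message and not FreeIPA or MIT Kerberos code: a small parser for KDC log entries in the shape quoted above, reporting which service principals the KDC could not find and which password-change principal each client address requested. The function names and the SAMPLE list are assumptions made for illustration; SAMPLE is constructed from the entries in the message.

```python
import re
from collections import defaultdict

# Request part of a krb5kdc log entry in the shape quoted in the message.
# search() is used so any syslog-style prefix before it is ignored.
ENTRY = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[\d ]+\}\) "
    r"(?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)"
)
# "<client principal> for <service principal>[, <message>]"
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^,\s]+)")

# Constructed sample: entries from the message, unwrapped, "@" restored.
SAMPLE = [
    "AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: SERVER_NOT_FOUND: user@EXAMPLE.COM"
    " for changepw/freeipa.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "AS_REQ (2 etypes {3 1}) 192.101.1.73: NEEDED_PREAUTH: user@EXAMPLE.COM"
    " for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required",
    "AS_REQ (2 etypes {3 1}) 192.101.1.73: ISSUE: authtime 1287068308,"
    " etypes {rep=3 tkt=18 ses=1}, user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM",
    "TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: ISSUE: authtime 1287068319, etypes"
    " {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/freeipa.example.com@EXAMPLE.COM",
]

def parse_entry(line):
    """Return a dict for one KDC request entry, or None if it does not match."""
    m = ENTRY.search(line)
    p = PRINCIPALS.search(m["rest"]) if m else None
    if not p:
        return None
    return {"req": m["req"], "ip": m["ip"], "status": m["status"],
            "client": p["client"], "service": p["service"]}

def missing_services(lines):
    """Map each service principal the KDC could not find to the requesting IPs."""
    out = defaultdict(set)
    for e in filter(None, map(parse_entry, lines)):
        if e["status"] == "SERVER_NOT_FOUND":
            out[e["service"]].add(e["ip"])
    return dict(out)

def changepw_targets(lines):
    """Map each client IP to the password-change service principals it requested."""
    out = defaultdict(set)
    for e in filter(None, map(parse_entry, lines)):
        if "changepw" in e["service"].split("@")[0]:
            out[e["ip"]].add(e["service"])
    return dict(out)
```

Run over a full KDC log, changepw_targets() separates clients that ask for kadmin/changepw from those that ask for a host-based changepw/<host> principal.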