[Freeipa-users] Problem with FreeIPA v2 and kpasswd on Solaris 10

Miljan Karadzic miljank@gmail.com
Thu Oct 14 22:42:14 UTC 2010


On 10/14/10 9:50 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Miljan Karadzic wrote:
>>> Hi,
>>>
>>> I am having problems configuring Solaris 10 client to work with FreeIPA
>>> v2 server. Everything seems to be working fine except for password
>>> change. When I try to change the password I get this error:
>>>
>>> $ kpasswd
>>> kpasswd: Changing password for user@EXAMPLE.COM.
>>> Old password:
>>> kpasswd: Cannot establish a session with the Kerberos administrative
>>> server for realm EXAMPLE.COM. Database error! Required KADM5 principal
>>> missing.
>>>
>>> In KDC log I can see this entry:
>>>
>>> AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: SERVER_NOT_FOUND:
>>> user@EXAMPLE.COM for changepw/freeipa.example.com@EXAMPLE.COM, Server
>>> not found in Kerberos database
>>>
>>> (freeipa.example.com is my FreeIPA server)
>>>
>>> And this is how it looks when it's working:
>>>
>>> AS_REQ (2 etypes {3 1}) 192.101.1.73: NEEDED_PREAUTH: user@EXAMPLE.COM
>>> for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
>>> AS_REQ (2 etypes {3 1}) 192.101.1.73: ISSUE: authtime 1287068308, etypes
>>> {rep=3 tkt=18 ses=1}, user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: NEEDED_PREAUTH:
>>> kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM,
>>> Additional pre-authentication required
>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: ISSUE: authtime
>>> 1287068319, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM
>>> for krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.19.35: ISSUE: authtime
>>> 1287068319, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM
>>> for ldap/freeipa.example.com@EXAMPLE.COM
>>>
>>> It seems that Solaris is requiring the
>>> changepw/freeipa.example.com@EXAMPLE.COM Kerberos principal for password
>>> changes, instead of kadmin/changepw@EXAMPLE.COM. I have a landscape with
>>> AIX, HP-UX, Linux and Solaris servers, and all other systems do not use
>>> the mentioned principal, so this seems to be something specific to Solaris
>>> (or maybe specific to my configuration :)).
>>>
>>> Is there a way to instruct the Kerberos client which principal to use for
>>> password changes? Or, if not, how to add the missing principal (I do not
>>> see a way of doing it with FreeIPA commands)?
>>>
>>> Installed software:
>>>
>>> Client:
>>> SUNWkrbr/SUNWkrbu 11.10.0,REV=2005.01.21.16.34
>>>
>>> Server:
>>> 389-ds-base-1.2.6.1-2.fc13.i686
>>> ipa-admintools-1.9.0.pre4-0.fc13.i686
>>> ipa-client-1.9.0.pre4-0.fc13.i686
>>> ipa-python-1.9.0.pre4-0.fc13.i686
>>> ipa-server-1.9.0.pre4-0.fc13.i686
>>> ipa-server-selinux-1.9.0.pre4-0.fc13.i686
>>> krb5-libs-1.7.1-14.fc13.i686
>>> krb5-server-1.7.1-14.fc13.i686
>>> krb5-server-ldap-1.7.1-14.fc13.i686
>>> krb5-workstation-1.7.1-14.fc13.i686
>>> pam_krb5-2.3.11-1.fc13.i686
>>> python-iniparse-0.4-1.fc13.noarch
>>> python-krbV-1.0.90-1.fc13.i686
>>>
>>> Thanks,
>>> Miljan
>>
>> The good news is that I can reproduce this on my Solaris 10 system. The
>> bad news is I'm not sure what the solution is yet. I'll keep looking.
>> regards
>>
>
> I can't test this completely because for some reason kinit is 
> segfaulting on my machine. I can get it to use the right principal for 
> kpasswd though, try adding kpasswd_protocol = SET_CHANGE to your 
> [realm] section in /etc/krb/krb5.conf, something like:
>
> [realms]
>         EXAMPLE.COM = {
>                 kdc = freeipa.example.com:88
>                 admin_server = freeipa.example.com:749
>                 kpasswd_protocol = SET_CHANGE
>         }
>
> rob

Hi Rob,

After adding the kpasswd_protocol entry to the krb5.conf file, kpasswd is
using the correct principal, but now it fails before setting the new password.

$ kpasswd
kpasswd: Changing password for user@EXAMPLE.COM.
Old password:
New password:
New password (again):
kpasswd: Malformed request error

And the password is not changed after this. KDC log says:

AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: NEEDED_PREAUTH:
user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional
pre-authentication required
AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: ISSUE: authtime
1287095138, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for
kadmin/changepw@EXAMPLE.COM

I'll take a closer look at this tomorrow, as it is quite late here. :)
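To see at a glance which clients in a mixed fleet ask for the host-based changepw principal (as this Solaris box did before the kpasswd_protocol change) and which still offer only single-DES enctypes (as the 192.101.1.73 client does with {3 1}), here is an added example, not part of this thread or of FreeIPA, that parses MIT KDC log lines of the form quoted above. The sample log is constructed from the lines in this thread with "@" restored; the helper names are the example's own.

```python
import re
# Constructed sample input: the KDC log lines quoted in this thread, "@" restored.
SAMPLE_LOG = """\
AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: SERVER_NOT_FOUND: user@EXAMPLE.COM for changepw/freeipa.example.com@EXAMPLE.COM, Server not found in Kerberos database
AS_REQ (2 etypes {3 1}) 192.101.1.73: NEEDED_PREAUTH: user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
AS_REQ (2 etypes {3 1}) 192.101.1.73: ISSUE: authtime 1287068308, etypes {rep=3 tkt=18 ses=1}, user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
AS_REQ (6 etypes {18 17 16 23 3 1}) 10.134.19.22: ISSUE: authtime 1287095138, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
"""

# <REQ> (<n> etypes {...}) <ip>: <STATUS>: [authtime N, etypes {...}, ]<client> for <server>[, <message>]
LINE_RE = re.compile(
    r"^(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.*))?$"
)

# Single-DES enctype numbers (RFC 3961): des-cbc-crc, des-cbc-md4, des-cbc-md5.
DES_ETYPES = {1, 2, 3}


def parse_kdc_log(text):
    """Return one dict per parseable line; 'etypes' becomes the set the client offered."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["etypes"] = {int(e) for e in rec["etypes"].split()}
            records.append(rec)
    return records


def changepw_findings(text):
    """Per client IP: changepw principals requested, those the KDC did not know, DES-only flag."""
    findings = {}
    for rec in parse_kdc_log(text):
        server = rec["server"]
        if not (server.startswith("kadmin/changepw@") or server.startswith("changepw/")):
            continue
        f = findings.setdefault(rec["ip"], {"principals": set(), "unknown": set(), "des_only": False})
        f["principals"].add(server)
        if rec["status"] == "SERVER_NOT_FOUND":
            f["unknown"].add(server)  # client asked for a principal the KDC has no entry for
        if rec["etypes"] <= DES_ETYPES:
            f["des_only"] = True  # client offered nothing stronger than single DES
    return findings


if __name__ == "__main__":
    for ip, f in sorted(changepw_findings(SAMPLE_LOG).items()):
        print(ip, f)
```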