[Freeipa-users] Change Password problems (Unsupported Version)

[Nalin Dahyabhai]

On Tue, Sep 27, 2011 at 03:24:24PM +0800, Goff, Raal wrote:
> My IPA 2.0 master-slave setup has been working fine up until this week when users started getting problems updating their password due to expiry. Users get the following error when using kpasswd to update their passwords:
> 
> kinit: krb5_get_init_creds: Unable to reach any changepw server  in realm EXAMPLE.COM
> 
> The only error I seem to find in the logs is unhelpful:
> 
> Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version
> Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version

Those correlate - the ipa_kpasswd daemon logs these messages when it
sees a password-change request with an internal version number that
doesn't match the version of the protocol that it handles.  The client
gets no reply, and because it's connectionless, it assumes that it was
not able to contact a server.

> Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:
> 
> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded

Are the users who can change their passwords using different client
software (specifically, versions of Kerberos, which supplies the kpasswd
command) compared to the users who can't?

If you can get a packet capture of a client request, we can examine the
first few bytes to check what's triggering the failure.

HTH,

Nalin