[Freeipa-users] user unable to change password after admin resets pw
Kelvin Edmison
kelvin at kindsight.net
Fri Feb 17 04:23:38 UTC 2012

It turns out I had missed the UDP ports for Kerberos (88) and kpasswd (464)
in the firewall configuration.

I had the TCP ports open, just not the UDP ones. I missed the fine print
that said these two ports had to be open via both TCP and UDP. I think this
constitutes a vote of support for
https://fedorahosted.org/freeipa/ticket/2110 :)

While on the topic of firewall configuration, why is the list of ports
different in bug 2110 versus the Red Hat IPA documentation
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html ?

Bug 2110 appears to skip all the dogtag ports, even though the Red Hat IPA
document says that they 'cannot be in use by another service or blocked by a
firewall'.

Cheers,
Kelvin

On 12-02-16 10:52 PM, "Kelvin Edmison" <kelvin at kindsight.net> wrote:
> I had sworn that I had faithfully followed the firewall configs, but this
> was it; thanks! Off to tcpdump to see which port I missed.
>
> Kelvin
>
>
> On 12-02-16 10:21 PM, "Brian Topping" <topping at codehaus.org> wrote:
>
>> Firewall issue? Maybe do a tcpdump on one of the machines while trying this?
>>
>> On Feb 16, 2012, at 10:10 PM, Kelvin Edmison wrote:
>>
>>> Hi all,
>>>
>>> I am trying to roll out ipa as our central authentication system, and am
>>> running into problems with password changes on CentOS 5.
>>>
>>> Scenario:
>>> Admin user resets a user's password.
>>> The user, on a non-IPA-managed system, logs into a CentOS 5 server
>>> (IPA-managed) via ssh. The temporary password is accepted and the user is
>>> immediately prompted to change the password, but the password change fails
>>> with the message 'System is offline, password change not possible'.
>>>
>>> $ ssh kelvin at testhost
>>> kelvin at testhost's password:
>>> Warning: Your password will expire in less than one hour.
>>> Password expired. Change your password now.
>>> Last login: Thu Feb 16 21:54:59 2012 from vpn
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user kelvin.
>>> Current Password:
>>> New UNIX password:
>>> Retype new UNIX password:
>>> System is offline, password change not possible
>>> Warning: Your password will expire in less than one hour.
>>> Warning: Your password will expire in less than one hour.
>>> passwd: Authentication token manipulation error
>>> Connection to testhost closed.
>>>
>>> What am I missing? Can someone please help me get this working?
>>>
>>> Thanks,
>>> Kelvin
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
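
A check for the mistake described in this thread, as an added example (not part of the original messages and not FreeIPA's own tooling): it reads `iptables-save`-style rules and lists which of Kerberos (88) and kpasswd (464) lack an ACCEPT rule for TCP or UDP. The function names, the sample ruleset and the default chain name `INPUT` are assumptions.

```shell
#!/bin/sh
# Added example. Usage on a live host: iptables-save | missing_kdc_ports [chain]
# Limits: looks only for ACCEPT rules with --dport/--dports in one chain;
# it does not evaluate rule order, source filters or port ranges.
missing_kdc_ports() {
    awk -v chain="${1:-INPUT}" '
    BEGIN {
        # The thread states both ports must be open via both TCP and UDP.
        n = split("tcp/88 udp/88 tcp/464 udp/464", need, " ")
    }
    $1 == "-A" && $2 == chain {
        proto = ""; ports = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (target != "ACCEPT" || proto == "" || ports == "") next
        # --dports (multiport) carries a comma-separated list.
        m = split(ports, p, ",")
        for (k = 1; k <= m; k++) allowed[proto "/" p[k]] = 1
    }
    END {
        for (j = 1; j <= n; j++)
            if (!((need[j]) in allowed)) print need[j]
    }'
}

# Constructed sample ruleset reproducing the situation in the thread:
# TCP 88 and 464 are open, the UDP counterparts are not.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
COMMIT
EOF
}

# Prints one proto/port per line for every missing rule.
sample_rules | missing_kdc_ports
```

An empty result means all four proto/port pairs have an ACCEPT rule in the chain; pass a chain name as the first argument if the host's rules live in a chain other than `INPUT`.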