[Freeipa-users] Initial login on RHEL 6 fails
Simo Sorce
simo at redhat.com
Mon Jan 9 22:31:52 UTC 2012
On Mon, 2012-01-09 at 12:28 -0900, Erinn Looney-Triggs wrote:
>
[snip]
Looks like the expiration is not updated, I suspect the password change
actually failed.
> A couple of additional notes that may be important. The system to which
> I am attempting to authenticate lives in private IP space whereas the
> IPA server is on a public IP.
Does it mean the client system is NATed wrt IPA?
I think that could make kpasswd fail. I need to check if this has been
addressed in MIT libraries but IIRC it is a known limitation so far.
The kpasswd binary I think specifies the IP address in mk_priv and fails
verification from behind a NAT.
> Second, HBAC is in effect on the host so
> the user must be a member of the desktop group in order to
> authenticate.
HBAC is not involved in any way with password changes, so I am confident
you can exclude any correlation.
> These may not have any bearing, or they may, who knows.
Yes the NAT part may be your issue.
Simo.
--
Simo Sorce * Red Hat, Inc * New York