[Freeipa-users] Initial login on RHEL 6 fails

Simo Sorce simo at redhat.com
Thu Jan 12 01:24:16 UTC 2012


On Mon, 2012-01-09 at 13:42 -0900, Erinn Looney-Triggs wrote:
> On 01/09/2012 01:31 PM, Simo Sorce wrote:
> > On Mon, 2012-01-09 at 12:28 -0900, Erinn Looney-Triggs wrote:
> >>
> > [snip]
> > 
> > 
> > Looks like the expiration is not updated, I suspect the password change
> > actually failed.
> > 
> >> A couple of additional notes that may be important. The system to
> >> which
> >> I am attempting to authenticate lives in private IP space whereas the
> >> IPA server is on a public IP.
> > 
> > Does it mean the client system is NATed wrt IPA ?
> 
> That is correct.
> 
> > 
> > I think that could make kpasswd fail. I need to check if this has been
> > addressed in MIT libraries but IIRC it is a known limitation so far.
> > The kpasswd binary I think specifies the IP address in mk_priv and fails
> > verification from behind a NAT.
> > 
> >>  Second HBAC is in effect on the host so
> >> the user must be a member of the desktop group in order to
> >> authenticate.
> > 
> > HBAC is not involved in any way with password changes, so I am confident
> > you can exclude any correlation.
> > 
> >> These may not have any bearing, or they may who knows. 
> > 
> > Yes the NAT part may be your issue.
> 
> Yeah my kerb foo is a little rusty but the whole NAT/kerb thing causing
> issues does ring a bell with me too. I will continue to research.

From the MIT 1.10beta1 announcement[1]:

* Allow password changes to work over NATs.


So we will have that working in freeipa 2.2.0/3.0 when used with 1.10
once it is final.

Simo

[1] http://web.mit.edu/kerberos/krb5-1.10/krb5-1.10.html

-- 
Simo Sorce * Red Hat, Inc * New York
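The failure mode discussed in this thread, as an added illustration that is not code from the list, from FreeIPA or from MIT Kerberos: RFC 4120 lets a KRB-PRIV message carry the sender's address (s-address) inside its protected part, and a recipient that checks it rejects a message whose embedded address differs from the source address the datagram actually arrived from. A NAT rewrites the IP header but cannot rewrite the protected field, so the check fails exactly as Simo describes. The session key, addresses and payload below are constructed sample values, integrity is modelled with an HMAC rather than Kerberos encryption, and "omit the sender address" is only this model's way of showing a NAT-tolerant exchange, not a claim about how krb5 1.10 implements its fix.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values. A real KRB-PRIV is encrypted under the AP-REQ
# session key; an HMAC tag over the protected fields stands in for that here.
SESSION_KEY = b"constructed-session-key-not-real"
CLIENT_PRIVATE_IP = "10.0.0.5"   # the client's own view of its address (RFC 1918 space)
NAT_PUBLIC_IP = "203.0.113.7"    # the address the IPA server actually sees (RFC 5737 space)


@dataclass(frozen=True)
class KrbPriv:
    payload: bytes
    s_address: Optional[str]  # sender address bound into the protected part, or None if omitted
    tag: bytes                # integrity tag covering payload and s_address


def _tag(payload: bytes, s_address: Optional[str]) -> bytes:
    data = payload + b"|" + (s_address or "").encode()
    return hmac.new(SESSION_KEY, data, hashlib.sha256).digest()


def mk_priv(payload: bytes, local_address: Optional[str]) -> KrbPriv:
    """Sender side: wrap the payload; the local address, if supplied, is covered by the tag."""
    return KrbPriv(payload, local_address, _tag(payload, local_address))


def rd_priv(msg: KrbPriv, observed_src: str, check_address: bool = True) -> bytes:
    """Recipient side: verify integrity, then (if enabled) that s-address matches the packet source."""
    if not hmac.compare_digest(_tag(msg.payload, msg.s_address), msg.tag):
        raise ValueError("integrity check failed")
    if check_address and msg.s_address is not None and msg.s_address != observed_src:
        raise ValueError(
            f"sender address mismatch: message says {msg.s_address}, datagram from {observed_src}")
    return msg.payload


def deliver(msg: KrbPriv, src: str, behind_nat: bool) -> Tuple[KrbPriv, str]:
    """Network path: a NAT rewrites the IP header's source but cannot touch the protected s-address."""
    return msg, (NAT_PUBLIC_IP if behind_nat else src)


def password_change(bind_address: bool, behind_nat: bool, server_checks_address: bool = True) -> str:
    """Run one kpasswd-style exchange and report 'ok' or the server's rejection reason."""
    req = mk_priv(b"new-password-request", CLIENT_PRIVATE_IP if bind_address else None)
    msg, observed_src = deliver(req, CLIENT_PRIVATE_IP, behind_nat)
    try:
        rd_priv(msg, observed_src, check_address=server_checks_address)
    except ValueError as err:
        return str(err)
    return "ok"


if __name__ == "__main__":
    for bind, nat in [(True, False), (True, True), (False, True)]:
        print(f"bind_address={bind} behind_nat={nat}: {password_change(bind, nat)}")
```

Running it shows the three cases from the thread: the address-bound exchange succeeds on a directly routed client, fails with "sender address mismatch" once a NAT sits between the client and the KDC, and succeeds again when the client does not bind its private address into the message. The integrity check is untouched in every case, which is why the failure shows up as a verification error on an otherwise valid password change rather than as a network or HBAC problem.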



