[Freeipa-users] Initial login on RHEL 6 fails

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Thu Jan 12 07:43:10 UTC 2012


On 01/11/2012 04:24 PM, Simo Sorce wrote:
> On Mon, 2012-01-09 at 13:42 -0900, Erinn Looney-Triggs wrote:
>> On 01/09/2012 01:31 PM, Simo Sorce wrote:
>>> On Mon, 2012-01-09 at 12:28 -0900, Erinn Looney-Triggs wrote:
>>>>
>>> [snip]
>>>
>>>
>>> Looks like the expiration is not updated, I suspect the password change
>>> actually failed.
>>>
>>>> A couple of additional notes that may be important. The system to
>>>> which
>>>> I am attempting to authenticate lives in private IP space whereas the
>>>> IPA server is on a public IP.
>>>
>>> Does it mean the client system is NATed wrt IPA ?
>>
>> That is correct.
>>
>>>
>>> I think that could make kpasswd fail. I need to check if this has been
>>> addressed in MIT libraries but IIRC it is a known limitation so far.
>>> The kpasswd binary I think specifies the IP address in mk_priv and fails
>>> verification from behind a NAT.
>>>
>>>> Second, HBAC is in effect on the host so
>>>> the user must be a member of the desktop group in order to
>>>> authenticate.
>>>
>>> HBAC is not involved in any way with password changes, so I am confident
>>> you can exclude any correlation.
>>>
>>>> These may not have any bearing, or they may, who knows.
>>>
>>> Yes the NAT part may be your issue.
>>
>> Yeah my kerb foo is a little rusty but the whole NAT/kerb thing causing
>> issues does ring a bell with me too. I will continue to research.
> 
> From the MIT 1.10beta1 announcement[1]:
> 
> * Allow password changes to work over NATs.
> 
> 
> So we will have that working in freeipa 2.2.0/3.0 when used with 1.10
> once it is final.
> 
> Simo
> 
> [1] http://web.mit.edu/kerberos/krb5-1.10/krb5-1.10.html
> 

Ah well, that is quite nice. From my reading it looks like the kpasswd
over NAT bit has been on a standards track to allow this to happen for
the last 8 years or so, so I wasn't holding out a lot of hope.

Thanks for pointing this out,
-Erinn
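As an added illustration (not code from this thread, MIT krb5, or FreeIPA), a small Python model of the failure Simo describes: the kpasswd client embeds its own local address in the encrypted KRB-PRIV body, the NAT rewrites only the outer source IP, and the server's verification rejects the mismatch. The `pin_address=False` path is an assumed simplification of what "password changes over NATs" needs, not the actual 1.10 change; addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class KrbPriv:
    """Minimal stand-in for a KRB-PRIV password-change request (assumed layout)."""
    user_data: bytes
    s_address: Optional[str]   # sender address inside the encrypted part


def mk_priv(user_data: bytes, local_addr: Optional[str]) -> KrbPriv:
    """Client side. A pre-1.10 style client pins its own (private, pre-NAT)
    address into the message; None models a client that does not pin it."""
    return KrbPriv(user_data=user_data, s_address=local_addr)


def nat(src_addr: str, public_addr: str) -> str:
    """The NAT rewrites the packet's source IP; the encrypted s_address is untouched."""
    return public_addr


def rd_priv(msg: KrbPriv, observed_src: str, enforce_address: bool = True) -> bool:
    """Server side: accept only if the embedded sender address matches the
    address the packet actually arrived from (when enforcement is on)."""
    if not enforce_address or msg.s_address is None:
        return True
    return msg.s_address == observed_src


def password_change_succeeds(client_addr: str, nat_addr: Optional[str] = None,
                             pin_address: bool = True, enforce: bool = True) -> bool:
    """Run one password change through the model and report whether it verifies."""
    msg = mk_priv(b"new-password", client_addr if pin_address else None)
    on_wire_src = nat(client_addr, nat_addr) if nat_addr else client_addr
    return rd_priv(msg, on_wire_src, enforce)


if __name__ == "__main__":
    # Constructed addresses: private client 10.0.0.5 behind NAT 203.0.113.7
    print("direct:            ", password_change_succeeds("10.0.0.5"))
    print("behind NAT, pinned:", password_change_succeeds("10.0.0.5", "203.0.113.7"))
    print("behind NAT, unpinned:",
          password_change_succeeds("10.0.0.5", "203.0.113.7", pin_address=False))
```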

