[Freeipa-users] Ipa migration, from ui cannot change password

James James jreg2k at gmail.com
Fri Sep 21 11:27:15 UTC 2012


I was mistaken. The password change from the ui works well.

Thanks again for your help.

2012/9/21 James James <jreg2k at gmail.com>

> This is my krb5kdc.log ...
>
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: CLIENT KEY EXPIRED: test at LIX.POLYTECHN
> IQUE.FR for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password has expired
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: NEEDED_PREAUTH: test at EXAMPLE.COM for kadmin/
> changepw at EXAMPLE.COM, Additional pre-authentication required
> Sep 21 00:03:14 ipa.example.com krb5kdc[22836](info): AS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348178594, etypes {rep=18
> tkt=18 ses=18}, test at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM
> Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): TGS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18
> tkt=18 ses=18}, HTTP/ipa.example.com at EXAMPLE.COM for ldap/
> ipa.example.com at EXAMPLE.COM
> Sep 21 00:04:59 ipa.example.com krb5kdc[22836](info): ...
> CONSTRAINED-DELEGATION s4u-client=admin at EXAMPLE.COM
> Sep 21 00:05:08 ipa.example.com krb5kdc[22843](info): TGS_REQ (4 etypes
> {18 17 16 23}) 129.104.11.85: ISSUE: authtime 1348176661, etypes {rep=18
> tkt=18 ses=18}, HTTP/ipa.example.com at EXAMPLE.COM for ldap/
> ipa.example.com at EXAMPLE.COM
>
>
> Thanks
>
>
> 2012/9/21 James James <jreg2k at gmail.com>
>
>> Now, I can read the userPassword field (after the migration process) but
>> I still can't change my password from the UI. I just got:
>>
>> kerberos ticket is no longer valid.
>>
>>
>>
>> 2012/9/20 James James <jreg2k at gmail.com>
>>
>>> It will be fine to have this info in the doc.
>>>
>>>
>>> 2012/9/20 Rob Crittenden <rcritten at redhat.com>
>>>
>>>> Dmitri Pal wrote:
>>>>
>>>>> On 09/20/2012 01:42 PM, Rob Crittenden wrote:
>>>>>
>>>>>> James James wrote:
>>>>>>
>>>>>>> You're right. The request returns:
>>>>>>>
>>>>>>> Enter LDAP Password:
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>>>>> # filter: uid=test
>>>>>>> # requesting: userPassword
>>>>>>> #
>>>>>>>
>>>>>>> # test, users, accounts, example.com
>>>>>>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 2
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> Can you explain to me what happens?
>>>>>>>
>>>>>>> Is there a solution?
>>>>>>>
>>>>>>
>>>>>> When migrating you need to bind as a user that has read permission on
>>>>>> the userPassword attribute in the remote LDAP server.
>>>>>>
>>>>>
>>>>> Rob, should we check if we can read the userPassword attribute and if
>>>>> not fail migration?
>>>>> Should we open a ticket for this?
>>>>> Also I do not think we document the expectation that you vocalized
>>>>> above.
>>>>>
>>>>
>>>> I'll open a ticket to spell this out in the docs.
>>>>
>>>> Checking it in the command would be nice but I don't know about fatal.
>>>> Still, I'll open a ticket for that as well.
>>>>
>>>> rob
>>>>
>>>
>>>
>>
>
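
The check discussed in the quoted thread, sketched as an added example (not FreeIPA code and not part of the original messages): it parses `ldapsearch` LDIF output obtained with the intended migration bind DN and lists entries that came back without `userPassword`. The function names and the sample LDIF are constructed for illustration; a missing value can also mean the account has no password set, so the result is a prompt to check the remote server's ACLs.

```python
import sys

# Constructed sample: ldapsearch output when the bind DN may not read
# userPassword. The entry is returned, the attribute is silently omitted.
DENIED = """\
# filter: uid=test
# requesting: userPassword

dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success
"""
# Constructed sample: same search with a privileged bind DN (placeholder hash).
READABLE = DENIED.replace(
    "dc=com\n\n# search",
    "dc=com\nuserPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=\n\n# search")

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of (dn, {attr: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold LDIF continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            value = value.lstrip(":").strip()   # "attr:: b64" keeps the b64 text
            if name.lower() == "dn":
                dn = value
            elif dn is not None:          # skips "search:" / "result:" trailer
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def unreadable_passwords(text):
    """Return DNs of entries that were returned without any userPassword value."""
    return [dn for dn, attrs in parse_ldif(text) if not attrs.get("userpassword")]

if __name__ == "__main__":
    # Pipe real ldapsearch output in, or run with no pipe to use the sample.
    missing = unreadable_passwords(DENIED if sys.stdin.isatty() else sys.stdin.read())
    for dn in missing:
        print("no userPassword returned:", dn)
    sys.exit(1 if missing else 0)
```
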