[Freeipa-users] AIX kerberos client to IPA
Rob
robert.roche at xerox.com
Tue Mar 18 14:19:56 UTC 2014
Sigbjorn Lie <sigbjorn at ...> writes:
>
>
> On 12/03/14 22:52, Rob wrote:
>
>
>
> Hi,
>
> I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server. The
> AIX server is configured to use netgroups and all that works for the existing
> users.
>
> The problem is when a user's password expires or when a new user is created.
> They cannot change their password.
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for "testuser"
> testuser's Old password:
> testuser's New password:
> Connection to localhost closed.
>
> The problem seems to be related to not getting a kerberos ticket as kinit can
> be used to change the password.
>
> Logging is enabled but no logs ever get updated
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> default = FILE:/var/krb5/log/krb5lib.log
>
> Anybody ever come across this? Or know how to get logging working?
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
> I am not familiar with AIX. Just a quick tip for what we had to do on
> Solaris to make password changes work - as the issue sounded somewhat
> familiar... :)
>
> We have to set "kpasswd_protocol = SET_CHANGE" in krb5.conf when used with
> any "non-Solaris KDC".
>
> Perhaps you have a similar setting for AIX?
>
Thanks, I tried that option but it didn't seem to make any difference. I've
a tech call open with IBM and redhat so I'm hoping between us we can figure
out what the problem is.
I'll post here with any solution that I might get.