[Freeipa-users] RES: [Marketing Mail] Re: Expired password change on AIX Client

Luiz Fernando Vianna da Silva luiz.vianna at tivit.com.br
Wed Apr 1 18:08:19 UTC 2015


Hello Dmitri.

Server is running: ipa-server-3.0.0-37.el6.x86_64
My kerberos configuration looks like this on a client:
# cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
        DOMAIN.COM = {
                kdc = ldap.domain.com:88
                admin_server = ldap.domain.com:749
                default_domain = domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        ldap.domain.com = DOMAIN.COM

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

#

What does the KDC log show?: Where do I get this log from?

Atenciosamente/Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126

luiz.vianna at tivit.com.br


T I V I T

Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br

This message, including its attachments, is confidential and its content is restricted to the recipient of the message. If you have received it in error, please return it to the recipient and delete it from your files. Any unauthorized use, replication or dissemination of this message or any part of it is expressly prohibited. TIVIT will not be held responsible for the content or the veracity of this information.

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On behalf of Dmitri Pal
Sent: Wednesday, April 1, 2015 13:27
To: freeipa-users at redhat.com
Subject: [Marketing Mail] Re: [Freeipa-users] Expired password change on AIX Client

On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:
Hello All.

I’ve searched the archives of this mailing list looking for an answer for this one, but all I found led me nowhere. ☹
Closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

Has anyone figured out a way to have expired password changes work on AIX clients?

I have tried adding “kpasswd_protocol = SET_CHANGE” as well as “kpasswd_protocol = RPCSEC_GSS” to the [realms] section but none of them worked.

Here is the output from an ssh test session for user “teste” on an AIX 7.1 machine:
-bash-4.2$ ssh teste at localhost
################################################################################
#  NICE MOTD
################################################################################

teste at localhost's password:
[KRB5]: 3004-332 Your password has expired.
3004-333 A password change is required.

[KRB5]: 3004-332 Your password has expired.
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************

################################################################################
# NICE MOTD
################################################################################

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for "teste"
teste's Old password:
teste's New password:
Enter the new password again:
3004-604 Your entry does not match the old password.
Connection to localhost closed.
-bash-4.2$


So you are setting up an AIX client using Kerberos against an IPA server and trying to log in with a user that has an expired password. Did I get it right?

What version of the server are you using?
How does your Kerberos configuration look on a client?
What does the KDC log show?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
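
Added example, not part of the original thread: a Python audit of the client krb5.conf posted at the top of this message. It flags the enctypes in default_tkt_enctypes and default_tgs_enctypes that RFC 6649 and RFC 8429 deprecate, and reports which password-change relations the default realm sets. The function names are made up for this example, and the parser handles only the subset of krb5.conf syntax that appears in the posted file.

```python
import re
# Client krb5.conf as posted above (kdc, [domain_realm] and [logging] left out).
KRB5_CONF = """\
[libdefaults]
        default_realm = DOMAIN.COM
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
[realms]
        DOMAIN.COM = {
                admin_server = ldap.domain.com:749
        }
"""
DEPRECATED = {"des-cbc-crc": "RFC 6649", "des-cbc-md5": "RFC 6649",    # single DES
              "des3-cbc-sha1": "RFC 8429", "arcfour-hmac": "RFC 8429"}  # 3DES, RC4

def parse_krb5_conf(text):
    """Parse [sections], 'key = value' relations and one level of '{ }' nesting."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})  # e.g. a realm's sub-block
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def weak_enctypes(conf):
    """List (setting, enctype, deprecating RFC) for every deprecated enctype."""
    lib = conf.get("libdefaults", {})
    return [(key, e, DEPRECATED[e])
            for key in ("default_tkt_enctypes", "default_tgs_enctypes")
            for value in lib.get(key, []) for e in re.split(r"[\s,]+", value) if e in DEPRECATED]

def password_change_settings(conf):
    """Default realm's relations that steer password changes (None when unset)."""
    realm = conf["libdefaults"]["default_realm"][0]
    relations = conf.get("realms", {}).get(realm, {})
    return {k: relations.get(k, [None])[0] for k in ("admin_server", "kpasswd_server", "kpasswd_protocol")}

if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print(weak_enctypes(conf), password_change_settings(conf), sep="\n")
```

With MIT krb5, a realm that sets no kpasswd_server falls back to DNS lookup and then to port 464 on the admin_server host; the thread does not say how the AIX client resolves it.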