[Freeipa-users] Expired password change on AIX Client

Dmitri Pal dpal at redhat.com
Thu Apr 2 13:20:45 UTC 2015


On 04/01/2015 02:28 PM, Luiz Fernando Vianna da Silva wrote:
>
> Hello Dmitri.
>
> Server is running: ipa-server-3.0.0-37.el6.x86_64
>
> My kerberos configuration looks like this on a client:
>
> # cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:/etc/krb5/krb5.keytab
> default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
> default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
>
> [realms]
> DOMAIN.COM = {
> kdc = ldap.domain.com:88
> admin_server = ldap.domain.com:749
> default_domain = domain.com
> }
>
> [domain_realm]
> .domain.com = DOMAIN.COM
> ldap.domain.com = DOMAIN.COM
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> default = FILE:/var/krb5/log/krb5lib.log
> #
>
> What does the KDC log show?: Where do I get this log from?
>

/var/log/krb5kdc.log

> Atenciosamente/Best Regards
>
> *Luiz Fernando Vianna da Silva*
> ITM-I - Operação Cielo
> +55 (11) 3626-7126
> luiz.vianna at tivit.com.br
>
> *T I V I T*
> Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
> São Paulo - SP - CEP 05804-900
> www.tivit.com.br <http://www.tivit.com.br/>
>
> This message, including its attachments, is confidential and its
> content is restricted to the recipient of the message. If you have
> received it by mistake, please return it to the recipient and
> delete it from your files. Any unauthorized use, replication or
> dissemination of this message or any part of it is expressly prohibited.
> TIVIT will not be held responsible for the content or the accuracy of
> this information.
>
> *From:* freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] *On behalf of* Dmitri Pal
> *Sent:* Wednesday, April 1, 2015 13:27
> *To:* freeipa-users at redhat.com
> *Subject:* [Marketing Mail] Re: [Freeipa-users] Expired password
> change on AIX Client
>
> On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:
>
>     Hello All.
>
>     I’ve searched the archives of this mailing list looking for an
>     answer for this one, but all I found led me nowhere. :(
>
>     Closest thread to help me was:
>     https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html
>
>     Has anyone figured out a way to have expired password changes work
>     on AIX clients?
>
>     I have tried adding “kpasswd_protocol = SET_CHANGE” as well as
>     “kpasswd_protocol = RPCSEC_GSS” to the [realms] section but neither
>     of them worked.
>
>     Here is the output from an ssh test session for user “teste” on an
>     AIX 7.1 machine:
>
>     -bash-4.2$ ssh teste@localhost
>     ################################################################################
>     #  NICE MOTD
>     ################################################################################
>     teste@localhost's password:
>     [KRB5]: 3004-332 Your password has expired.
>     3004-333 A password change is required.
>     [KRB5]: 3004-332 Your password has expired.
>     *******************************************************************************
>     *                                                                             *
>     *                                                                             *
>     *  Welcome to AIX Version 7.1!                                                *
>     *                                                                             *
>     *                                                                             *
>     *  Please see the README file in /usr/lpp/bos for information pertinent to    *
>     *  this release of the AIX Operating System.                                  *
>     *                                                                             *
>     *                                                                             *
>     *******************************************************************************
>     ################################################################################
>     # NICE MOTD
>     ################################################################################
>     WARNING: Your password has expired.
>     You must change your password now and login again!
>     Changing password for "teste"
>     teste's Old password:
>     teste's New password:
>     Enter the new password again:
>     3004-604 Your entry does not match the old password.
>     Connection to localhost closed.
>     -bash-4.2$
>
>
> So you are setting up an AIX client using Kerberos against an IPA server and
> trying to log in with a user that has an expired password. Did I get it right?
>
> What version of the server are you using?
> What does your Kerberos configuration look like on a client?
> What does the KDC log show?
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
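
An added example, not part of the original thread: one way to pull a single principal's requests out of the KDC log named above and see which services it asked for and how the KDC answered. It assumes the MIT krb5kdc log line layout; the log lines are constructed sample data and the helper names (`kdc_events`, `summarize`) are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the MIT krb5kdc log layout (not taken from the thread).
SAMPLE_LOG = """\
Apr 02 10:15:01 ldap.domain.com krb5kdc[2345](info): AS_REQ (6 etypes {16 23 18 3 1 17}) 10.1.2.3: CLIENT KEY EXPIRED: teste@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Password has expired
Apr 02 10:15:09 ldap.domain.com krb5kdc[2345](info): AS_REQ (6 etypes {16 23 18 3 1 17}) 10.1.2.3: NEEDED_PREAUTH: teste@DOMAIN.COM for kadmin/changepw@DOMAIN.COM, Additional pre-authentication required
Apr 02 10:15:09 ldap.domain.com krb5kdc[2345](info): AS_REQ (6 etypes {16 23 18 3 1 17}) 10.1.2.3: PREAUTH_FAILED: teste@DOMAIN.COM for kadmin/changepw@DOMAIN.COM, Decrypt integrity check failed
Apr 02 10:16:30 ldap.domain.com krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.9: ISSUE: authtime 1427969790, etypes {rep=18 tkt=18 ses=18}, admin@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
"""

# timestamp, host, krb5kdc[pid](level), request type, client address, status,
# optional "authtime ..., etypes {...}," (only on ISSUE), client, service, detail
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): (?P<status>[A-Z_ ]+): "
    r"(?:authtime \d+, +etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)(?:, (?P<detail>.*))?$"
)

def kdc_events(log_text, principal):
    """Return (timestamp, service, status, detail) for each request by principal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["client"] == principal:
            events.append((m["ts"], m["service"], m["status"], m["detail"] or ""))
    return events

def summarize(events):
    """Group the statuses seen per requested service, in log order."""
    by_service = defaultdict(list)
    for _ts, service, status, _detail in events:
        by_service[service].append(status)
    return dict(by_service)

if __name__ == "__main__":
    # On the IPA server, replace SAMPLE_LOG with the contents of /var/log/krb5kdc.log.
    for ts, service, status, detail in kdc_events(SAMPLE_LOG, "teste@DOMAIN.COM"):
        print(f"{ts}  {status:<20} {service}  {detail}")
```
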
