Hello List We are having problem with changing/reseting password. Even the admin password cannot be changed. During login users with expired passwords are warned that their password has expired and forced to change their password. But when the type new password, the operation fails with error "Authentication token manipulation error" When I tried the change the admin krb5 password from the ipa-server I got the following error "Cannot contact any KDC for requested realm while getting initial credentials" That's surprising because the KDC hostname resolves properly. This what's in the krb5kdc.log each time Jan 12 13:30:27 <a href="http://ipaserver.mycompany.com">ipaserver.mycompany.com</a> krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) <a href="http://192.168.1.12">192.168.1.12</a>: ISSUE: authtime 1294857027, etypes {rep=18 tkt=18 ses=18}, <a href="mailto:admin@MYCOMPANY.COM">admin@MYCOMPANY.COM</a> for kadmin/<a href="mailto:changepw@MYCOMPANY.COM">changepw@MYCOMPANY.COM</a> Jan 12 13:30:39 <a href="http://ipaserver.mycompany.com">ipaserver.mycompany.com</a> krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) <a href="http://192.168.1.12">192.168.1.12</a>: NEEDED_PREAUTH: kadmin/<a href="mailto:changepw@MYCOMPANY.COM">changepw@MYCOMPANY.COM</a> for krbtgt/<a href="http://MYCOMPANY.COM">MYCOMPANY.COM</a>@<a href="http://UZDOMAIN.CA">UZDOMAIN.CA</a>, Additional pre-authentication required Jan 12 13:30:40 <a href="http://ipaserver.mycompany.com">ipaserver.mycompany.com</a> krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) <a href="http://192.168.1.12">192.168.1.12</a>: ISSUE: authtime 1294857040, etypes {rep=18 tkt=18 ses=18}, kadmin/<a href="mailto:changepw@MYCOMPANY.COM">changepw@MYCOMPANY.COM</a> for krbtgt/<a href="http://MYCOMPANY.COM">MYCOMPANY.COM</a>@<a href="http://UZDOMAIN.CA">UZDOMAIN.CA</a> The server is freeipa-2.0 -beta and O/S is fedora 13 Any help will be greatly appreciated Thanks