On 28/09/2011, at 12:27 AM, Nalin Dahyabhai wrote:
>> Additionally, it seems some users can reset their passwords, but the error
>> still appears in the logs, and on the client software:
>> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
>> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
>> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded
>
> Are the users who can change their passwords using different client
> software (specifically, versions of Kerberos, which supplies the kpasswd
> command) compared to the users who can't?

The only difference I know about is that the users who CAN change their
passwords have not got an expired password (so they can log in and use kpasswd
from the shell), whereas those who CANNOT change their password need to reset
it before logging in (i.e., they get the 'your password has expired, reset it
now' etc. etc.). I updated the Kerberos libraries/tools on the CentOS 6.0 box
using the Continuous Release repository, and then edited the LDAP configuration
to get around
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and users
can now reset their passwords on that box during login and on the shell
(kpasswd). I'm not sure which of these actually fixed the problem (if any).
I'll continue to keep an eye on it for now. It may be as you say, a version
difference, although I'm unaware of any large differences in versions between
the machines. Is Kerberos very sensitive to version changes?

> If you can get a packet capture of a client request, we can examine the
> first few bytes to check what's triggering the failure.

tcpdump says it's a V5 packet. I have captured the entire login/reset failure
and can email it to you directly if you wish.
Thanks,
Raal
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
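
The "first few bytes" of a kpasswd request mentioned in the thread are a 6-byte header (message length, protocol version, AP-REQ length, as framed in RFC 3244). The following is an added example, not code from the thread or from FreeIPA, that decodes that header and sanity-checks the framing. It assumes the input is the UDP payload of a packet sent to port 464; the function names are hypothetical and the sample bytes are constructed placeholders, not a real capture.

```python
import struct

# Version field values: 0x0001 is the original change-password protocol,
# 0xff80 is the set/change-password protocol of RFC 3244.
VERSIONS = {0x0001: "change-password v1", 0xFF80: "set/change-password (RFC 3244)"}
AP_REQ_TAG = 0x6E    # ASN.1 [APPLICATION 14], first byte of an AP-REQ
KRB_PRIV_TAG = 0x75  # ASN.1 [APPLICATION 21], first byte of a KRB-PRIV


def parse_kpasswd_request(payload: bytes) -> dict:
    """Decode the 6-byte header of a kpasswd request (assumed UDP payload)."""
    if len(payload) < 6:
        return {"problems": ["truncated: header needs 6 bytes"]}
    problems = []
    # Three big-endian 16-bit fields: total length, version, AP-REQ length.
    msg_len, version, ap_len = struct.unpack("!HHH", payload[:6])
    if version not in VERSIONS:
        problems.append(f"unknown protocol version 0x{version:04x}")
    if msg_len != len(payload):
        problems.append(f"length field {msg_len} != payload size {len(payload)}")
    body = payload[6:]
    if ap_len == 0:
        problems.append("AP-REQ length 0: not a valid request (zero marks an error reply)")
    elif ap_len >= len(body):
        problems.append("AP-REQ length leaves no room for KRB-PRIV")
    else:
        if body[0] != AP_REQ_TAG:
            problems.append(f"AP-REQ tag 0x{body[0]:02x}, expected 0x6e")
        if body[ap_len] != KRB_PRIV_TAG:
            problems.append(f"KRB-PRIV tag 0x{body[ap_len]:02x}, expected 0x75")
    return {"msg_len": msg_len, "version": version,
            "version_name": VERSIONS.get(version, "unknown"),
            "ap_req_len": ap_len, "problems": problems}


def build_sample(version: int) -> bytes:
    """Constructed sample: correct framing, placeholder (non-Kerberos) bodies."""
    ap_req = bytes([AP_REQ_TAG]) + b"\x00" * 7
    krb_priv = bytes([KRB_PRIV_TAG]) + b"\x00" * 5
    total = 6 + len(ap_req) + len(krb_priv)
    return struct.pack("!HHH", total, version, len(ap_req)) + ap_req + krb_priv


if __name__ == "__main__":
    for v in (0x0001, 0xFF80, 0x0005):  # 0x0005 is a deliberately bogus version
        print(parse_kpasswd_request(build_sample(v)))
```

For a capture taken over TCP, strip the length prefix that precedes the message before passing the bytes in.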