[Freeipa-users] AIX kerberos client to IPA
Hi,

I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server. The AIX server is configured to use netgroups and all that works for the existing users.

The problem is when a user's password expires or when a new user is created. They cannot change their password:

    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for "testuser"
    testuser's Old password:
    testuser's New password:
    Connection to localhost closed.

The problem seems to be related to not getting a Kerberos ticket, as kinit can be used to change the password.

Logging is enabled but no logs ever get updated:

    [logging]
    kdc = FILE:/var/krb5/log/krb5kdc.log
    admin_server = FILE:/var/krb5/log/kadmin.log
    kadmin_local = FILE:/var/krb5/log/kadmin_local.log
    default = FILE:/var/krb5/log/krb5lib.log

Anybody ever come across this? Or know how to get logging working?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] AIX kerberos client to IPA
I had this issue, but I gave up. I have my users either log into a Linux box to change passwords or use a web-based password reset I set up for them.

When your users log in successfully do they have tickets? That's my situation: they can get tickets once they're logged in, but can't change when prompted at login, nor can they change interactively using passwd.

If you ever figure anything out let me know, but I spent quite a bit of time on it (once I had the workaround I stopped, though. You may be more persistent.)

Good luck,

--Jason

On Wed, Mar 12, 2014 at 4:52 PM, Rob wrote:
> Hi,
>
> I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server.
> The AIX server is configured to use netgroups and all that works for the
> existing users.
>
> The problem is when a user's password expires or when a new user is created.
> They cannot change their password
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for "testuser"
> testuser's Old password:
> testuser's New password:
> Connection to localhost closed.
>
> The problem seems to be related to not getting a Kerberos ticket as kinit
> can be used to change the password.
>
> Logging is enabled but no logs ever get updated
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> default = FILE:/var/krb5/log/krb5lib.log
>
> Anybody ever come across this? Or know how to get logging working?

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] AIX kerberos client to IPA
On 12/03/14 22:52, Rob wrote:
> Hi,
>
> I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server.
> The AIX server is configured to use netgroups and all that works for the
> existing users.
>
> The problem is when a user's password expires or when a new user is created.
> They cannot change their password
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for "testuser"
> testuser's Old password:
> testuser's New password:
> Connection to localhost closed.
>
> The problem seems to be related to not getting a Kerberos ticket as kinit
> can be used to change the password.
>
> Logging is enabled but no logs ever get updated
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
> default = FILE:/var/krb5/log/krb5lib.log
>
> Anybody ever come across this? Or know how to get logging working?

I am not familiar with AIX. Just a quick tip for what we had to do on Solaris to make password changes work - as the issue sounded somewhat familiar... :)

We have to set "kpasswd_protocol = SET_CHANGE" in krb5.conf when used with any "non-Solaris KDC".

Perhaps you have a similar setting for AIX?
Re: [Freeipa-users] AIX kerberos client to IPA
Sigbjorn Lie writes:
> On 12/03/14 22:52, Rob wrote:
>> Hi,
>>
>> I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server.
>> The AIX server is configured to use netgroups and all that works for the
>> existing users.
>>
>> The problem is when a user's password expires or when a new user is created.
>> They cannot change their password
>>
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for "testuser"
>> testuser's Old password:
>> testuser's New password:
>> Connection to localhost closed.
>>
>> The problem seems to be related to not getting a Kerberos ticket as kinit
>> can be used to change the password.
>>
>> Logging is enabled but no logs ever get updated
>>
>> [logging]
>> kdc = FILE:/var/krb5/log/krb5kdc.log
>> admin_server = FILE:/var/krb5/log/kadmin.log
>> kadmin_local = FILE:/var/krb5/log/kadmin_local.log
>> default = FILE:/var/krb5/log/krb5lib.log
>>
>> Anybody ever come across this? Or know how to get logging working?
>
> I am not familiar with AIX. Just a quick tip for what we had to do on
> Solaris to make password changes work - as the issue sounded somewhat
> familiar... :)
>
> We have to set "kpasswd_protocol = SET_CHANGE" in krb5.conf when used with
> any "non-Solaris KDC".
>
> Perhaps you have a similar setting for AIX?

Thanks, I tried that option but it didn't seem to make any difference.

I've a tech call open with IBM and Red Hat so I'm hoping between us we can figure out what the problem is. I'll post here with any solution that I might get.