Re: [Freeipa-users] Change Password problems (Unsupported Version)
On 28/09/2011, at 12:27 AM, Nalin Dahyabhai wrote:

> > Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:
> >
> > Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
> > Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
> > Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded
>
> Are the users who can change their passwords using different client software (specifically, versions of Kerberos, which supplies the kpasswd command) compared to the users who can't?

The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can log in and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it before logging in (i.e., they get the 'your password has expired, reset it now' etc.).

I updated the kerberos libraries/tools on the CentOS 6.0 box using the Continuous Release repository, and then edited the ldap configuration to get around https://bugzilla.redhat.com/show_bug.cgi?format=multipleid=713525 and users can now reset their passwords on that box during login and on the shell (kpasswd). I'm not sure which of these actually fixed the problem (if any).

I'll continue to keep an eye on it for now. It may be as you say, a version difference, although I'm unaware of any large differences in versions between the machines. Is Kerberos very sensitive to version changes?

> If you can get a packet capture of a client request, we can examine the first few bytes to check what's triggering the failure.

tcpdump says it's a V5 packet. I have captured the entire login/reset failure and can email it to you directly if you wish.

Thanks,
Raal

ZettaServe Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this email by mistake and delete this email from your system. Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. ZettaServe Pty Ltd accepts no liability for any damage caused by any virus transmitted by this email.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Change Password problems (Unsupported Version)
On Wed, Sep 28, 2011 at 02:49:02PM +0800, Goff, Raal wrote:

> The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can log in and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it before logging in (i.e., they get the 'your password has expired, reset it now' etc.).
>
> I updated the kerberos libraries/tools on the CentOS 6.0 box using the Continuous Release repository, and then edited the ldap configuration to get around https://bugzilla.redhat.com/show_bug.cgi?format=multipleid=713525 and users can now reset their passwords on that box during login and on the shell (kpasswd). I'm not sure which of these actually fixed the problem (if any).

Ah, somehow I'd missed that you were running 6.0. If your client systems are using pam_krb5 instead of SSSD, then you're likely hitting https://bugzilla.redhat.com/show_bug.cgi?id=690583, which was fixed in 6.1.

> I'll continue to keep an eye on it for now. It may be as you say, a version difference, although I'm unaware of any large differences in versions between the machines. Is Kerberos very sensitive to version changes?

It's not supposed to be, and usually isn't. Barring bugs, of course.

> > If you can get a packet capture of a client request, we can examine the first few bytes to check what's triggering the failure.
>
> tcpdump says it's a V5 packet. I have captured the entire login/reset failure and can email it to you directly if you wish.

Sure. The first four bytes encode the message length (the first two bytes) and the protocol version number (the next two), so just that part should actually be enough to verify.

HTH,
Nalin
Re: [Freeipa-users] Change Password problems (Unsupported Version)
On Wed, Sep 28, 2011 at 01:59:36PM -0400, Nalin Dahyabhai wrote:

> On Wed, Sep 28, 2011 at 02:49:02PM +0800, Goff, Raal wrote:
> > The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can log in and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it before logging in (i.e., they get the 'your password has expired, reset it now' etc.).
> >
> > I updated the kerberos libraries/tools on the CentOS 6.0 box using the Continuous Release repository, and then edited the ldap configuration to get around https://bugzilla.redhat.com/show_bug.cgi?format=multipleid=713525 and users can now reset their passwords on that box during login and on the shell (kpasswd). I'm not sure which of these actually fixed the problem (if any).
>
> Ah, somehow I'd missed that you were running 6.0. If your client systems are using pam_krb5 instead of SSSD, then you're likely hitting https://bugzilla.redhat.com/show_bug.cgi?id=690583, which was fixed in 6.1.

He said he was updating the passwords with kpasswd, which should bypass the PAM stack and talk to the kpasswd daemon directly, right?
Re: [Freeipa-users] Change Password problems (Unsupported Version)
On Wed, Sep 28, 2011 at 09:38:33PM +0200, Jakub Hrozek wrote:

> He said he was updating the passwords with kpasswd, which should bypass the PAM stack and talk to the kpasswd daemon directly, right?

The users who can change their passwords can log in and do so with kpasswd, but the ones who can't change their passwords can't log in to run kpasswd because the login-time password change (which goes through PAM) is failing. I expect that users who attempt to change their passwords with the passwd command are also triggering the same bug.

Nalin
[Freeipa-users] Change Password problems (Unsupported Version)
Hi,

My IPA 2.0 master-slave setup has been working fine up until this week, when users started getting problems updating their password due to expiry. Users get the following error when using kpasswd to update their passwords:

kinit: krb5_get_init_creds: Unable to reach any changepw server in realm EXAMPLE.COM

The only error I seem to find in the logs is unhelpful:

Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version
Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version

Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:

Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded

It looks like 'Unsupported version' is a reference to 'krb5_kdb_bad_version: Unsupported version in database entry' in the kerberos software, but I can't find any more information regarding it. Has anyone come across this before? Is there any way to recover from it?

Regards,
-R
Re: [Freeipa-users] Change Password problems (Unsupported Version)
On Tue, Sep 27, 2011 at 03:24:24PM +0800, Goff, Raal wrote:

> My IPA 2.0 master-slave setup has been working fine up until this week, when users started getting problems updating their password due to expiry. Users get the following error when using kpasswd to update their passwords:
>
> kinit: krb5_get_init_creds: Unable to reach any changepw server in realm EXAMPLE.COM
>
> The only error I seem to find in the logs is unhelpful:
>
> Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version
> Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version

Those correlate - the ipa_kpasswd daemon logs these messages when it sees a password-change request with an internal version number that doesn't match the version of the protocol that it handles. The client gets no reply, and because it's connectionless, it assumes that it was not able to contact a server.

> Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:
>
> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded

Are the users who can change their passwords using different client software (specifically, versions of Kerberos, which supplies the kpasswd command) compared to the users who can't?

If you can get a packet capture of a client request, we can examine the first few bytes to check what's triggering the failure.

HTH,
Nalin
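As an added example (not code from this thread, FreeIPA or MIT Kerberos), here is a small Python decoder for the header Nalin describes in this reply and in his later one: message length, then protocol version number, then the AP-REQ length, as laid out in RFC 3244. Running it over the first bytes of a captured kpasswd datagram shows whether the version field is one ipa_kpasswd would accept or one that produces the "Unsupported version" log line; the sample packets below are constructed, with placeholder bytes standing in for the real AP-REQ and KRB-PRIV bodies.

```python
import struct

# Protocol version numbers defined by RFC 3244 for the kpasswd wire protocol.
CHANGEPW_VERSION = 0x0001  # classic "change password" request
SETPW_VERSION = 0xFF80     # RFC 3244 "set password" request


def parse_kpasswd_header(packet: bytes) -> dict:
    """Decode the leading fields of a kpasswd request carried in one UDP datagram.

    Layout (big-endian):
      bytes 0-1  message length (whole message, header included)
      bytes 2-3  protocol version number
      bytes 4-5  AP-REQ length
      bytes 6-   AP-REQ, followed by KRB-PRIV
    'verdict' says whether the request would get past the version check,
    which is the check behind the "Unsupported version" log line.
    """
    if len(packet) < 6:
        return {"kind": "unknown", "verdict": "truncated header (< 6 bytes)"}
    msg_len, version, ap_req_len = struct.unpack("!HHH", packet[:6])
    info = {"msg_len": msg_len, "version": version, "ap_req_len": ap_req_len}
    if version == CHANGEPW_VERSION:
        info["kind"] = "change-password"
    elif version == SETPW_VERSION:
        info["kind"] = "set-password"
    else:
        info["kind"] = "unknown"
        info["verdict"] = f"unsupported version 0x{version:04x}"
        return info
    if msg_len != len(packet):
        info["verdict"] = f"length field {msg_len} != datagram size {len(packet)}"
    elif 6 + ap_req_len > msg_len:
        info["verdict"] = "AP-REQ length overruns message"
    else:
        info["verdict"] = "ok"
    return info


def build_request(version: int, ap_req: bytes, krb_priv: bytes) -> bytes:
    """Frame a request the way a kpasswd client does (used here to build samples)."""
    body = ap_req + krb_priv
    return struct.pack("!HHH", 6 + len(body), version, len(ap_req)) + body

# Constructed samples: the AP-REQ and KRB-PRIV bodies are placeholder bytes,
# not real Kerberos ASN.1, since only the 6-byte header is inspected here.
GOOD_REQUEST = build_request(CHANGEPW_VERSION, b"\x6e\x02\x00\x00", b"\x75\x02\x00\x00")
BAD_VERSION_REQUEST = build_request(0x0000, b"\x6e\x02\x00\x00", b"\x75\x02\x00\x00")
```

Feed it the first bytes of the datagram sent to UDP port 464 from a capture; a version other than 0x0001 or 0xff80 in bytes 2-3 is the case the daemon drops without replying, which is why the client reports that no changepw server could be reached.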