Re: using kpasswd with ldap db (0.7.2)
There's also an attribute for the specific principal. I think it
takes precedence for 0.7.2.

I had some problems with Solaris kpasswd after a test upgrade from
0.6.3 that went away when I turned off that attribute somewhere. I
think it was the kadmin/changepw principal which wound up with some
strange combination of attributes after the DB reload into 0.7.2.

Anyway, take a look at the attributes of whatever principal is used by
your password change command and make sure they make sense.

On May 31, 2006, at 7:27 AM, Eric Ortego wrote:
> On 5/30/06, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
>> Does disabling pre-auth have any effect?
> How do I disable it?
> I have the same problem with or without the following in my krb5.conf:
>
> [libdefaults]
> require-preauth = no
>
>
>>
>> On May 24, 2006, at 4:12 AM, Love Hörnquist Åstrand wrote:
>>
>> > "Eric Ortego" <ericortego@gmail.com> writes:
>> >
>> >> My directory holds the Kerberos db and was working great until I
>> >> upgraded to 0.7.2.
>> >> What stopped working was kpasswd. I can no longer change a user's
>> >> password with it.
>> >> This is the error I get, which is output twice for each passwd
>> >> change attempt:
>> >>
>> >> [kpasswdd] Changing password for eric@MYDOMAIN.COM
>> >> [kpasswdd] kadm5_s_chpass_principal_cond: ldap_modify_s:
>> >> eric@MYDOMAIN.COM (dn=uid=eric,ou=people,dc=mydomain,dc=com) Type or
>> >> value exists: krb5EncryptionType: value #0 provided more than once
>> >>
>> >> The only way I am able to use kpasswd to update passwords is by first
>> >> deleting the entry for krb5EncryptionType.
>> >>
>> >> Is this a known bug or possibly some configuration option I have
>> >> overlooked that fixes this?
>> >
>> > I think it's a bug somewhere where the krb5EncryptionType is set, but I
>> > can't figure out what it is. If you have time to debug the code, it's in
>> > lib/hdb/hdb-ldap.c:LDAP_entry2mods() where the krb5EncryptionType
>> > is set.
>> >
>> > If you can't find the error, you can just comment out the whole "if
>> > (ent->etypes) { " section in that file.
>> >
>> > Love
>>
>> ------------------------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu