Discussion:
[Freeipa-users] Cannot contact any KDC for requested realm changing password
Robert Marcano
2009-06-23 01:25:20 UTC
This weekend one of our IPA servers was moved from one subnet to a new
one; all IPs, gateways and DNS references (including SRV records and
reverse records) were changed. Since that change we have had this
problem: it is not possible for any user to change their password using
kpasswd (or using kinit for an expired password); the error message is
"Cannot contact any KDC for requested realm changing password", while
everyone can kinit without problems:

[***@ipaserver ~]# kpasswd
Password for ***@MYDOMAIN.COM:
Enter new password:
Enter it again:
kpasswd: Cannot contact any KDC for requested realm changing password

/var/log/krb5kdc.log says (values altered to protect the innocent):

Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH:
***@MYDOMAIN.COM for kadmin/***@MYDOMAIN.COM, Additional
pre-authentication required
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH:
***@MYDOMAIN.COM for kadmin/***@MYDOMAIN.COM, Additional
pre-authentication required
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451,
etypes {rep=18 tkt=18 ses=18}, ***@MYDOMAIN.COM for
kadmin/***@MYDOMAIN.COM
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451,
etypes {rep=18 tkt=18 ses=18}, ***@MYDOMAIN.COM for
kadmin/***@MYDOMAIN.COM

To rule out a firewall problem, we disabled it and tested kpasswd on the
same IPA server. We are running with SELinux permissive to check whether
it is SELinux related. DNS SRV records are being resolved on the IPA
server. We are running FreeIPA 1.2.

This problem looks more Kerberos-related than FreeIPA-related, but I am
running out of ideas about the probable cause.

Any help is really appreciated
--
Robert Marcano
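The krb5kdc.log excerpt above is the KDC half of a password change: kpasswd first obtains a ticket for the kadmin/changepw service (the principal redacted as kadmin/*** in the post), then contacts the kpasswd daemon on port 464. The following parser, an added example that is not part of the thread, reads records in that log format and reports where a given user's change stopped; the log lines it uses are constructed to mirror the post's, with made-up principals and addresses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records in the krb5kdc.log format quoted in the thread,
# each unwrapped onto one line (principals and addresses are made up).
SAMPLE_LOG = """\
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH: alice@MYDOMAIN.COM for kadmin/changepw@MYDOMAIN.COM, Additional pre-authentication required
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1245705451, etypes {rep=18 tkt=18 ses=18}, alice@MYDOMAIN.COM for kadmin/changepw@MYDOMAIN.COM
Jun 22 16:48:02 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.21: PREAUTH_FAILED: bob@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Decrypt integrity check failed
Jun 22 16:48:30 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.22: NEEDED_PREAUTH: carol@MYDOMAIN.COM for kadmin/changepw@MYDOMAIN.COM, Additional pre-authentication required
"""

# One request record: "<ts> <host> krb5kdc[pid](level): AS_REQ (n etypes {...}) <ip>: <STATUS>: [authtime ..., etypes {...}, ]<client> for <server>[, <message>]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"  # present only on ISSUE records
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.*))?$"
)

@dataclass
class KdcEvent:
    ts: str
    req: str
    ip: str
    status: str
    client: str
    server: str
    msg: Optional[str]

def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse request records; lines that are not requests (banners etc.) are skipped."""
    return [KdcEvent(**m.groupdict())
            for m in (LINE_RE.match(line) for line in text.splitlines()) if m]

def diagnose(events: List[KdcEvent], client: str) -> str:
    """Locate where CLIENT's password change stopped. kpasswd first does an AS
    exchange for the kadmin/changepw service, then talks to the kpasswd daemon
    on port 464; an ISSUE for kadmin/... means the KDC half already succeeded."""
    mine = [e for e in events if e.client == client]
    if not mine:
        return "no-requests"        # the client never reached the KDC
    if any(e.status == "ISSUE" and e.server.startswith("kadmin/") for e in mine):
        return "kdc-ok"             # look at the kpasswd service, not the KDC
    if any(e.status == "PREAUTH_FAILED" for e in mine):
        return "bad-credentials"
    return "preauth-incomplete"     # NEEDED_PREAUTH seen, second AS_REQ never came
```

For the user in the post the verdict is "kdc-ok": the KDC issued the kadmin ticket, so the failing step is reaching the kpasswd service after the subnet move, not name resolution of the KDC itself.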
Ismael Puerto
2009-06-23 05:46:14 UTC
Restart the service ipa-kpasswd

Ismael Puerto
Post by Robert Marcano
This weekend one of our IPA servers was moved from one subnet to a new
one; all IPs, gateways and DNS references (including SRV records and
reverse records) were changed. Since that change we have had this
problem: it is not possible for any user to change their password using
kpasswd (or using kinit for an expired password); the error message is
"Cannot contact any KDC for requested realm changing password", while
everyone can kinit without problems:
kpasswd: Cannot contact any KDC for requested realm changing password
/var/log/krb5kdc.log says (values altered to protect the innocent):
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
pre-authentication required
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
pre-authentication required
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451,
Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451,
To rule out a firewall problem, we disabled it and tested kpasswd on the
same IPA server. We are running with SELinux permissive to check whether
it is SELinux related. DNS SRV records are being resolved on the IPA
server. We are running FreeIPA 1.2.
This problem looks more Kerberos-related than FreeIPA-related, but I am
running out of ideas about the probable cause.
Any help is really appreciated
--
Robert Marcano
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
Robert Marcano
2009-06-23 15:58:13 UTC
Post by Robert Marcano
This weekend one of our IPA servers was moved from one subnet to a new
one; all IPs, gateways and DNS references (including SRV records and
reverse records) were changed. Since that change we have had this
problem: it is not possible for any user to change their password using
kpasswd (or using kinit for an expired password); the error message is
"Cannot contact any KDC for requested realm changing password", while
everyone can kinit without problems:
strace tells me that it is contacting the right server (connect API),
so it is not name-resolution related. This problem has the same
behavior as fixed bug 446210:
https://bugzilla.redhat.com/show_bug.cgi?id=446210#c23

The fix was to build against OpenLDAP, but that was for 1.1.x
versions; 1.2.x is not built against OpenLDAP but against mozldap. It
is weird that this problem is triggered after a subnet change while
DNS resolution is working fine.
--
Robert Marcano
Simo Sorce
2009-06-30 13:12:14 UTC
Post by Robert Marcano
Post by Robert Marcano
This weekend one of our IPA servers was moved from one subnet to a new
one; all IPs, gateways and DNS references (including SRV records and
reverse records) were changed. Since that change we have had this
problem: it is not possible for any user to change their password using
kpasswd (or using kinit for an expired password); the error message is
"Cannot contact any KDC for requested realm changing password", while
everyone can kinit without problems:
strace tells me that it is contacting the right server (connect API),
so it is not name-resolution related. This problem has the same
behavior as fixed bug 446210:
https://bugzilla.redhat.com/show_bug.cgi?id=446210#c23
The fix was to build against OpenLDAP, but that was for 1.1.x
versions; 1.2.x is not built against OpenLDAP but against mozldap. It
is weird that this problem is triggered after a subnet change while
DNS resolution is working fine.
Have you changed the server name, by chance?

Simo.
--
Simo Sorce * Red Hat, Inc * New York