Ubuntu Servers :: CANNOT Change Password, Kerberos + LDAP?
Jul 29, 2010
I have installed servers(10.04 LTS Server) with Kerberos + LDAP, now I can ssh to all those servers and login with kerberos principle. But when I want to change password, I got such error:
Code:
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Password change rejected: Password not changed.
Kerberos database constraints violated while trying to change password.
passwd: Authentication token manipulation error
passwd: password unchanged
I have search this issue but cannot any useful information. Would someone give me a direction?
View 1 Replies
ADVERTISEMENT
Feb 7, 2011
I've currently got Ubuntu server configured so that clients can login using LDAP user accounts that I've created using ldapadduser (from the ldapscripts package).
I've also got NFS exports working so that /home can be exported to clients. Kerberos authentication is enabled for NFS and clients require a nfs/clienthostname.domain principal to be able to mount the NFS share.
However, I now realise that for LDAP users to be able to access the mount they need their own Kerberos principal. If I run kinit dan@DANBISHOP.ORG then I can access /home/dan as user dan otherwise I get permission denied.
My question then is how best to proceed... is there a way to configure the client/server so that once a client has mounted the nfs share using Kerberos, all users can access it without their own principal?
It seems more usual to create kerberos principles for all users, but then how does one manage users? Using ldapscripts is very easy, but if the admin then has to manually create kerberos principals everytime, it could become very tedious. Furthermore how do users change their password if kerberos is used for authentication?
View 1 Replies
View Related
Apr 21, 2010
I setup openldap and samba on 9.10. The ubuntu desktop client gets authenticated successfully with the server. But when I do a passwd on the client, only the ldap passwd is getting changed but not in the samba and the unix user account.
My smb.conf
Code:
passdb backend = ldapsam:ldap://192.168.3.100
ldap suffix = dc=example,dc=local
ldap user suffix = ou=People
ldap group suffix = ou=Groups
[code].....
But only the ldap password is getting changed and not in the samba and unix user account.
I tried
unix password sync = yes
but same result.
View 1 Replies
View Related
Apr 13, 2011
I have a problem with my fedora workstation.I am trying to change my ldap user password through passwd command.When I first create the user on ldap server, I use md5 and create the user password.This is the entry:
Code:
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
[code]....
View 3 Replies
View Related
Aug 12, 2010
I have configured Ldap Server in CentOS 5.4 & it's working fine, the problem is when I create a ldapuser from server the user can login in client machine but the user has no rights to change the password. How to rectify this by using commands.
View 2 Replies
View Related
May 12, 2011
I am using CentOS 5.6 and recently, well since I updated to 5.6 when I login through ssh/telnet I am prompted to change the password of any account which is my LDAP directory. Local accounts are unaffected. I haven't tried the console as this server is tucked away in a tiny room. This is really annoying because I don't want to run password expiry on that server and I'm sure that there's nothing in LDAP to indicate password expiry is on. My shadowmax is 9999 by default for every account..which is over 27 years I think. It's only started recently. I'd like to know how I can turn the expiry message off. I'd like to get rid of cracklib as well.
my etc/pam.d/sshd is
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
View 6 Replies
View Related
Jun 5, 2009
I have configured LDAP Server on RHEL 5.2 successfully and client can login to the server. But I do no how a client can change its LDAP password on his client machine.
View 5 Replies
View Related
Jul 7, 2010
I need to host a user directory and home directors on a Ubuntu 10.04 box. I've installed openLDAP and I can connect a mac to it. how to install the mac schema or add users etc to it. I can view the directory in Workgroup Manager on Mac OS X Server but I also dont know how to set the admin username or password.
View 5 Replies
View Related
Apr 21, 2011
I am integrating my Unix box to the Windows AD using PAM_LDAP and Kerberos enabled. I was wondering, since Kerberos is enabled is there any point to enable SSL on my LDAP.conf? My understanding is that since Kerberos is enabled, therefore the username/password is sent securely there isn't any benefit of enabling SSL on the LDAP.conf? It's one of or another.
View 1 Replies
View Related
Apr 21, 2011
I am confused with the concept of Kerberos and LDAP SSL. I am in the midst of integrating my Unix box with the Active Directory hence the use of PAM_LDAP method. I understand that since it's non-secure transmission hence We use Kerberos to authenticate. If we already used kerberos to authenticate i.e. it means that the username/password is not transmitted in clear text. Why we still need LDAP SSL? What is the benefit?
View 3 Replies
View Related
May 26, 2011
In the OpenSUSE documentation I red this very exciting chapter Chapter 6. Network Authentication with Kerberos That mentions "Using LDAP and Kerberos" which combined with NFSv4 would give my office net functionality of a M$ Win network.
We are still on 11.2 (we have no win clients at all) and I was testing different setups of 11.4 in VM, but I can't get YaST to configure the LDAP with Kerberos setup (our current setup does not use Kerberos only LDAP). Unfortunately I could not find any meaningful HOWTO on how to do it in SuSE. The page in docs involves editing config files, but I would like to avoid this, because from my former experience with Samba, as it would mean I cannot use yast anymore and that is sad.
Is there a way to configure LDAP + Kerberos (in terms of issuing of krb tickets at login) with YaST?
PS: I basically need Kerberos for NFS and Intranet site.
View 5 Replies
View Related
Jul 27, 2011
I am interested learning about networks in Linux and prefer to use Ubuntu. I hope the title is reflects what I really need to know. If not sorry about that.I have an requirement, it is to have a server to handle authenticaition of users so generally users can use that server to use specific services such as login (to linux), mail (postfix) and perhaps a file server (to hold user data, lets say what we have on /home/[username])I did some reading, and it looks like I will need LDAP and Kerberos. But I couldn't get a good understanding on how to practically deploy such a service.I would be obliged if some you guys can give me some guidelines on how to achieve my goal. Topics I need to read, books I could refer would be a plus.To tell you some thing about me, I am not a *NIX guy, my knowledge is kinda just above basic.
View 1 Replies
View Related
Feb 10, 2010
I maintain a samba PDC for a small business, our current setup does not work very well; on a hardware upgrade I directled imported the old ldap database and attempting to add machines to the domain causes all sorts of trouble.
I'm 95% sure the original database (which predates my employment) was created using the idealx smb-ldap tools, unfortunately on our current platform (debian lenny) these tools seem to be broken; the only things hey seem to do reliably are set passwords and add posix users, asking them to do anything involving samba/windows causes errors. The idealx tools seem to be abandoned, and I don't know enough perl to try and fix them.
Since the idealx scripts seem to be abandoned, and most of the good samba+ldap how-tos references the idealx tools, I was wondering what people use nowadays to manage there ldap directories; surely they aren't importing .ldif files to add new users/machines like I've been doing. Are people just writing thier own management scripts/web-apps? Or are the smb=ldap tools just broke on debian?how to generate the NT/LM password hashes and proper SIDs, does anybody have anything they could point me to about this?
View 1 Replies
View Related
Jan 20, 2010
I've got 8.10 of Ubuntu and currently running openLDAP and have SAMBA domain using this along with the PAM changes on all machines to authenticate the logins.Now I've got a situation where I need to change the organization it currently is dc=mycomp, dc=local and I need to change the "local" part.
I thought that I could slapcat it out then change all dc=local to dc=blech and then reload the LDAP database. Then go around and change all the ldap configuration points to match.I don't think its as simple as change the base dn and everything below that will update.
View 1 Replies
View Related
Mar 15, 2011
I recently set up a LDAP server, and have a server using it to authenticate users.
That works completely, but when a user tries to use passwd to change his password this happens.
Code:
And this is in /var/log/auth.log
Code:
View 1 Replies
View Related
May 21, 2010
I've setup an openldap server, and am trying to add .ldif files to the database.
I am constantly getting the following error, no matter what I do:
View 18 Replies
View Related
Apr 23, 2011
we're running an Ubuntu 10.04 LTS network on our company, authenticating against an Openldap/heimdal-kerberos server.Previously, the clients were authenticating against a Windows 2003 Domain without any problems.After modifying the krb.conf, ldap.conf, nsswitch.conf and nscd.conf files to authenticate the machines against the openldap/heimdal setup, we started experiencing strange problems.
One issue is, for example, the polkit-agent-gnome not starting. This component integrates policykit into gnome. It looks like the agent is unable to start due to some kind of delay with DBUS. Starting the agent manually keeps giving errors until about 70 seconds after login, when the agent can be started without problems. During the delay it is also impossible, for instance, to open the "shut down" menu on the top right of gnome. You can click on the menu, but nothing appears.Trying to start the polkit-agent manually gives these errors (I'll be attaching detailed errors when at work!):
Code:
DBus error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken
GLIB ERROR ** default - Not enough memory to set up DBusConnection for use with GLib It really looks like DBus or something related to it is starting "too late" but I can't seem to find the reason. I'm pretty sure this has to do with some timings or whatever in the krb/ldap config files...
View 3 Replies
View Related
Dec 10, 2009
I wish to setup a network that works like windows but for with lunix of course!. It will need to be able to handle security/DNS/DHCP & Document store from one location. I've been doing some reading and have found that I think I need to be using one of the following:
LDAP
NIS
Kerberos
I have looked at a few Linux based OS's. I did notice that when you install fedora live desktop it gives you the option to connect to one of the above. So I am looking for a complete solution.
1. How to setup fedora to act as server for my needs (or other Linux build)
2. Add fedora/linux mint machines to server to use new security settings. (or other linux build)
View 3 Replies
View Related
Feb 19, 2010
I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.
1. When i create the users in OpenLDAP i use a template that i created by reading documentation from the Internet. In the template one piece of information that is neede is the UID. Is there any clever way the keep track of the numbers so i do not assign the same UID to two users, besides using a pen and paper?
2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is is possible to replace client with something genric so i do not need to mange these keytab files between the hosts?
3. Users will be logging on the the server on the edge of LAN by using SSH keys. How can i configure the setup so the users will recieve a ticket automatically when the logon without executing kinit and without entering a password, just by having a valid SSH key?
4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?
View 2 Replies
View Related
Aug 5, 2011
We have an employee that left our place of business on bad terms and his computer has been locked out since. The comp runs Ubuntu 10.10.
We have followed the regular password reset methods online but the Kerberos password seems to be getting in the way. We have no idea was this password is and it seems impossible to work around. Does anybody know a way?
Were were about to gain access as the root user but cannot access other user accounts as the root user.
View 1 Replies
View Related
May 13, 2011
I'm trying to login to a server using gssapi-with-mic authentication against one of my school's machines that supports this mode of authentication. I have these kerberos packages installed:
batrick@menzoberranzan:~$ dpkg -l | grep krb
ii krb5-config 2.2 Configuration files for Kerberos Version 5
[code]....
View 1 Replies
View Related
Aug 3, 2010
I just took a job and the admin password for the AFS is missing. How do I find/reset this password? I have the root password for the machine it is installed on.
View 4 Replies
View Related
Jun 8, 2011
I have set up my KDC and telnet in the same server.
I am trying to telnet from a local PC . This is the output I am getting ..
[sudip@kdcclient root]$ telnet -a -F -x kdc
Trying 192.168.1.3...
Connected to kdc.example.local (192.168.1.3).
Escape character is '^]'.
[Code]....
So why it is asking for password ? What I am missing here ?
View 3 Replies
View Related
Jan 15, 2010
I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has ben configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.
My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.
The setup is working fine as long as I connect to the primary server using its hostname:
peter@client01:~$ ssh nana
<connection goes through seamlessly without prompting>
peter@nana:~$
If I try to connect via a DNS alias (actually a second CNAME record), I get:
peter@client01:~$ ssh git1
peter@git1's password:
<connection completes>
peter@nana:~$
I need both passwordless auth and the DNS alias working, as it's internal policy that user connections are only ever made to service names, not real hostnames.
I have tried adding a second host principal to Kerberos for the alias (git1.darling.local) in addition to the host principal for the hostname (nana.darling.local).
If I turn off PasswordAuthentication in sshd_config, then "ssh git1" doesn't even fall through to passwords; it just denies logins. So it looks like it's not even using GSSAPI for the DNS alias.
So:
1) Is what I want even possible? I can't find anything that indicates that there's anything odd about DNS aliases such that this should happen.
2) Which config files should I post to help debug this? There's a lot and I didn't want to start blarfing them here if they aren't helpful.
View 1 Replies
View Related
Oct 15, 2010
I am running ubuntu 10.04 64 bit with Centos Directory Server centralizedauthentication tool. I can log in just fine with my ubuntu client, however when go to my Directory Server and tell it to require a password change on reset for any of my users, the ubuntu client doesn't require the user to reset their password. the reason I need this to work is so I can reset a users password from the Directory server and then have it use what I set it to for their next login attempt but then require them to set their own password. After days of searching I have only found out that it can be done by setting the option in Directory Server but Ubuntu 10.04 seems to just ignore the option. I am using the libnss-ldapd and libpam-ldapd packages on the Ubuntu client because the libnss-ldap and libpam-ldap didn't work at all, what am I missing?
View 1 Replies
View Related
Jul 20, 2010
How to change pass all user VSFTPD via ftp client, web, ...? Gene6FTP could change by command: site pswd oldpass newpass. So, how can vsftpd do it?
View 3 Replies
View Related
Dec 29, 2010
i have 2 machines:
first machine: Samba
second machine: LDAP + Kerberos
I found to many tutorials that samba is installed on the same machine as LDAP + Kerberos. is there like a tutorial how samba can be integrated with kerberos from different machine?
View 1 Replies
View Related
Apr 6, 2010
I can't open 754/tcp por for kerberos propagation, the service is krb_prop.The file /etc/xinetd.conf:
Code:
defaults
{
[code]....
View 3 Replies
View Related
Dec 25, 2010
I am having trouble with setting up BIND9 for 6 virtual servers that use ubuntu x64 v10.10. I have main server running ubuntu as well. host name is xeonserver I would like to explain my setup first.
my router ip: 192.168.1.1/24 host server for VMs ip: 192.168.1.2/24 Then on qemu my virtual machines are in 10.0.0.0/24 network, gateway to my router is 10.0.0.1
1. kerberos.xeonserver (not configured yet) 10.0.0.2
2. dns.xeonserver (the one I have trouble with) 10.0.0.3
3. mysql.xeonserver (not configured yet) 10.0.0.4
4. apache.xeonserver (not configured yet) 10.0.0.5
5. ftp.xeonserver (not configured yet) 10.0.0.6
6. mail.xeonserver (not configured yet) 10.0.0.7
To configure it I followed instructions found on [URL]
[Code]...
View 1 Replies
View Related
Jan 8, 2010
hello i am trying to change my password, but when i type in the new password i get this:"The password is longer than 8 characters. On some systems, this can cause problems. You can truncate the password to 8 characters, or leave it as it is."my question is what kind of problem could i get and how can i change so i have to log in every time i start the computer?
View 9 Replies
View Related
