Aloha Guys, I’ve got a strange problem. I’ve set up my thin clients to authenticate against my Active Directory using Kerberos. So far so good. Users can log on to my thin clients running IGEL OS. But when a user tries to log on with an account which has “user must change password on next logon” enabled, it fails. The user cannot log on. Our local IGEL tech guy here in the Netherlands tested the same thing in his lab, and he gets a nice “change password” box. Has anyone seen this behaviour?
Aloha! Yes, a couple of times, but it’s difficult to debug such a complex topic without being onsite.
Can you give some more information, like: firmware, AD type / version, the type of failure?
You could use a terminal session (Accessories=>Terminal), log in as root, and test a few things:
kpasswd youruser@yourdomain.nl
enable debug mode: auth.login.krb5_debug
check the /var/log/krb5.log or dmesg | grep krb5
check also the Kerberos ticket lifetime in your group policies and on the profile side:
group policies: technet.microsoft.com/en-us/library/jj852188(v=ws.11).aspx
profile side:
auth.krb5.libdefaults.renew_lifetime
auth.krb5.libdefaults.ticket_lifetime
Some more helpful Kerberos commands:
klist: Display Kerberos tickets
kinit: Active Directory login
Thanks for the reply. After checking the debug logs, I found the problem: the client time and domain controller time were not in sync. There was a difference of 1.5 minutes. I did a time sync and now it's working perfectly. So thanks for pointing me in the right direction.
You are welcome! That's right, thought it was already checked 👍