heimdal and mit kinit doesn't handle expired credentials
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| heimdal (Debian) |
Fix Released
|
Unknown
|
|||
| heimdal (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| krb5 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Hi.
ubuntu 12.04 i386,amd64
For now kerberos (both - mit and heimdal) kinit doesn't handle expired (or 'must change') passwords. That's a serious regression (lucid is fine) - no integration (pam) into kerberos environments that use password expiration could be done. Tested with heimdal kdc (file and ldap db) and win2008r2 kdc on several machines. This bug stops us from migrating to the next LTS in our environment. Thinking it should be fixed.
Heimdal KDC logs are in the attachment. What I can see in these logs is that lucid heimdal kinit doesn't send REQ-ENC-PA-REP patype while precise kinits send. May this be the reason? If more info is needed please just ask.
How to reproduce:
# apt-get -y install heimdal-kdc
# cat > /etc/krb5.conf
[libdefaults]
default_realm = TEST.LAN
[realms]
TEST.LAN = {
kdc=127.0.0.1
}
# kadmin -l init TEST.LAN
# kadmin -l add test
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:2000-01-01 # Set expiration time to the past
Attributes []:
Policy [default]:
<email address hidden>'s Password:
Verify password - <email address hidden>'s Password:
# apt-get -y install heimdal-clients
# dpkg -l |grep heimdal-clients
ii heimdal-clients 1.6~git20120311
# kinit --version
kinit (Heimdal 1.5.99)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to <email address hidden>
# kinit test
<email address hidden>'s Password:
kinit: krb5_get_
And no asking for changing password.
# apt-get -y install krb5-user
# dpkg -l |grep krb5-user
ii krb5-user 1.10+dfsg~beta1-2 Basic programs to authenticate using MIT Kerberos
# kinit test
Password for <email address hidden>:
kinit: Generic preauthentication failure while getting initial credentials
And no asking for changing password again.
But kpasswd works fine (heimdal & mit):
# kpasswd test
<email address hidden>'s Password:
Your password will expire at Tue Jan 2 02:59:59 2000
New password for <email address hidden>:
Verify password - New password for <email address hidden>:
Success : Password changed
The same time all works fine with ubuntu 10.04 heimdal (1.2) and freebsd 9.0 heimdal (1.1) (kdc is still from ubuntu 12.04), it does change password if it's required.
Thanks.
| urusha (urusha) wrote | #1 |
| tags: | added: expired heimdal kerberos kinit mit password |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in heimdal (Ubuntu): | |
| status: | New → Confirmed |
| Changed in krb5 (Ubuntu): | |
| status: | New → Confirmed |
| urusha (urusha) wrote | #4 |
| Changed in heimdal (Debian): | |
| status: | Unknown → New |
| Changed in krb5 (Ubuntu): | |
| assignee: | nobody → Alexander Fieroch (fieroch) |
| assignee: | Alexander Fieroch (fieroch) → nobody |
| Olivier Diotte (vhann3000) wrote | #5 |
| Olivier Diotte (vhann3000) wrote | #6 |
| urusha (urusha) wrote | #7 |
| Changed in krb5 (Ubuntu): | |
| status: | Confirmed → Fix Released |
| Changed in heimdal (Debian): | |
| status: | New → Confirmed |
| Changed in heimdal (Debian): | |
| status: | Confirmed → Fix Released |
| Nish Aravamudan (nacc) wrote | #8 |
| Changed in heimdal (Ubuntu): | |
| status: | Confirmed → Fix Released |
| Nish Aravamudan (nacc) wrote | #9 |
Status changed to 'Confirmed' because the bug affects multiple users.