Can't change kerberos password

Bug #715765 reported by Thomas Schweikle
This bug affects 2 people
Affects: krb5 (Ubuntu)
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

$ kpasswd
Password for <email address hidden>:
Enter new password:
Enter it again:
Server error: Failed decrypting request

Trying with passwd:
$ passwd
Ändern des Passworts für user.
(aktuelles) UNIX-Passwort:
passwd: Fehler beim Ändern des Authentifizierungstoken
passwd: password unchanged

It is impossible to change the password. /etc/krb5.conf:
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = false
        dns_lookup_realm = false
        kdc_timesync = 1
        ccache_type = 4
        no-addresses = true
        forwardable = true
        proxiable = true

[realms]
        EXAMPLE.COM = {
                kdc = 192.168.1.4
                admin_server = 192.168.1.4
                default_domain = example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        default = FILE:/var/log/kerberos/krb5lib.log

I am handed a TGT on logging in:
$ klist -f5
Ticket cache: FILE:/tmp/krb5cc_2023
Default principal: <email address hidden>

Valid starting Expires Service principal
02/07/11 14:49:30 02/08/11 00:49:30 <email address hidden>
        renew until 02/08/11 14:49:31, Flags: FPRIA
02/07/11 18:28:29 02/08/11 00:49:30 <email address hidden>
        renew until 02/08/11 14:49:31, Flags: FPRAT
$

I can call kadmin:
$ kadmin
Authenticating as principal <email address hidden> with password.
Password for <email address hidden>:
kadmin:

It is no problem to change the password then.
None of the hosts has IPv6 addresses. They're all on IPv4.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: krb5-user 1.8.1+dfsg-5ubuntu0.2
Uname: Linux 2.6.36.3 x86_64
Architecture: amd64
Date: Wed Feb 9 14:24:46 2011
ProcEnviron:
 PATH=(custom, user)
 LANG=de_DE.utf8
 SHELL=/bin/bash
SourcePackage: krb5

Thomas Schweikle (tps) wrote :
Scott Moser (smoser) wrote :

Hi,
  A couple questions that might help a developer look at this:
a.) Do you know if this occurs only on 10.10, or have you seen it on other Ubuntu releases, or do you know that it was not a problem on another Ubuntu release?
b.) Do you know if this is a problem with other Linux clients?
c.) Have you tried using upstream?

Changed in krb5 (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Russ Allbery (rra-debian) wrote : Re: Can't change kerberos password, pam-krb5 try_first_pass also fails

This bug was introduced in MIT Kerberos 1.10. After a failing authentication with preauth required in a particular Kerberos context, all subsequent authentications in that context that require preauth will fail. Upstream has fixed this with commit 25822.

This is a fairly serious issue, blocking not only password change but any other situation where multiple passwords are tried in the same context, such as try_first_pass with PAM modules. You may want to try to fix this before the precise release.

summary: - Can't change kerberos password
+ Can't change kerberos password, pam-krb5 try_first_pass also fails
Changed in krb5 (Ubuntu):
status: Triaged → Confirmed
Russ Allbery (rra-debian) wrote :

Actually, now that I look more at this, this may be an unrelated problem. The problem I encountered was reported upstream as a password change problem, but this may be a slightly different issue. I'll open another bug about the failed second authentication problem.

summary: - Can't change kerberos password, pam-krb5 try_first_pass also fails
+ Can't change kerberos password
Steve Langasek (vorlon) wrote :

Setting this back to 'triaged', which is the more-better bug state in LP.

Changed in krb5 (Ubuntu):
status: Confirmed → Triaged
Russ Allbery (rra-debian) wrote : Re: [Bug 715765] Re: Can't change kerberos password

Steve Langasek <email address hidden> writes:

> Setting this back to 'triaged', which is the more-better bug state in
> LP.

Thanks. I tried to do that but it didn't let me (probably not enough
access bits).

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Andreas Hasenack (ahasenack) wrote :

I tried with xenial (krb5 1.13.2+dfsg-5ubuntu2) and precise (krb5 1.10+dfsg~beta1-2ubuntu0.7) and kpasswd worked in both cases when having the principal created with the preauth flag (it was hinted this could have been the problem).

This is on precise (1.10):
kadmin.local: addprinc +requires_preauth ubuntu
WARNING: no policy specified for ubuntu@PRECISE; defaulting to no policy
Enter password for principal "ubuntu@PRECISE":
Re-enter password for principal "ubuntu@PRECISE":
Principal "ubuntu@PRECISE" created.

Client (also precise, 1.10):
ubuntu@precise-krb5-client:~$ kinit
Password for ubuntu@PRECISE:

ubuntu@precise-krb5-client:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@PRECISE

Valid starting Expires Service principal
01/05/2017 19:22 02/05/2017 05:22 krbtgt/PRECISE@PRECISE
 renew until 02/05/2017 19:22

ubuntu@precise-krb5-client:~$ kpasswd
Password for ubuntu@PRECISE:
Enter new password:
Enter it again:
Password changed.

ubuntu@precise-krb5-client:~$ klist -f5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@PRECISE

Valid starting Expires Service principal
01/05/2017 19:22 02/05/2017 05:22 krbtgt/PRECISE@PRECISE
 renew until 02/05/2017 19:22, Flags: FPRIA

Server log:
May 1 19:22:19 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: NEEDED_PREAUTH: ubuntu@PRECISE for krbtgt/PRECISE@PRECISE, Additional pre-authentication required
May 1 19:22:20 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: ISSUE: authtime 1493666540, etypes {rep=18 tkt=18 ses=18}, ubuntu@PRECISE for krbtgt/PRECISE@PRECISE
May 1 19:22:25 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: NEEDED_PREAUTH: ubuntu@PRECISE for kadmin/changepw@PRECISE, Additional pre-authentication required
May 1 19:22:27 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: ISSUE: authtime 1493666547, etypes {rep=18 tkt=18 ses=18}, ubuntu@PRECISE for kadmin/changepw@PRECISE
May 1 19:22:33 precise-krb5-server kadmind[5361]: chpw request from 10.0.100.232 for ubuntu@PRECISE: success

This is an old bug, I'll mark it as incomplete so that it expires if there are no further comments.

Changed in krb5 (Ubuntu):
status: Triaged → Incomplete
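
The server log in the comment above shows the stages a working kpasswd run leaves behind: an AS exchange for krbtgt, a second AS exchange for kadmin/changepw, then a kadmind chpw line. The following is an added example, not part of the bug report or of krb5: it parses those quoted lines and reports the last stage a log shows for a principal. The names `trace` and `diagnose` and the cut-off log are constructed for illustration.

```python
import re

# The five krb5kdc/kadmind lines from the server log quoted above.
SERVER_LOG = """\
May 1 19:22:19 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: NEEDED_PREAUTH: ubuntu@PRECISE for krbtgt/PRECISE@PRECISE, Additional pre-authentication required
May 1 19:22:20 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: ISSUE: authtime 1493666540, etypes {rep=18 tkt=18 ses=18}, ubuntu@PRECISE for krbtgt/PRECISE@PRECISE
May 1 19:22:25 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: NEEDED_PREAUTH: ubuntu@PRECISE for kadmin/changepw@PRECISE, Additional pre-authentication required
May 1 19:22:27 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: ISSUE: authtime 1493666547, etypes {rep=18 tkt=18 ses=18}, ubuntu@PRECISE for kadmin/changepw@PRECISE
May 1 19:22:33 precise-krb5-server kadmind[5361]: chpw request from 10.0.100.232 for ubuntu@PRECISE: success
"""
# Constructed variant: the same log cut off before the kadmind line.
NO_CHPW_LOG = "\n".join(SERVER_LOG.splitlines()[:4])

AS_REQ = re.compile(
    r"krb5kdc\[\d+\]: AS_REQ \(.*?\) (\S+): (\w+): (?:.*, )?(\S+) for ([^\s,]+)")
CHPW = re.compile(r"kadmind\[\d+\]: chpw request from (\S+) for (\S+): (.*)$")

def trace(log):
    """Return {principal: [(stage, status), ...]} in log order."""
    events = {}
    for line in log.splitlines():
        m = AS_REQ.search(line)
        if m:
            _ip, status, principal, service = m.groups()
            # kpasswd requests an initial ticket for kadmin/changepw,
            # separate from the krbtgt obtained by kinit.
            if service.startswith("krbtgt/"):
                stage = "tgt"
            elif service.startswith("kadmin/changepw@"):
                stage = "changepw"
            else:
                stage = "other"
            events.setdefault(principal, []).append((stage, status))
            continue
        m = CHPW.search(line)
        if m:
            _ip, principal, result = m.groups()
            events.setdefault(principal, []).append(("chpw", result))
    return events

def diagnose(log, principal):
    """Name the last stage of the kpasswd flow that the log shows."""
    events = trace(log).get(principal, [])
    if ("changepw", "ISSUE") not in events:
        return "no-changepw-ticket"
    results = [status for stage, status in events if stage == "chpw"]
    if not results:
        return "ticket-issued-no-chpw-line"
    return "chpw: " + results[-1]
```
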
Launchpad Janitor (janitor) wrote :

[Expired for krb5 (Ubuntu) because there has been no activity for 60 days.]

Changed in krb5 (Ubuntu):
status: Incomplete → Expired