Package: heimdal-clients
Version: 1.6~git20120311.dfsg.1-2
Severity: important
Heimdal kerberos kinit doesn't handle expired (or 'must change')
passwords. That's a serious regression - no integration (pam) into
kerberos environments that use password expiration could be done.
Tested against heimdal kdc (file and ldap db) and win2008r2 kdc on
several machines.
Heimdal KDC logs are in the attachment. What I can see in these logs
is that heimdal kinit doesn't send the REQ-ENC-PA-REP patype while precise
kinits send it. Might this be the reason?
The sid version is also affected (1.6~git20120403+dfsg1-1).
How to reproduce:
# apt-get -y install heimdal-kdc
# cat > /etc/krb5.conf
[libdefaults]
default_realm = TEST.LAN
[realms]
TEST.LAN = {
kdc=127.0.0.1
}
^D
# kadmin -l init TEST.LAN
# kadmin -l add test
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:2000-01-01 # Set expiration time to the past
Attributes []:
Policy [default]:
[email protected]'s Password:
Verify password - [email protected]'s Password:
# apt-get -y install heimdal-clients
# kinit --version
kinit (Heimdal 1.5.99)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to [email protected]
# kinit test
[email protected]'s Password:
kinit: krb5_get_init_creds: Password has expired
And it does not ask to change the password.
But kpasswd works fine:
# kpasswd test
[email protected]'s Password:
Your password will expire at Tue Jan 2 02:59:59 2000
New password for [email protected]:
Verify password - New password for [email protected]:
Success : Password changed
Expected results:
kinit should ask for a password change, like Heimdal kinit from Debian
stable (1.4), Ubuntu 10.04 (1.2) and FreeBSD 9.0 (1.1) do:
# kinit test
[email protected]'s Password:
Your password will expire at Tue Jan 2 02:59:59 2000
Changing password
New password:
Repeat new password:
Success : Password changed
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-22-generic (SMP w/8 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages heimdal-clients depends on:
ii krb5-config 2.3
ii libasn1-8-heimdal 1.6~git20120311.dfsg.1-2
ii libc6 2.13-32
ii libedit2 2.11-20080614-3
ii libgssapi3-heimdal 1.6~git20120311.dfsg.1-2
ii libhcrypto4-heimdal 1.6~git20120311.dfsg.1-2
ii libhdb9-heimdal 1.6~git20120311.dfsg.1-2
ii libheimntlm0-heimdal 1.6~git20120311.dfsg.1-2
ii libhx509-5-heimdal 1.6~git20120311.dfsg.1-2
ii libkadm5clnt7-heimdal 1.6~git20120311.dfsg.1-2
ii libkadm5srv8-heimdal 1.6~git20120311.dfsg.1-2
ii libkafs0-heimdal 1.6~git20120311.dfsg.1-2
ii libkrb5-26-heimdal 1.6~git20120311.dfsg.1-2
ii libotp0-heimdal 1.6~git20120311.dfsg.1-2
ii libroken18-heimdal 1.6~git20120311.dfsg.1-2
ii libsl0-heimdal 1.6~git20120311.dfsg.1-2
ii libtinfo5 5.9-7
heimdal-clients recommends no packages.
Versions of packages heimdal-clients suggests:
pn heimdal-docs <none>
pn heimdal-kcm <none>
-- no debconf information
--
Best regards,
Sergey Urushkin
kdc.log
Description: Binary data
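
An added example, not part of the original report or of Heimdal: a shell check that classifies a captured kinit transcript for the expired-password case, so the behaviour reported above can be caught in a package regression test. The function name `classify_kinit`, the sample helpers and the `PRINCIPAL` placeholder are assumptions; the matched strings are the ones shown in the transcripts above.

```shell
#!/bin/sh
# classify_kinit reads a kinit transcript on stdin and prints one of:
#   change-offered  kinit went on to the password-change dialogue
#   regression      kinit stopped at "Password has expired" with no change prompt
#   other           neither pattern seen (wrong password, KDC unreachable, ...)
classify_kinit() {
    awk '
        /Password has expired/                  { expired = 1 }
        /^Changing password/ || /^New password/ { change = 1 }
        /Password changed/                      { change = 1 }
        END {
            if (change)       print "change-offered"
            else if (expired) print "regression"
            else              print "other"
        }'
}

# Constructed sample: the failing transcript from the report,
# with the principal replaced by a placeholder.
sample_broken() {
cat <<'EOF'
PRINCIPAL's Password:
kinit: krb5_get_init_creds: Password has expired
EOF
}

# Constructed sample: the expected transcript from the report (older kinit).
sample_expected() {
cat <<'EOF'
PRINCIPAL's Password:
Your password will expire at Tue Jan 2 02:59:59 2000
Changing password
New password:
Repeat new password:
Success : Password changed
EOF
}

# Show the verdict for both samples.
for s in sample_broken sample_expected; do
    printf '%s: %s\n' "$s" "$($s | classify_kinit)"
done
```

kinit prompts on the terminal, so a real transcript has to be captured under a pseudo-terminal before it is piped into `classify_kinit`.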

