On 06/22/2016 06:26 PM, Simo Sorce wrote:
On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote:
On 10/05/2015 03:00 PM, Martin Babinsky wrote:
These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.
Long time no see.

I am attaching rebased infrastructure patches which were reviewed and
tested by David a year ago :). Now that all related DS bugs were fixed
and the patches still work as expected, we may push them so that the
plumbing for further work (API for alias handling etc.) is in place.


If the patches were all reviewed and tested I say push them.

Simo.


There is one problem remaining, however, that when a user is kinit'ing for the first time using his alias and has to change password, the operation fails:

"""
[root@master1 ~]# kinit -C talias
Password for tal...@ipa.test:
kinit: KDC reply did not match expectations while getting initial credentials

"""

This is the related snippet from KDC log:

"""
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED: tal...@ipa.test for krbtgt/ipa.t...@ipa.test, Password has expired
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: tal...@ipa.test for kadmin/chang...@ipa.test, Additional pre-authentication required
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes {rep=18 tkt=18 ses=18}, tal...@ipa.test for kadmin/chang...@ipa.test
Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12

"""

Here is the same command repeated with captured libkrb5 trace: https://paste.fedoraproject.org/383358/14666131

If I use kinit with the canonical principal everything works as expected, even with '-C' and '-E' options. Subsequent kinits using canonicalization work as expected.

Frankly I have no idea why this happens and I do not know how much this error blocks us. We may need to investigate this before pizza orders arrive.

--
Martin^3 Babinsky
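As an added illustration (not code from the thread or from FreeIPA), here is a small parser for the krb5kdc AS_REQ lines quoted above. It pairs the CLIENT KEY EXPIRED error on the TGT request with the later kadmin/changepw ticket ISSUE for the same client and source IP, so an operator reading the KDC log can tell whether the password-change leg actually completed. The sample lines are copied from the log above, with the principals truncated exactly as they appear there.

```python
import re

# Sample input: the AS_REQ lines quoted in the mail above (principals are
# truncated in the original; the parser does not depend on full names).
SAMPLE_LOG = """\
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED: tal...@ipa.test for krbtgt/ipa.t...@ipa.test, Password has expired
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: tal...@ipa.test for kadmin/chang...@ipa.test, Additional pre-authentication required
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes {rep=18 tkt=18 ses=18}, tal...@ipa.test for kadmin/chang...@ipa.test
Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12
"""

# One AS_REQ line: timestamp, host, etype list, client IP, status word(s), rest.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_ ]+?): (?P<rest>.*)$"
)
# "<client> for <server>" appears in the tail of every status variant.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:,|$)")


def parse_as_req(line):
    """Return a dict for a krb5kdc AS_REQ line, or None for any other line."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    p = PRINCIPALS_RE.search(ev.pop("rest"))
    if not p:
        return None
    ev["client"], ev["server"] = p.group("client"), p.group("server")
    ev["etypes"] = [int(e) for e in ev["etypes"].split()]
    return ev


def find_expired_password_flows(log_text):
    """Pair a CLIENT KEY EXPIRED on a krbtgt request with a later kadmin/
    ticket ISSUE for the same (client, ip).  Returns (completed, pending);
    a key left in `pending` means the password change never got a ticket."""
    pending, completed = {}, []
    for line in log_text.splitlines():
        ev = parse_as_req(line)
        if ev is None:
            continue
        key = (ev["client"], ev["ip"])
        if ev["status"] == "CLIENT KEY EXPIRED" and ev["server"].startswith("krbtgt/"):
            pending[key] = ev["ts"]
        elif ev["status"] == "ISSUE" and ev["server"].startswith("kadmin/") and key in pending:
            completed.append({"client": ev["client"], "ip": ev["ip"],
                              "expired_at": pending.pop(key), "changepw_at": ev["ts"]})
    return completed, pending
```

In the quoted log the changepw ticket is issued, so the failure reported above happens after this point, on the client side when it checks the reply against the requested name.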

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code