On Wed, 2016-06-22 at 18:36 +0200, Martin Babinsky wrote:
> On 06/22/2016 06:26 PM, Simo Sorce wrote:
> > On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote:
> >> On 10/05/2015 03:00 PM, Martin Babinsky wrote:
> >>> These patches implement the plumbing required to properly support
> >>> canonicalization of Kerberos principals
> >>> (https://fedorahosted.org/freeipa/ticket/3864).
> >>>
> >>> Setting multiple principal aliases on hosts/services is beyond the scope
> >>> of this patchset and should be done after these patches are pushed.
> >>>
> >>> I will try to send some tests for the patches later this week.
> >>>
> >>> Please review the hell out of them.
> >>>
> >>
> >> Long time no see.
> >>
> >> I am attaching rebased infrastructure patches which were reviewed and
> >> tested by David a year ago :). Now that all related DS bugs were fixed
> >> and the patches still work as expected, we may push them so that the
> >> plumbing for further work (API for alias handling etc.) is in place.
> >>
> >
> > If the patches were all reviewed and tested I say push them.
> >
> > Simo.
>
> There is one problem remaining, however, that when a user is kinit'ing
> for the first time using his alias and has to change password, the
> operation fails:
>
> """
> [root@master1 ~]# kinit -C talias
> Password for [email protected]:
> kinit: KDC reply did not match expectations while getting initial
> credentials
> """
>
> This is the related snippet from KDC log:
>
> """
> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes
> {18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED:
> [email protected] for krbtgt/[email protected], Password has expired
> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes
> {18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: [email protected]
> for kadmin/[email protected], Additional pre-authentication required
> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes
> {18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes
> {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12
> """
>
> Here is the same command repeated with captured libkrb5 trace:
> https://paste.fedoraproject.org/383358/14666131
>
> If I use kinit with the canonical principal everything works as
> expected, even with '-C' and '-E' options. Subsequent kinits using
> canonicalization work as expected.
>
> Frankly I have no idea why this happens and I do not know how much this
> error blocks us. We may need to investigate this before pizza orders arrive.
I guess the password changing code is making a request without
canonicalization flags set for the kpasswd service. As you can see the
kpasswd case is special because we are making an AS REQ (not a TGS req)
directly for that service, and that request needs to use canonicalization
as well, it probably isn't.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
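Added illustration of the mechanism Simo is describing; this is not code from the thread, from FreeIPA or from MIT krb5. It models the KDCOptions "canonicalize" bit of a KDC-REQ (bit 15 per RFC 4120 / RFC 6806, the value MIT calls KDC_OPT_CANONICALIZE), a simplified version of the client-side AS-REP check that yields "KDC reply did not match expectations" when the reply carries a different client name than the request and canonicalization was not asked for, and a scan of krb5kdc log lines for the expired-password followed by kadmin/changepw sequence shown in the quoted log. The log lines, the principals talias/tuser and the realm IPA.TEST are constructed placeholders shaped after the snippet above; the reply check is a model of the client's behaviour, not the library's code.

```python
"""Model of the KDC-REQ canonicalize option, the client's AS-REP name
check and a krb5kdc log scan (added illustration, not FreeIPA/MIT code)."""
import re

# KDCOptions bit positions from RFC 4120 section 5.4.1 (bit 0 is the most
# significant bit of the 32-bit word); "canonicalize" is bit 15 per
# RFC 6806, i.e. 0x00010000, the value MIT names KDC_OPT_CANONICALIZE.
KDC_OPTION_BITS = {
    "forwardable": 1,
    "proxiable": 3,
    "renewable": 8,
    "canonicalize": 15,
    "renewable-ok": 27,
}

def kdc_options(*names):
    """Return the 32-bit KDCOptions word with the named flags set."""
    word = 0
    for name in names:
        word |= 1 << (31 - KDC_OPTION_BITS[name])
    return word

def has_option(word, name):
    """True when the named KDCOptions flag is set in word."""
    return bool(word & (1 << (31 - KDC_OPTION_BITS[name])))

MISMATCH = "KDC reply did not match expectations"

def check_as_rep(req_cname, req_options, rep_cname):
    """Simplified model of the client's AS-REP verification: a reply whose
    cname differs from the requested cname is accepted only if the request
    carried the canonicalize option.  Returns None on success, otherwise
    the error text kinit prints."""
    if rep_cname == req_cname or has_option(req_options, "canonicalize"):
        return None
    return MISMATCH

# Constructed krb5kdc log lines shaped like the thread's snippet; the
# principals talias/tuser and the realm IPA.TEST are placeholders.
SAMPLE_KDC_LOG = [
    "Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes "
    "{18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED: "
    "talias@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, Password has expired",
    "Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12",
    "Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes "
    "{18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: talias@IPA.TEST "
    "for kadmin/changepw@IPA.TEST, Additional pre-authentication required",
    "Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes "
    "{18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes "
    "{rep=18 tkt=18 ses=18}, talias@IPA.TEST for kadmin/changepw@IPA.TEST",
]

AS_REQ_RE = re.compile(r"AS_REQ .*?\d+\.\d+\.\d+\.\d+: (?P<rest>.*)$")
PRINCIPALS_RE = re.compile(r"(\S+@\S+) for (\S+?)(?:,|$)")

def parse_as_req(line):
    """Return (status, client, server) for an AS_REQ log line, else None."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    status, _, detail = m.group("rest").partition(": ")
    pm = PRINCIPALS_RE.search(detail)
    if not pm:
        return None
    return status, pm.group(1), pm.group(2)

def password_change_after_expiry(log_lines):
    """Return (client, server) pairs where a CLIENT KEY EXPIRED AS_REQ is
    directly followed by an AS_REQ from the same client for the
    kadmin/changepw service: the password-change path under discussion."""
    events = [e for e in map(parse_as_req, log_lines) if e]
    return [(cur[1], cur[2]) for prev, cur in zip(events, events[1:])
            if prev[0] == "CLIENT KEY EXPIRED" and prev[1] == cur[1]
            and cur[2].startswith("kadmin/changepw@")]

if __name__ == "__main__":
    print(hex(kdc_options("canonicalize")))
    # alias requested, canonical name returned, no canonicalize flag
    print(check_as_rep("talias@IPA.TEST", kdc_options("forwardable"), "tuser@IPA.TEST"))
    # same exchange with the flag set is accepted
    print(check_as_rep("talias@IPA.TEST", kdc_options("canonicalize"), "tuser@IPA.TEST"))
    print(password_change_after_expiry(SAMPLE_KDC_LOG))
```

Running the block against the constructed log shows the expired-key request followed by the kadmin/changepw AS-REQ from the alias, and the name check shows why that second AS-REQ is the one that matters: if it is built without the canonicalize bit while the KDC answers with the canonical name, the client rejects the reply with the exact text in the kinit output above.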
