On Wed, 2016-06-22 at 18:36 +0200, Martin Babinsky wrote:
> On 06/22/2016 06:26 PM, Simo Sorce wrote:
> > On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote:
> >> On 10/05/2015 03:00 PM, Martin Babinsky wrote:
> >>> These patches implement the plumbing required to properly support
> >>> canonicalization of Kerberos principals (
> >>> https://fedorahosted.org/freeipa/ticket/3864).
> >>>
> >>> Setting multiple principal aliases on hosts/services is beyond the scope
> >>> of this patchset and should be done after these patches are pushed.
> >>>
> >>> I will try to send some tests for the patches later this week.
> >>>
> >>> Please review the hell out of them.
> >>>
> >>>
> >>>
> >>
> >> Long time no see.
> >>
> >> I am attaching rebased infrastructure patches which were reviewed and
> >> tested by David a year ago :). Now that all related DS bugs were fixed
> >> and the patches still work as expected, we may push them so that the
> >> plumbing for further work (API for alias handling etc.) is in place.
> >>
> >
> > If the patches were all reviewed and tested I say push them.
> >
> > Simo.
> >
> 
> There is one problem remaining, however, that when a user is kinit'ing 
> for the first name using his alias and has to change password, the 
> operation fails:
> 
> """
> [root@master1 ~]# kinit -C talias
> Password for tal...@ipa.test:
> kinit: KDC reply did not match expectations while getting initial 
> credentials
> 
> """
> 
> This is the related snippet from KDC log:
> 
> """
> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes 
> {18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED: 
> tal...@ipa.test for krbtgt/ipa.t...@ipa.test, Password has expired
> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes 
> {18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: tal...@ipa.test 
> for kadmin/chang...@ipa.test, Additional pre-authentication required
> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes 
> {18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes 
> {rep=18 tkt=18 ses=18}, tal...@ipa.test for kadmin/chang...@ipa.test
> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12
> 
> """
> 
> Here is the same command repeated with captured libkrb5 trace: 
> https://paste.fedoraproject.org/383358/14666131
> 
> If I use kinit with the canonical principal everything works as 
> expected, even with '-C' and '-E' options. Subsequent kinits using 
> canonicalization work as expected.
> 
> Frankly I have no idea why this happens and I do not know how much this 
> error blocks us. We may need to investigate this before pizza orders arrive.

I guess the password changing code is making a request without
canonicalization flags set for the kpasswd service.
As you can see the kpasswd case is special because we are making an AS
REQ (not a TGS req) directly for that service, and that request needs to
use canonicalization as well, it probably isn't.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
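The KDC log excerpt above shows the flow Simo describes: an AS_REQ for the TGT that fails with CLIENT KEY EXPIRED, followed by a second AS_REQ directly for the kadmin/changepw service, issued under the same (alias) client name. The following is an added example for this thread, not FreeIPA or MIT Kerberos code. It parses krb5kdc log lines in the format quoted above and pairs each expired-key TGT request with the kadmin/changepw requests that follow from the same address and principal, so an admin can confirm under which principal name the password-change AS_REQ was made. The sample log lines, the realm EXAMPLE.TEST, the address 192.0.2.10 and the alias-to-canonical map are constructed for the example; the KDC log itself does not record whether the client set the canonicalize flag, so that part of the diagnosis still needs a libkrb5 trace as in the pastebin link.

```python
"""Correlate krb5kdc log lines into password-change flows (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Common prefix of AS_REQ/TGS_REQ lines as krb5kdc logs them.
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_ ]+?): (?P<rest>.*)$"
)
# "<client> for <server>[, <free text>]" for most statuses ...
PLAIN_TAIL = re.compile(r"^(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<detail>.*))?$")
# ... and "authtime N, etypes {...}, <client> for <server>" for ISSUE.
ISSUE_TAIL = re.compile(
    r"^authtime (?P<authtime>\d+), etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>\S+)$"
)


@dataclass
class KdcEvent:
    ts: str
    ip: str
    req: str
    status: str
    client: str
    server: str
    detail: Optional[str] = None


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Return a KdcEvent for AS_REQ/TGS_REQ lines, None for anything else."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    tail = ISSUE_TAIL if m["status"] == "ISSUE" else PLAIN_TAIL
    t = tail.match(m["rest"])
    if not t:
        return None
    return KdcEvent(m["ts"], m["ip"], m["req"], m["status"],
                    t["client"], t["server"], t.groupdict().get("detail"))


def password_change_flows(lines, canonical_of=None):
    """Pair each CLIENT KEY EXPIRED krbtgt AS_REQ with the kadmin/changepw
    AS_REQs that follow from the same client address and principal name.

    canonical_of maps alias principal -> canonical principal; the admin
    supplies it (hypothetical input, e.g. taken from the IPA user entry).
    Each flow records whether the change was requested under an alias.
    """
    canonical_of = canonical_of or {}
    pending, flows = {}, []
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None or ev.req != "AS_REQ":
            continue
        key = (ev.ip, ev.client)
        if ev.status == "CLIENT KEY EXPIRED" and ev.server.startswith("krbtgt/"):
            canonical = canonical_of.get(ev.client, ev.client)
            pending[key] = {"client": ev.client, "ip": ev.ip, "expired_at": ev.ts,
                            "canonical": canonical, "alias_used": canonical != ev.client,
                            "changepw_statuses": []}
            flows.append(pending[key])
        elif ev.server.startswith("kadmin/changepw") and key in pending:
            pending[key]["changepw_statuses"].append(ev.status)
    return flows


# Constructed sample log, shaped like the excerpt in the thread.
SAMPLE_KDC_LOG = """\
Jun 22 16:29:24 kdc1.example.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: CLIENT KEY EXPIRED: talias@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired
Jun 22 16:29:24 kdc1.example.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:24 kdc1.example.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: talias@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Additional pre-authentication required
Jun 22 16:29:24 kdc1.example.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:28 kdc1.example.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1466612968, etypes {rep=18 tkt=18 ses=18}, talias@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST
Jun 22 16:29:28 kdc1.example.test krb5kdc[31003](info): closing down fd 12
"""
# Constructed alias map: talias is an alias of the canonical principal tuser.
ALIASES = {"talias@EXAMPLE.TEST": "tuser@EXAMPLE.TEST"}

if __name__ == "__main__":
    for flow in password_change_flows(SAMPLE_KDC_LOG.splitlines(), ALIASES):
        print(f"{flow['ip']}: password change requested as {flow['client']} "
              f"(canonical {flow['canonical']}, alias used: {flow['alias_used']}), "
              f"changepw AS_REQ statuses: {flow['changepw_statuses']}")
```

A flow whose changepw request was issued under an alias is exactly the case where a missing canonicalize flag matters: the KDC answers with the canonical name and the client rejects the reply with "KDC reply did not match expectations". Running the same kinit with KRB5_TRACE set shows whether the flag was sent.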
