On 23.06.2016 09:44, David Kupka wrote:
On 22/06/16 18:56, Simo Sorce wrote:
On Wed, 2016-06-22 at 18:36 +0200, Martin Babinsky wrote:
On 06/22/2016 06:26 PM, Simo Sorce wrote:
On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote:
On 10/05/2015 03:00 PM, Martin Babinsky wrote:
These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (

Setting multiple principal aliases on hosts/services is beyond the scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.

Long time no see.

I am attaching rebased infrastructure patches which were reviewed and
tested by David a year ago :). Now that all related DS bugs were fixed
and the patches still work as expected, we may push them so that the
plumbing for further work (API for alias handling etc.) is in place.

If the patches were all reviewed and tested I say push them.


There is one problem remaining, however, that when a user is kinit'ing
for the first name using his alias and has to change password, the
operation fails:

[root@master1 ~]# kinit -C talias
Password for tal...@ipa.test:
kinit: KDC reply did not match expectations while getting initial


This is the related snippet from KDC log:

Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes
{18 17 16 23 25 26}) CLIENT KEY EXPIRED:
tal...@ipa.test for krbtgt/ipa.t...@ipa.test, Password has expired
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes
{18 17 16 23 25 26}) NEEDED_PREAUTH: tal...@ipa.test
for kadmin/chang...@ipa.test, Additional pre-authentication required
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes
{18 17 16 23 25 26}) ISSUE: authtime 1466612968, etypes
{rep=18 tkt=18 ses=18}, tal...@ipa.test for kadmin/chang...@ipa.test
Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12


Here is the same command repeated with captured libkrb5 trace:

If I use kinit with the canonical principal everything works as
expected, even with '-C' and '-E' options. Subsequent kinits using
canonicalization work as expected.

Frankly I have no idea why this happens and I do not know how much this
error blocks us. We may need to investigate this before pizza orders arrive.

I guess the password changing code is making a request without
canonicalization flags set for the kpasswd service.
As you can see the kpasswd case is special because we are making an AS
REQ (not a TGS req) directly for that service, and that request needs to
use canonicalization as well, it probably isn't.
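
The records Martin pasted from the KDC log are the only server-side evidence of the flow Simo describes: an expired-key failure on the TGT request, then a separate AS_REQ straight to the kpasswd service. The following parser, added here as an example and not code from the thread or from FreeIPA, reconstructs that flow from krb5kdc log lines. The sample records are constructed in the same shape as the ones above (one record per line, as the KDC writes them; the mailer wrapped the originals); the host, realm and principal names are placeholders, not the ones elided in the quoted log.

```python
import re

# Constructed sample of krb5kdc log records (placeholders for host, realm and
# principals; the status strings and layout are the ones the KDC emits).
SAMPLE_KDC_LOG = """\
Jun 22 16:29:24 kdc1.example.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) CLIENT KEY EXPIRED: user-alias@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired
Jun 22 16:29:24 kdc1.example.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:24 kdc1.example.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) NEEDED_PREAUTH: user-alias@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Additional pre-authentication required
Jun 22 16:29:24 kdc1.example.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:28 kdc1.example.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ISSUE: authtime 1466612968, etypes {rep=18 tkt=18 ses=18}, user-alias@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST
Jun 22 16:29:28 kdc1.example.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:30:02 kdc1.example.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ISSUE: authtime 1466613002, etypes {rep=18 tkt=18 ses=18}, other@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# One AS_REQ/TGS_REQ record: timestamp, host, pid, level, request type,
# the client's offered etypes, a status word (ISSUE, NEEDED_PREAUTH,
# CLIENT KEY EXPIRED, ...) and the free-form detail after it.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) "
    r"(?P<status>[A-Z_ ]+?): (?P<detail>.*)$"
)
# "client for service" appears in the detail of every request record;
# the service name ends at the comma that precedes an error message.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,\s]+)")


def parse_record(line):
    """Parse one krb5kdc log record; return None for lines that are not
    request records (for example 'closing down fd 12')."""
    m = RECORD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS_RE.search(rec["detail"])
    rec["client"] = p.group("client") if p else None
    rec["service"] = p.group("service") if p else None
    return rec


def parse_log(text):
    """Return the request records of a log, in order, skipping other lines."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def password_change_flows(text):
    """Correlate, per client principal, a CLIENT KEY EXPIRED failure on the
    TGT request with the AS_REQs that follow for the kpasswd service.

    Returns {client: {"expired_at": ts, "changepw": [statuses], "completed": bool}}.
    'completed' is True once the KDC logged ISSUE for kadmin/changepw; a
    flow that never reaches ISSUE is what a failed password change looks
    like from the server side."""
    flows = {}
    for rec in parse_log(text):
        if rec["req"] != "AS_REQ" or not rec["client"]:
            continue
        client, service = rec["client"], rec["service"]
        if rec["status"] == "CLIENT KEY EXPIRED" and service.startswith("krbtgt/"):
            flows[client] = {"expired_at": rec["ts"], "changepw": [], "completed": False}
        elif service.startswith("kadmin/changepw") and client in flows:
            flow = flows[client]
            flow["changepw"].append(rec["status"])
            if rec["status"] == "ISSUE":
                flow["completed"] = True
    return flows


if __name__ == "__main__":
    for client, flow in password_change_flows(SAMPLE_KDC_LOG).items():
        state = "completed" if flow["completed"] else "incomplete"
        print(f"{client}: key expired at {flow['expired_at']}, "
              f"kpasswd AS_REQs {flow['changepw']} -> {state}")
```

Run against the log in the thread, the flow for the aliased client ends in ISSUE for kadmin/changepw, so from the KDC's point of view the change-password exchange completed; the "KDC reply did not match expectations" error is raised on the client, which is consistent with Simo's reading that the kpasswd AS_REQ is sent without canonicalization and the client then rejects a reply naming a principal it did not ask for.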



I reviewed and tested the patches a year ago and now again with current master. The only issue I've found is the problem Martin is describing: a user cannot kinit with an alias after a password reset. Since this is not a regression, I believe the patches can be pushed now, and the issue can be solved together with the rest of the missing functionality. ACK!

pushed to master:
* e43231456d8de954423582dbee439e330573d04b perform case-insensitive principal search when canonicalization is requested
* 5f963e1ad18fdf52d0b41e143fd12f236b2a1ce7 mark 'ipaKrbPrincipalAlias' attribute as deprecated in schema
* 229ab40dd3d21346db8cd6dc65c03285f917271b add case-insensitive matching rule to krbprincipalname index
* 3f93f805571c1b791f0c378053ae8ecf37126e7f add krbCanonicalName to attributes watched by MODRDN plugin
* 7ed7a86511ec516c2f785968050f5d0a42978ba5 ipa-kdb: set krbCanonicalName when creating new principals
* b169a72735fccb170adb5c84ec1bcc10a70e5494 ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
* 705f66f7490c64de1adc129221b31927616c485d IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
* 1bba2ed45df83684be1d50ef6e1ddb10f7a7d074 set krbcanonicalname on host entry during krbinstance configuration
* 06d945a04607dc36e25af78688b4295420489fb9 account for added krbcanonicalname attribute during xmlrpc tests
