On Wed, 04 Jul 2018, lune voo via FreeIPA-users wrote:
Hello Alexander.

I tried to reproduce the error with the standard commands ipa passwd and
kpasswd in a shell.
I was not able to reproduce the problem (even by using the same passwords).

I also performed another test in Python.
I added a loop to retry the kpasswd if it fails with this kind of error.
If the kpasswd fails with this error, I also added an ipa user-unlock to
prevent the user from being locked.
For the ipa user-unlock, I also use the ipa Python library.
It works at the fourth iteration, but the first three times, it fails with
the error I mentioned before.

Here are the logs I wrote about that:
(don't worry about the credentials, this is a test user that I removed just
after my command)
###
2018-07-03 17:12:36,235;INFO;BEGIN
2018-07-03 17:12:36,235;INFO;Creating user login test_user
2018-07-03 17:12:36,235;INFO;Creating IPA account...
2018-07-03 17:12:45,127;INFO;Generating and setting password for the login
test_user...
2018-07-03 17:12:45,276;INFO;ipa passwd for user test_user has ended with
the following summary : Changed password for "test_user@MYREALM"
2018-07-03 17:12:45,280;INFO;login = test_user, one_time_password =
Kk)4YIRq, password = fJ6f4%(5
2018-07-03 17:12:45,503;INFO;1st kpasswd try
2018-07-03 17:12:45,503;INFO;kpasswd stdout : [47695] 1530630765.283620:
Getting initial credentials for test_user@MYREALM
[47695] 1530630765.283766: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47695] 1530630765.283812: Retrieving admin@MYREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from
FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.283818: Read config in FILE:/tmp/krb5cc_testuser for
krbtgt/MYREALM@MYREALM: fast_avail: yes
[47695] 1530630765.283821: Using FAST due to armor ccache negotiation result
[47695] 1530630765.283831: Getting credentials admin@MYREALM ->
krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47695] 1530630765.283862: Retrieving admin@MYREALM ->
krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.283882: Armor ccache sesion key: aes256-cts/2559
[47695] 1530630765.283914: Creating authenticator for admin@MYREALM ->
krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2FB3, session key
aes256-cts/2559
[47695] 1530630765.284000: FAST armor key: aes256-cts/552F
[47695] 1530630765.284013: Setting initial creds service to kadmin/changepw
[47695] 1530630765.284018: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47695] 1530630765.284043: Retrieving admin@MYREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from
FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.284046: Read config in FILE:/tmp/krb5cc_testuser for
krbtgt/MYREALM@MYREALM: fast_avail: yes
[47695] 1530630765.284048: Using FAST due to armor ccache negotiation result
[47695] 1530630765.284055: Getting credentials admin@MYREALM ->
krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47695] 1530630765.284076: Retrieving admin@MYREALM ->
krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.284082: Armor ccache sesion key: aes256-cts/2559
[47695] 1530630765.284094: Creating authenticator for admin@MYREALM ->
krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7296, session key
aes256-cts/2559
[47695] 1530630765.284126: FAST armor key: aes256-cts/1070
[47695] 1530630765.284139: Encoding request body and padata into FAST
request
[47695] 1530630765.284176: Sending request (1019 bytes) to MYREALM
[47695] 1530630765.284263: Resolving hostname ipamasterhostname
[47695] 1530630765.284544: Initiating TCP connection to stream
ipamasterIP:88
How is this client finding a KDC? Is it resolving them via DNS SRV
records? Or is it forcibly configured to only talk to a single master?

If you have multiple masters and you are talking to a different master
after a password change done on some master, chances are that the other
master doesn't yet have the change propagated.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
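To answer the "how does this client find a KDC" question without guessing, the following added diagnostic (not code from the thread or from FreeIPA) parses a krb5.conf realm block and the KRB5_TRACE lines quoted above, and reports whether KDC discovery is static or DNS SRV based and which host the client actually contacted. The krb5.conf fragment, hostnames and IP are constructed placeholders.

```python
import re

# Constructed sample krb5.conf (not from the thread): a realm with two statically listed KDCs.
SAMPLE_KRB5_CONF = """[libdefaults]
  dns_lookup_kdc = false
[realms]
  MYREALM = {
    kdc = ipamaster1.example.test:88
    kdc = ipamaster2.example.test:88
    kpasswd_server = ipamaster1.example.test:464
  }"""

# Constructed KRB5_TRACE excerpt in the format quoted in the thread (placeholder host/IP).
SAMPLE_TRACE = """[47695] 1530630765.284263: Resolving hostname ipamaster2.example.test
[47695] 1530630765.284544: Initiating TCP connection to stream 192.0.2.12:88"""

def parse_krb5_conf(text):
    """Return dns_lookup_kdc and the static kdc/kpasswd_server lists per realm."""
    conf = {"dns_lookup_kdc": True, "realms": {}}  # MIT defaults dns_lookup_kdc to true
    section = realm = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, realm = line.strip("[]"), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=")[0].strip()
            conf["realms"][realm] = {"kdc": [], "kpasswd_server": []}
        elif line == "}":
            realm = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if section == "libdefaults" and key == "dns_lookup_kdc":
                conf["dns_lookup_kdc"] = value.lower() in ("true", "yes", "1")
            elif realm and key in conf["realms"][realm]:
                conf["realms"][realm][key].append(value)
    return conf

def diagnose(conf_text, trace_text, realm):
    """How did the client pick a KDC, and could it differ from where the password was set?"""
    conf = parse_krb5_conf(conf_text)
    kdcs = conf["realms"].get(realm, {}).get("kdc", [])
    # Static kdc entries take precedence; SRV discovery applies only when none are listed.
    mode = "static" if kdcs else ("dns_srv" if conf["dns_lookup_kdc"] else "none")
    hosts = re.findall(r"Resolving hostname (\S+)", trace_text)
    ends = [(h, int(p)) for h, p in
            re.findall(r"Initiating TCP connection to stream (\S+):(\d+)", trace_text)]
    return {"mode": mode, "configured_kdcs": kdcs, "resolved": hosts, "connected": ends,
            "multi_master": mode == "dns_srv" or len(kdcs) > 1}
```

If `multi_master` is true, the kpasswd request may land on a master that has not yet received the password change via replication, which is the situation described in the reply above.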
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BDMX6H7KJA7SZUERL4CC2DHYJ7T7CF73/