> Hi, > > this is still the same pattern. Would it be possible to get a network > trace to better understand how the KDC reply looks like and what might > not be as expected by libkrb5? > > Additionally, can you try to set the password for the user with the > expired password with > > KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST..... > > and send the output? > > bye, > Sumit > > > Hi there. I work with Mateo. We are sending the network capture in some minutes, but to get ahead I am sending the other test:
# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx [47521] 1647008539.753136: Getting initial credentials for u...@adtest.xxx.xxx.xx [47521] 1647008539.753137: FAST armor ccache: KCM:0:84390 [47521] 1647008539.753138: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found [47521] 1647008539.753139: Setting initial creds service to kadmin/changepw [47521] 1647008539.753140: FAST armor ccache: KCM:0:84390 [47521] 1647008539.753141: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found [47521] 1647008539.753143: Sending unauthenticated request [47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX [47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88 [47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88 [47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88 [47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88 [47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88 [47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88 [47521] 1647008540.776860: Response was from master KDC [47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required [47521] 1647008540.776864: Preauthenticating using KDC method data [47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19) [47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00" [47521] 1647008540.776867: PKINIT client has no configured identity; giving up [47521] 1647008540.776868: PKINIT client has no configured identity; giving up [47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 22/Invalid argument Password for u...@adtest.xxx.xxx.xx: [47521] 1647008555.456745: AS key obtained for encrypted timestamp: aes256-cts/0DAE [47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202): plain 301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted 588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C [47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success [47521] 1647008555.456749: Produced preauth for next request: PA-ENC-TIMESTAMP (2) [47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX [47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88 [47521] 1647008556.458248: Initiating TCP connection to stream 10.2.100.3:88 [47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88 [47521] 1647008556.458250: Received answer (1438 bytes) from stream 10.2.100.3:88 [47521] 1647008556.458251: Terminating TCP connection to stream 10.2.100.4:88 [47521] 1647008556.458252: Terminating TCP connection to stream 10.2.100.3:88 [47521] 1647008556.458253: Response was from master KDC [47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3) [47521] 1647008556.458255: Received salt "ADTEST.XXX.XXX.XXusu5" via padata type PA-PW-SALT (3) [47521] 1647008556.458256: Produced preauth for next request: (empty) [47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE [47521] 1647008556.458258: Decrypted AS reply; session key is: aes256-cts/35D9 [47521] 1647008556.458259: FAST negotiation: unavailable kpasswd: KDC reply did not match expectations getting initial ticket FYI, I have tried the same test with a user WITHOUT expired password, and it does not work either, and the log is exactly the same. Indeed, when I log in with ssh with this user, I cannot change the password too: $ passwd Changing password for user u...@adtest.xxx.xx.xx. Current Password: Password change failed. Server message: Old password not accepted. passwd: Authentication token manipulation error Thanks very much.
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure