On Fri, Mar 11, 2022 at 01:32:50PM -0300, Mateo Duffour wrote:
> Hi, 
> 
> I've sent the network capture attached; it was made with tcpdump on the IdM 
> server to the Samba AD DC server, while trying to log in with ssh with user5. 

Hi,

thanks for the network trace.

Alexander, can you have a look at the Kerberos packets in the network
trace?

It looks like the Samba DC is replying if a ticket for the
'kadmin/changepw' service principal is requested (packet 63) with a
ticket for 'krbtgt' (packet 65). And it looks like this is not expected
by libkrb5.

bye,
Sumit

> 
> Regards, 
> 
> Lic. Mateo Duffour 
> Unidad Informática 
> 2901.40.91 
> 
> 18 de julio 985 - Piso 3, Montevideo, Uruguay 
> http://www.fnr.gub.uy/ 
> 
> 
> 
> Don't print me unless necessary. Let's protect the environment. This message 
> and the information attached to it are directed exclusively to its 
> addressee. It may contain confidential, privileged or restricted-use 
> information protected by law. If you received this e-mail in error, 
> please notify the sender and delete the original. 
> Any other use of this e-mail by you is prohibited. 
> 
> 
> From: "tizo" <tiz...@gmail.com> 
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
> Cc: "Mateo Duffour" <mduff...@fnr.gub.uy>, "Alexander Bokovoy" 
> <aboko...@redhat.com>, "Sumit Bose" <sb...@redhat.com> 
> Sent: Friday, 11 March, 2022 11:38:50 
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC 
> - User accounts with passwords expired 
> 
> 
> 
> 
> Hi, 
> 
> this is still the same pattern. Would it be possible to get a network 
> trace to better understand what the KDC reply looks like and what might 
> not be as expected by libkrb5? 
> 
> Additionally, can you try to set the password for the user with the 
> expired password with 
> 
> KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST..... 
> 
> and send the output? 
> 
> bye, 
> Sumit 
> 
> 
> 
> 
> 
> Hi there. I work with Mateo. We are sending the network capture in some 
> minutes, but to get ahead I am sending the other test: 
> 
> # KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx 
> [47521] 1647008539.753136: Getting initial credentials for 
> u...@adtest.xxx.xxx.xx 
> [47521] 1647008539.753137: FAST armor ccache: KCM:0:84390 
> [47521] 1647008539.753138: Retrieving 
> host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
>  from KCM:0:84390 with result: -1765328243/Matching credential not found 
> [47521] 1647008539.753139: Setting initial creds service to kadmin/changepw 
> [47521] 1647008539.753140: FAST armor ccache: KCM:0:84390 
> [47521] 1647008539.753141: Retrieving 
> host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
>  from KCM:0:84390 with result: -1765328243/Matching credential not found 
> [47521] 1647008539.753143: Sending unauthenticated request 
> [47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX 
> [47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88 
> [47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88 
> [47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88 
> [47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88 
> [47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88 
> [47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88 
> [47521] 1647008540.776860: Response was from master KDC 
> [47521] 1647008540.776861: Received error from KDC: -1765328359/Additional 
> pre-authentication required 
> [47521] 1647008540.776864: Preauthenticating using KDC method data 
> [47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), 
> PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19) 
> [47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt 
> "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00" 
> [47521] 1647008540.776867: PKINIT client has no configured identity; giving 
> up 
> [47521] 1647008540.776868: PKINIT client has no configured identity; giving 
> up 
> [47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 
> 22/Invalid argument 
> Password for u...@adtest.xxx.xxx.xx: 
> [47521] 1647008555.456745: AS key obtained for encrypted timestamp: 
> aes256-cts/0DAE 
> [47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202): plain 
> 301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted 
> 588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C
>  
> [47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) 
> returned: 0/Success 
> [47521] 1647008555.456749: Produced preauth for next request: 
> PA-ENC-TIMESTAMP (2) 
> [47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX 
> [47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88 
> [47521] 1647008556.458248: Initiating TCP connection to stream 10.2.100.3:88 
> [47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88 
> [47521] 1647008556.458250: Received answer (1438 bytes) from stream 10.2.100.3:88 
> [47521] 1647008556.458251: Terminating TCP connection to stream 10.2.100.4:88 
> [47521] 1647008556.458252: Terminating TCP connection to stream 10.2.100.3:88 
> [47521] 1647008556.458253: Response was from master KDC 
> [47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3) 
> [47521] 1647008556.458255: Received salt "ADTEST.XXX.XXX.XXusu5" via padata 
> type PA-PW-SALT (3) 
> [47521] 1647008556.458256: Produced preauth for next request: (empty) 
> [47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE 
> [47521] 1647008556.458258: Decrypted AS reply; session key is: 
> aes256-cts/35D9 
> [47521] 1647008556.458259: FAST negotiation: unavailable 
> kpasswd: KDC reply did not match expectations getting initial ticket 
> 
> FYI, I have tried the same test with a user WITHOUT an expired password, and it 
> does not work either, and the log is exactly the same. Indeed, when I log in 
> with ssh with this user, I cannot change the password either: 
> 
> $ passwd 
> Changing password for user u...@adtest.xxx.xx.xx. 
> Current Password: 
> Password change failed. Server message: Old password not accepted. 
> passwd: Authentication token manipulation error 
> 
> Thanks very much. 
> 
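Sumit's diagnosis above is that the client asked for a ticket for kadmin/changepw but the reply carried a krbtgt ticket, and libkrb5 refuses a reply whose ticket does not match what was requested. The following is an added example, not code from this thread, from libkrb5 or from Samba: a minimal DER walker that pulls the sname out of an AS-REQ and out of the ticket inside the AS-REP and compares the two, a simplified form of the client-side check (libkrb5's real verification also handles canonicalization and referrals, which are not modelled here). The sample messages are constructed inline, carry only the fields the check reads, and reuse the redacted realm name from the trace.

```python
# Added example: compare the sname requested in an AS-REQ with the sname of
# the ticket returned in the AS-REP. Constructed sample data, not real KDC traffic.

def der(tag, body):                       # DER TLV encoder, lengths < 65536
    n = len(body)
    ln = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body
def ctx(n, body): return der(0xA0 | n, body)   # context-specific [n], constructed
def app(n, body): return der(0x60 | n, body)   # APPLICATION [n], constructed

def principal(name_type, parts):          # PrincipalName ::= SEQUENCE { [0] INTEGER, [1] SEQUENCE OF GeneralString }
    strings = b"".join(der(0x1B, p.encode()) for p in parts)
    return der(0x30, ctx(0, der(0x02, bytes([name_type]))) + ctx(1, der(0x30, strings)))

def parse_tlv(buf, pos=0):                # -> (tag, value bytes, offset of next TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long-form length: low bits give the byte count
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):                       # all TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def walk(body, path):                     # descend one tag per level, first match wins
    for want in path:
        body = next(v for t, v in children(body) if t == want)
    return body

def name_strings(pn_body):                # PrincipalName body -> ["kadmin", "changepw"]
    return [v.decode() for _, v in children(walk(pn_body, [0xA1, 0x30]))]
def requested_sname(as_req):              # AS-REQ [APPLICATION 10] / req-body [4] / sname [3]
    return name_strings(walk(parse_tlv(as_req)[1], [0x30, 0xA4, 0x30, 0xA3, 0x30]))
def ticket_sname(as_rep):                 # AS-REP [APPLICATION 11] / ticket [5] / Ticket [APPLICATION 1] / sname [2]
    return name_strings(walk(parse_tlv(as_rep)[1], [0x30, 0xA5, 0x61, 0x30, 0xA2, 0x30]))
def reply_matches_request(as_req, as_rep):  # the mismatch that makes a client reject the reply
    return requested_sname(as_req) == ticket_sname(as_rep)

# Constructed sample messages carrying only the sname fields this check reads.
def build_as_req(sname_parts):
    return app(10, der(0x30, ctx(4, der(0x30, ctx(3, principal(1, sname_parts))))))
def build_as_rep(ticket_sname_parts):
    ticket = app(1, der(0x30, ctx(2, principal(2, ticket_sname_parts))))
    return app(11, der(0x30, ctx(5, ticket)))
```

Feeding it `build_as_req(["kadmin", "changepw"])` and `build_as_rep(["krbtgt", "ADTEST.XXX.XXX.XX"])` reproduces the situation in the trace: the names differ and `reply_matches_request` returns False.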

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
