Hi,

We installed Samba AD DC from this repo: https://samba.tranquil.it/redhat8/samba-4.14.10/
It's running on Rocky Linux and it's in a trust relationship with IdM.

Regards,
Lic. Mateo Duffour
Unidad Informática
2901.40.91
18 de julio 985 - Piso 3, Montevideo, Uruguay
http://www.fnr.gub.uy/

Don't print me unless necessary. Let's protect the environment.
This message and the information attached to it are intended exclusively for the addressee. They may contain confidential, privileged or restricted-use information protected by law. If you received this e-mail in error, please notify the sender and delete the original. Any other use of this e-mail by you is prohibited.

From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "Mateo Duffour" <mduff...@fnr.gub.uy>
Cc: "Sumit Bose" <sb...@redhat.com>, "freeipa-users" <freeipa-users@lists.fedorahosted.org>, "tizo" <tiz...@gmail.com>
Sent: Friday, 11 March, 2022 14:07:58
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

On Fri, 11 March 2022, Mateo Duffour wrote:

Hi,

I've sent the network capture attached; it was made with tcpdump on the IdM server toward the Samba AD DC server, while trying to log in with ssh as user5.

Hi,

can you give more details about this Samba AD DC installation? What Samba version is that? How was it built?

BQ_BEGIN

Regards,
Lic. Mateo Duffour
Unidad Informática
2901.40.91
18 de julio 985 - Piso 3, Montevideo, Uruguay
http://www.fnr.gub.uy/

From: "tizo" <tiz...@gmail.com>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Mateo Duffour" <mduff...@fnr.gub.uy>, "Alexander Bokovoy" <aboko...@redhat.com>, "Sumit Bose" <sb...@redhat.com>
Sent: Friday, 11 March, 2022 11:38:50
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

Hi,

this is still the same pattern. Would it be possible to get a network trace to better understand what the KDC reply looks like and what might not be as expected by libkrb5?

Additionally, can you try to set the password for the user with the expired password with

KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.....

and send the output?

bye,
Sumit

Hi there. I work with Mateo. We are sending the network capture in some minutes, but to get ahead I am sending the other test:

# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx
[47521] 1647008539.753136: Getting initial credentials for u...@adtest.xxx.xxx.xx
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753138: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753140: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753141: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
[47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776860: Response was from master KDC
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776864: Preauthenticating using KDC method data
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00"
[47521] 1647008540.776867: PKINIT client has no configured identity; giving up
[47521] 1647008540.776868: PKINIT client has no configured identity; giving up
[47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Password for u...@adtest.xxx.xxx.xx:
[47521] 1647008555.456745: AS key obtained for encrypted timestamp: aes256-cts/0DAE
[47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202): plain 301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted 588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[47521] 1647008555.456749: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458248: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008556.458250: Received answer (1438 bytes) from stream 10.2.100.3:88
[47521] 1647008556.458251: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458252: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458253: Response was from master KDC
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458255: Received salt "ADTEST.XXX.XXX.XXusu5" via padata type PA-PW-SALT (3)
[47521] 1647008556.458256: Produced preauth for next request: (empty)
[47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE
[47521] 1647008556.458258: Decrypted AS reply; session key is: aes256-cts/35D9
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket

FYI, I have tried the same test with a user WITHOUT an expired password, and it does not work either, and the log is exactly the same. Indeed, when I log in with ssh as this user, I cannot change the password either:

$ passwd
Changing password for user u...@adtest.xxx.xx.xx.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error

Thanks very much.

BQ_END

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
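A small triage helper for KRB5_TRACE output like the kpasswd trace quoted above. This is an added example and not code from the thread, from MIT krb5 or from FreeIPA; the embedded sample is a condensed copy of the quoted trace lines (already anonymised by the original poster), and the function names are my own. It reduces the trace to the facts a responder needs: which KDC answered, which pre-authentication types were offered, which etype was selected, whether FAST was negotiated, and whether the AS-REP was actually decrypted before the client gave up.

```python
"""Summarise a MIT Kerberos KRB5_TRACE log of a kinit/kpasswd AS exchange.

Added example (not from the mailing-list thread). SAMPLE_TRACE is a
condensed copy of the quoted trace; helper names are the example author's.
"""
import re

TRACE_LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
PA_TYPE = re.compile(r"([A-Z0-9_-]+) \((\d+)\)")

# Constructed sample: condensed from the quoted KRB5_TRACE output.
SAMPLE_TRACE = """\
[47521] 1647008539.753136: Getting initial credentials for u...@adtest.xxx.xxx.xx
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776860: Response was from master KDC
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.XXX.XXX.XXusu5", params "\\x00\\x00\\x10\\x00"
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE
[47521] 1647008556.458258: Decrypted AS reply; session key is: aes256-cts/35D9
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket
"""


def parse_trace(text):
    """Split a capture into (pid, timestamp, message) trace events.
    Lines without the "[pid] ts:" prefix are the tool's own output."""
    events, tool_output = [], []
    for line in text.splitlines():
        m = TRACE_LINE.match(line)
        if m:
            events.append((int(m.group(1)), float(m.group(2)), m.group(3)))
        elif line.strip():
            tool_output.append(line.strip())
    return events, tool_output


def summarize_as_exchange(text):
    """Reduce the trace to the facts that matter for an AS exchange."""
    events, tool_output = parse_trace(text)
    summary = {
        "service": None, "kdcs": [], "kdc_errors": [], "preauth_rounds": [],
        "etype": None, "fast_armor": False, "fast": None,
        "reply_decrypted": False, "tool_output": tool_output,
    }
    for _pid, _ts, msg in events:
        if msg.startswith("Setting initial creds service to "):
            summary["service"] = msg.split(" to ", 1)[1]
        elif msg.startswith("Sending TCP request to stream "):
            kdc = msg.rsplit(" ", 1)[1]          # the KDC that actually answered
            if kdc not in summary["kdcs"]:
                summary["kdcs"].append(kdc)
        elif msg.startswith("Received error from KDC: "):
            summary["kdc_errors"].append(msg.split(": ", 1)[1])
        elif msg.startswith("Processing preauth types: "):
            summary["preauth_rounds"].append(
                [(name, int(num)) for name, num in PA_TYPE.findall(msg)])
        elif msg.startswith("Selected etype info: etype "):
            summary["etype"] = msg.split(": etype ", 1)[1].split(",", 1)[0]
        elif msg.startswith("FAST armor ccache: "):
            summary["fast_armor"] = True
        elif msg.startswith("FAST negotiation: "):
            summary["fast"] = msg.split(": ", 1)[1]
        elif msg.startswith("Decrypted AS reply"):
            summary["reply_decrypted"] = True
    return summary


def triage(summary):
    """Turn the summary into findings a responder can act on."""
    findings = []
    if summary["fast_armor"] and summary["fast"] == "unavailable":
        findings.append("client held a FAST armor ticket but the KDC did not "
                        "negotiate FAST; the exchange ran unarmored")
    if summary["reply_decrypted"]:
        findings.append("AS-REP decrypted with the derived client key, so the "
                        "KDC accepted the password")
    if summary["reply_decrypted"] and any(
            "did not match expectations" in line for line in summary["tool_output"]):
        # MIT krb5 reports KRB5_KDCREP_MODIFIED when the decrypted reply's
        # names/nonce/times do not match what the request asked for.
        findings.append("failure is in the client's post-decryption checks of the "
                        "reply (KRB5_KDCREP_MODIFIED), not in authentication; "
                        "compare cname/sname/realm in the AS-REP against the "
                        "AS-REQ in a packet capture")
    return findings


if __name__ == "__main__":
    result = summarize_as_exchange(SAMPLE_TRACE)
    for key in ("service", "kdcs", "etype", "fast", "reply_decrypted", "kdc_errors"):
        print(f"{key}: {result[key]}")
    for finding in triage(result):
        print("-", finding)
```

Run it against a saved trace with `summarize_as_exchange(open(path).read())`. The design point is the last finding: "Decrypted AS reply" followed by "KDC reply did not match expectations" tells you the password was accepted and the reply was readable, so the remaining question is what in the reply body libkrb5 rejected, which is exactly why a packet capture was requested in the thread.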
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org