Bug#664596: User seems to missing ability to login via, ssh/console after some days

2012-03-25 Thread Bernhard Hammes
I have to change my pwd first to update the expiration date after your
fix:

root@tjener:~# kadmin.local -q "modpol -maxlife 0secs users"
Authenticating as principal root/admin@INTERN with password.
root@tjener:~#  echo getprinc berham |kadmin.local |grep -i passw
Authenticating as principal root/admin@INTERN with password.
Last password change: Sat Mar 24 12:45:16 CET 2012
Password expiration date: Mon Mar 26 13:45:16 CEST 2012
Failed password attempts: 0
root@tjener:~#

pwd change in gosa…

root@tjener:~#  echo getprinc berham |kadmin.local |grep -i passw
Authenticating as principal root/admin@INTERN with password.
Last password change: Sun Mar 25 12:17:08 CEST 2012
Password expiration date: [none]
Failed password attempts: 0


Regards,
Bernhard





Re: Bug#664596: User seems to missing ability to login via, ssh/console after some days

2012-03-25 Thread Giorgio Pioda
It is not a bug,

it is a feature of kerberos, I think.

Regards

Giorgio

On Sun, Mar 25, 2012 at 12:24:33PM +0200, Bernhard Hammes wrote:
 I have to change my pwd first to update the expiration date after your
 fix:
 
 root@tjener:~# kadmin.local -q modpol -maxlife 0secs users
 Authenticating as principal root/admin@INTERN with password.
 root@tjener:~#  echo getprinc berham |kadmin.local |grep -i passw
 Authenticating as principal root/admin@INTERN with password.
 Last password change: Sat Mar 24 12:45:16 CET 2012
 Password expiration date: Mon Mar 26 13:45:16 CEST 2012
 Failed password attempts: 0
 root@tjener:~#
 
 pwd change in gosa…
 
 root@tjener:~#  echo getprinc berham |kadmin.local |grep -i passw
 Authenticating as principal root/admin@INTERN with password.
 Last password change: Sun Mar 25 12:17:08 CEST 2012
 Password expiration date: [none]
 Failed password attempts: 0
 
 
 Regards,
 Bernhard
 



-- 
Sysadmin SPSE-Tenero
Office: +41 91 735 62 48
Mobile: +41 79 629 20 63


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120325114320.ga6...@ticino.com



Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-24 Thread Wolfgang Schweer
On Tue, Mar 20, 2012 at 10:47:40PM +0100, Andreas B. Mundt wrote:
 On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
  [Andreas B. Mundt]
 
   Just remove the -maxlife option completely.  Use something like:
  
kadmin.local -q add_policy -minlength 4 -minclasses 2 user
 
  What is the default value when -maxlife is not used?
  --
 
 I use a default policy created by:
 
   kadmin.local -q add_policy -minlength 4 -minclasses 2 default
 

[..]
 
 So the default seems to be:
 
Password expiration date: [none]

Yes, in other words the default value seems to be 0.

So one could set it back to the default by executing

kadmin.local -q "modpol -maxlife 0secs users"

New user accounts should then have: Password expiration date: [none]


Wolfgang





Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-24 Thread Petter Reinholdtsen
[Wolfgang Schweer]
 Yes, in other words the default value seems to be 0.
 
 So one could set it back to the default by executing
 
 kadmin.local -q modpol -maxlife 0secs users
 
 New user accounts should then have: Password expiration date: [none]

It even affected old users:

root@tjener:~# kadmin.local -q "modpol -maxlife 0secs users"
Authenticating as principal root/admin@INTERN with password.
root@tjener:~# echo getprinc pere |kadmin.local |grep -i passw
Authenticating as principal root/admin@INTERN with password.
Last password change: Sat Feb 04 13:41:41 CET 2012
Password expiration date: [none]
Failed password attempts: 0
root@tjener:~# 

Great!  Who documents how to fix an existing installation and provides
a script to fix it in debian-edu-config?  We should also fix it for
new installations.  I lack a test bench at the moment and can not test
a fix myself.

Btw, does this mean the first user is not using the users policy?  I
guess it should be identical to other users in this regard.
-- 
Happy hacking
Petter Reinholdtsen





Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-24 Thread Petter Reinholdtsen
[Petter Reinholdtsen]
 So one could set it back to the default by executing
 
 kadmin.local -q modpol -maxlife 0secs users
 
 New user accounts should then have: Password expiration date: [none]
 
 It even affected old users:

Gah, my mistake.  pere was the first user, which is not affected by
this problem.  An old user did not get its password expiration date
changed to 'none' by using the command above.
-- 
Happy hacking
Petter Reinholdtsen






Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-24 Thread Wolfgang Schweer
On Sat, Mar 24, 2012 at 04:02:59PM +0100, Petter Reinholdtsen wrote:
 [Petter Reinholdtsen]
  So one could set it back to the default by executing
  
  kadmin.local -q modpol -maxlife 0secs users
  
  New user accounts should then have: Password expiration date: [none]
  
  It even affected old users:
 
 Gah, my mistake.  pere was the first user, which is not affected by
 this problem.  An old user did not get its password expiration date
 changed to 'none' by using the command above.
 
The change will take place as soon as the user changes the password.

Please check this script.

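#!/bin/bash
#
# /usr/share/debian-edu-config/tools/password-fix
#
# Fix password expiring after 2 days; for new users the password will never
# expire. For existing users this will be the case after they've changed
# their password. Give old users the chance to change the password, exclude
# not affected accounts: templates and first user
#
# Select accounts with a home under home0, minus the two templates and the
# first user (uid:gid 1000:1000), and print their login names.
for i in $(getent passwd|grep home0|grep -v newteacher|grep -v newstudent|grep -v 1000:1000|cut -d: -f1)
do
    # Move the stored expiration date of this principal far into the future.
    kadmin.local -q "modprinc -pwexpire 7000days $i"
done
# Stop the users policy from setting an expiration on later password changes.
kadmin.local -q "modpol -maxlife 0secs users"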


Wolfgang





Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-24 Thread Petter Reinholdtsen
[Wolfgang Schweer]
 Please check this script.

Seems to work fine on my test server, but I propose a slightly more
efficient grep line and a bit more robust handling of the first user.
I also propose to add more information in the comment to have an idea
four years from now that the script is obsolete. :)

#!/bin/bash
#
# /usr/share/debian-edu-config/tools/password-fix-squeeze-r0
#
# Fix password expiring after 2 days (#664596) incorrectly introduced
# in Debian Edu Squeeze up to r0; for new users the password will
# never expire. For existing users this will be the case after they've
# changed their password. Give old users the chance to change the
# password, exclude not affected accounts: templates and first user.
#
for i in $(getent passwd | grep home0 | egrep -v 'newteacher|newstudent|:1000:1000:' | cut -d: -f1) ; do
    # Move the stored expiration date of this principal far into the future.
    kadmin.local -q "modprinc -pwexpire 7000days $i"
done
# Stop the users policy from setting an expiration on later password changes.
kadmin.local -q "modpol -maxlife 0secs users"

I've committed it to svn.
-- 
Happy hacking
Petter Reinholdtsen





Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-21 Thread Giorgio Pioda
On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
 [Andreas B. Mundt]
  Hi,
 
 Hi.
 
  Just remove the -maxlife option completely.  Use something like:
  
   kadmin.local -q add_policy -minlength 4 -minclasses 2 user

The default policy I think is 1year, but I'm not sure of it

Regards

Giorgio

 
 What is the default value when -maxlife is not used?
 --
 Happy hacking
 Petter Reinholdtsen
 
 
 
 
 

-- 
Sysadmin SPSE-Tenero
Office: +41 91 735 62 48
Mobile: +41 79 629 20 63






Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-21 Thread Mike Gabriel

Hi all,

On Wed 21 Mar 2012 07:15:17 CET Giorgio Pioda wrote:


On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:

[Andreas B. Mundt]
 Hi,

Hi.

 Just remove the -maxlife option completely.  Use something like:

  kadmin.local -q add_policy -minlength 4 -minclasses 2 user


The default policy I think is 1year, but I'm not sure of it


The intention of placing a -maxlife argument into the policy was for  
defining the maximum ticket lifetime so the ticket may survive 24h.


Unfortunately, I mixed up the -maxlife option of add_principal (which
does exactly what is described above) and the -maxlife option of
add_policy. The former sets the max life time of the ticket, the
latter the max life time of the password.


Arg Sorry for the inconvenience!!!

Mike






--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb



Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread George
Hi,

I also try to log in to thinclient using ssh from server. I get the question 
about saving the key and then it asks for a password. I log in as the user I 
created when installing skolelinux, and I even tried as another user created 
via GOsa. The only answer I get back from ssh is Permission denied. I tried 
to change password, as suggested down. But it does not work. I haven't changed 
anything when it comes to ssh so I guess I missed something? Anyone having a 
clue? I would really need to login to the terminal to continue tracking down 
some issues.

Regards  /George

--- On Mon 2012-03-19, Mike Gabriel mike.gabr...@das-netzwerkteam.de wrote:

From: Mike Gabriel mike.gabr...@das-netzwerkteam.de
Subject: Re: Bug#664596: User seems to missing ability to login via ssh/console 
after some days
To: debian-edu@lists.debian.org
Date: Monday 19 March 2012 23:20

Hi Alf,

On Mon 19 Mar 2012 09:24:51 CET Alf Tonny Bätz wrote:

 package: debian-edu-config
 severity: minor
 version: squeeze
 
 Have come over a problem with that a user cant after some days loging with 
 ssh.
 
 The users password works in gosa, and only way to activate login with
 ssh again, is to change the password, and login with ssh works again
 for some days.
 Are trying to find out more about this, and will give out more info as i find 
 it
 
 regards Alf Tonny Bätz

I can confirm this and suppose this might be related to setting a Kerberos 
policy for user principals. (in gosa-create.sh).

Greets,
Mike


--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Alf Tonny Bätz
Did you change the password to the user with the sudo user you created
under installations?
The user themselves can't change the password to make ssh work when this bug
has come.

I had to change it for the user to make ssh work again.

Regards Alf Tonny Bätz

2012/3/20 George joj...@yahoo.se

 Hi,

 I also try to log in to thinclient using ssh from server. I get the
 question about saving the key and then it asks for a password. I log in as
 the user I created when installing skolelinux, and I even tried as another
 user created via GOsa. The only answer I get back from ssh is Permission
 denied. I tried to change password, as suggested down. But it does not
 work. I havnt changed anything when it comes to ssh so I guess I missed
 something? Anyone having a clue? I would really need to login to the
 terminal to continue tracking down some issues.

 Regards  /George

 --- On *Mon 2012-03-19, Mike Gabriel 
 mike.gabr...@das-netzwerkteam.de* wrote:


 From: Mike Gabriel mike.gabr...@das-netzwerkteam.de
 Subject: Re: Bug#664596: User seems to missing ability to login via
 ssh/console after some days
 To: debian-edu@lists.debian.org
 Date: Monday 19 March 2012 23:20


 Hi Alf,

 On Mon 19 Mar 2012 09:24:51 CET Alf Tonny Bätz wrote:

  package: debian-edu-config
  severity: minor
  version: squeeze
 
  Have come over a problem with that a user cant after some days loging
 with ssh.
 
  The users password works in gosa, and only way to activate login with
  ssh again, is to change the password, and login with ssh works again
  for some days.
  Are trying to find out more about this, and will give out more info as i
 find it
 
  regards Alf Tonny Bätz

 I can confirm this and suppose this might be related to setting a Kerberos
 policy for user principals. (in gosa-create.sh).

 Greets,
 Mike


 --
 DAS-NETZWERKTEAM
 mike gabriel, dorfstr. 27, 24245 barmissen
 fon: +49 (4302) 281418, fax: +49 (4302) 281419

 GnuPG Key ID 0xB588399B
 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

 freeBusy:

 https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb




Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Petter Reinholdtsen
[Alf Tonny Bätz]
 Are trying to find out more about this, and will give out more info
 as i find it

Can you try the following while logged in as the problematic user,
before and after the problem occurs.

LDAP bind password checking:

  ldapwhoami -Z -W -D "$(ldapsearch -x "(uid=$(whoami))" | awk '/dn:/ { print $2}')"

Kerberos password checking:

  kinit

Also, it would be useful if you could run this as root to extract the
LDAP object for the affected user.  Remember to replace 'pere' with
the username in question.

  slapcat | tr "\n" "\t" | sed "s/\t\t/\n/g" | grep uid=pere | tr "\t" "\n"

This will provide the password hashes, so please only do this if it is
OK to share the passwords.  Please also provide the password set
originally and the password set later on, with information about when
the passwords were changed and which method was used.

Last, is there anything interesting in the syslog?  Please run this as
root:

  zgrep gosa /var/log/syslog*
-- 
Happy hacking
Petter Reinholdtsen






Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Petter Reinholdtsen
I was able to sit down with Alf Tonny and look at this issue, and we
believe we figured out the problem.  The Kerberos passwords are set in
policy to expire after two days (172800 seconds).  To see if this is
the case for your user(s), use this (replace ldapuser with one of your
local users):

  root@tjener:~# echo getprinc ldapuser |kadmin.local |grep -i passw
  Authenticating as principal root/admin@INTERN with password.
  Last password change: Tue Feb 21 19:05:00 CET 2012
  Password expiration date: Thu Feb 23 19:05:00 CET 2012
  Failed password attempts: 0
  root@tjener:~# 

If I understand this correctly, one can fix it locally by running this
as root on tjener:

  echo modify_policy -maxlife never users | kadmin.local

It should change the policy to never expire passwords.  But I am
unsure if this is really working, as the getprinc call then starts to
claim the users' passwords will expire around 1970.  And the user can
not log in using the password, and setting a new password does not
change the password expiration date.  Setting it to '180days' instead
of 'never' works, though.

Anyone got any ideas how to properly fix this?
-- 
Happy hacking
Petter Reinholdtsen
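
The getprinc check in the message above looks at one user at a time. As an added example (not part of the original post or of debian-edu-config), the function below reads concatenated getprinc output and lists every principal on a given policy that still carries a password expiration date, marking the "around 1970" case separately. The function names and the sample records (alice, bob, carol, erin) are constructed for illustration; only the field labels and the INTERN realm are taken from the thread.

```shell
#!/bin/sh
# Added example; not part of debian-edu-config.
# Collect input on the KDC with something like (assumed account selection):
#   for u in $(getent passwd | grep home0 | cut -d: -f1); do
#       kadmin.local -q "getprinc $u"
#   done > getprinc-all.txt

# stale_expiry POLICY
# Reads getprinc output on stdin. For every principal attached to POLICY
# whose "Password expiration date" is an actual date, prints
#   <principal> TAB <kind> TAB <expiration date>
# kind is "epoch" when the year is 1970 or earlier (the symptom reported
# after "-maxlife never"), otherwise "dated".
stale_expiry() {
    awk -v want="$1" '
        function emit(    n, parts, kind) {
            # Records showing "[none]" or "[never]" have no date to report.
            if (princ != "" && policy == want && expiry != "" && expiry !~ /^\[/) {
                n = split(expiry, parts, " ")
                kind = (parts[n] + 0 <= 1970) ? "epoch" : "dated"
                printf "%s\t%s\t%s\n", princ, kind, expiry
            }
            princ = ""; expiry = ""; policy = ""
        }
        # A "Principal:" line starts a new record; report the previous one.
        /^[ \t]*Principal:/ { emit(); princ = $2; next }
        /^[ \t]*Password expiration date:/ {
            sub(/^[ \t]*Password expiration date:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            expiry = $0
            next
        }
        /^[ \t]*Policy:/ { policy = $2; next }
        END { emit() }
    '
}

# Constructed sample input in the getprinc layout shown in the thread.
sample_getprinc() {
    cat <<'EOF'
Principal: alice@INTERN
Expiration date: [never]
Last password change: Sat Mar 24 12:45:16 CET 2012
Password expiration date: Mon Mar 26 13:45:16 CEST 2012
Failed password attempts: 0
Policy: users
Principal: bob@INTERN
Expiration date: [never]
Last password change: Sun Mar 25 12:17:08 CEST 2012
Password expiration date: [none]
Failed password attempts: 0
Policy: users
Principal: carol@INTERN
Expiration date: [never]
Last password change: Tue Feb 21 19:05:00 CET 2012
Password expiration date: Thu Feb 23 19:05:00 CET 2012
Failed password attempts: 0
Policy: default
Principal: erin@INTERN
Expiration date: [never]
Last password change: Tue Mar 20 20:30:00 CET 2012
Password expiration date: Thu Jan 01 01:00:00 CET 1970
Failed password attempts: 0
Policy: users
EOF
}

# Stand-alone run over the constructed sample.
sample_getprinc | stale_expiry users
```

Principals listed as "dated" keep their old expiration until the password is changed or the date is reset per principal; "epoch" entries are locked out immediately.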






Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Petter Reinholdtsen
[Petter Reinholdtsen]
 Anyone got any ideas how to properly fix this?

I suspect this patch will solve it for first time installations.  We
need to figure out how to fix it for existing installations too.

Index: share/debian-edu-config/tools/kerberos-kdc-init
===
--- share/debian-edu-config/tools/kerberos-kdc-init (revisjon 77105)
+++ share/debian-edu-config/tools/kerberos-kdc-init (arbeidskopi)
@@ -237,8 +237,9 @@
 kadmin.local -q ktadd -k /etc/krb5.keytab.smtp smtp/tjener.intern
 chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp
 
-# Kerberos policy setup
-kadmin.local -q addpol -maxlife \2 days\ -minlength 5 users
+# Kerberos policy setup.  Make sure passwords never expire, as
+# long as LDAP and Samba passwords do not expire.
+kadmin.local -q addpol -maxlife never -minlength 5 users
 kadmin.local -q addpol -minclasses 2 hosts
 }
 
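Review bot: `-maxlife never` on the added `addpol ... users` line is the same value that the earlier message in this thread reports as misbehaving with `modify_policy`, where getprinc then showed an expiration around 1970 and the user could not log in, so a fresh install created with this line may start with every user password already expired. Since no password lifetime is wanted, drop `-maxlife` from the `users` policy, or use a value the thread shows to work, and confirm on a newly created user that getprinc reports `Password expiration date: [none]`. The new comment could also cite #664596 so the reason for the change stays findable.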

Anyone know why the -maxlife 2 days was there in the first place?
-- 
Happy hacking
Petter Reinholdtsen






Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Giorgio Pioda
In my experience with kerberos updating the policies
will NOT affect directly the principals. First
you have to change the policies and then reset passwords with cpw.

Cheers

Giorgio


On Tue, Mar 20, 2012 at 08:39:29PM +0100, Petter Reinholdtsen wrote:
 I was able to sit down with Alf Tonny and look at this issue, and we
 believe we figured out the problem.  The Kerberos passwords are set in
 policy to expire after two days (172800 seconds).  To see if this is
 the case for your user(s), use this (replace ldapuser with one of your
 local users):
 
   root@tjener:~# echo getprinc ldapuser |kadmin.local |grep -i passw
   Authenticating as principal root/admin@INTERN with password.
   Last password change: Tue Feb 21 19:05:00 CET 2012
   Password expiration date: Thu Feb 23 19:05:00 CET 2012
   Failed password attempts: 0
   root@tjener:~# 
 
 If I understand this correctly, one can fix it locally by running this
 as root on tjener:
 
   echo modify_policy -maxlife never users | kadmin.local
 
 It should change the policy to never expire passwords.  But I am
 unsure if this is really working, as the getprinc call then start to
 claim the users passwords will expire around 1970.  And the user can
 not log in using the password, and setting a new password do not
 change the password expiration date.  Setting it to '180days' instead
 of 'never' work, thought.
 
 Anyone got any ideas how to properly fix this?
 -- 
 Happy hacking
 Petter Reinholdtsen
 
 
 
 
 

-- 
Sysadmin SPSE-Tenero
Office: +41 91 735 62 48
Mobile: +41 79 629 20 63





Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Andreas B. Mundt
Hi,

On Tue, Mar 20, 2012 at 09:04:54PM +0100, Petter Reinholdtsen wrote:
 [Petter Reinholdtsen]
  Anyone got any ideas how to properly fix this?

Just remove the -maxlife option completely.  Use something like:

 kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"

Regards,

Andi


 I suspect this patch will solve it for first time installations.  We
 need to figure out how to fix it for existing installations too.

 Index: share/debian-edu-config/tools/kerberos-kdc-init
 ===
 --- share/debian-edu-config/tools/kerberos-kdc-init (revisjon 77105)
 +++ share/debian-edu-config/tools/kerberos-kdc-init (arbeidskopi)
 @@ -237,8 +237,9 @@
  kadmin.local -q ktadd -k /etc/krb5.keytab.smtp smtp/tjener.intern
  chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp

 -# Kerberos policy setup
 -kadmin.local -q addpol -maxlife \2 days\ -minlength 5 users
 +# Kerberos policy setup.  Make sure passwords never expire, as
 +# long as LDAP and Samba passwords do not expire.
 +kadmin.local -q addpol -maxlife never -minlength 5 users
  kadmin.local -q addpol -minclasses 2 hosts
  }


 Anyone know why the -maxlife 2 days were there in the first place?
 --
 Happy hacking
 Petter Reinholdtsen





--

--

A N D R E A S   B.   M U N D T

GPG key: 4096R/617B586D 2010-03-22 Andreas B. Mundt--andreas.b.mu...@web.de
   Andreas B. Mundt--andi.mu...@web.de







Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Petter Reinholdtsen
[Andreas B. Mundt]
 Hi,

Hi.

 Just remove the -maxlife option completely.  Use something like:
 
  kadmin.local -q add_policy -minlength 4 -minclasses 2 user

What is the default value when -maxlife is not used?
--
Happy hacking
Petter Reinholdtsen






Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Petter Reinholdtsen
[George]
 Hi,

Hi.

 I also try to log in to thinclient using ssh from server. I get the
 question about saving the key and then it asks for a password. I log
 in as the user I created when installing skolelinux, and I even tried
 as another user created via GOsa. The only answer I get back from ssh
 is Permission denied. I tried to change password, as suggested
 down. But it does not work. I havnt changed anything when it comes to
 ssh so I guess I missed something? Anyone having a clue? I would
 really need to login to the terminal to continue tracking down some
 issues.

To be able to log into a thin client, you have to set the root password
in the LTSP chroot and reboot the thin client for this change to take
effect.  I do not believe the LDAP users are visible on thin clients.

Try to run

  ltsp-chroot -a i386 passwd

as root to set the root password.
-- 
Happy hacking
Petter Reinholdtsen





Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Andreas B. Mundt
On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
 [Andreas B. Mundt]

  Just remove the -maxlife option completely.  Use something like:
 
   kadmin.local -q add_policy -minlength 4 -minclasses 2 user

 What is the default value when -maxlife is not used?
 --

I use a default policy created by:

  kadmin.local -q "add_policy -minlength 4 -minclasses 2 default"

A user principal foo with this policy shows the following:

root@mainserver:~# kadmin.local
Authenticating as principal root/admin@INTERN with password.
kadmin.local:  get_principal foo
Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:

So the default seems to be:

   Password expiration date: [none]

Regards,

Andi



--

A N D R E A S   B.   M U N D T

GPG key: 4096R/617B586D 2010-03-22 Andreas B. Mundt--andreas.b.mu...@web.de
   Andreas B. Mundt--andi.mu...@web.de








Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-20 Thread Andreas B. Mundt
Forwarded message, as I forgot to cc the debian-edu list:

On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
 [Andreas B. Mundt]

  Just remove the -maxlife option completely.  Use something like:
 
   kadmin.local -q add_policy -minlength 4 -minclasses 2 user

 What is the default value when -maxlife is not used?
 --

I use a default policy created by:

  kadmin.local -q "add_policy -minlength 4 -minclasses 2 default"

A user principal foo with this policy shows the following:

root@mainserver:~# kadmin.local
Authenticating as principal root/admin@INTERN with password.
kadmin.local:  get_principal foo
Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:

So the default seems to be:

   Password expiration date: [none]

Regards,

Andi



--

A N D R E A S   B.   M U N D T

GPG key: 4096R/617B586D 2010-03-22 Andreas B. Mundt--andreas.b.mu...@web.de
   Andreas B. Mundt--andi.mu...@web.de







Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-19 Thread Alf Tonny Bätz
package: debian-edu-config
severity: minor
version: squeeze

Have come over a problem with that a user can't after some days login with ssh.

The user's password works in gosa, and only way to activate login with
ssh again, is to change the password, and login with ssh works again
for some days.
Are trying to find out more about this, and will give out more info as I find it

regards Alf Tonny Bätz






Re: Bug#664596: User seems to missing ability to login via ssh/console after some days

2012-03-19 Thread Mike Gabriel

Hi Alf,

On Mon 19 Mar 2012 09:24:51 CET Alf Tonny Bätz wrote:


package: debian-edu-config
severity: minor
version: squeeze

Have come over a problem with that a user cant after some days  
loging with ssh.


The users password works in gosa, and only way to activate login with
ssh again, is to change the password, and login with ssh works again
for some days.
Are trying to find out more about this, and will give out more info  
as i find it


regards Alf Tonny Bätz


I can confirm this and suppose this might be related to setting a  
Kerberos policy for user principals. (in gosa-create.sh).


Greets,
Mike


--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
