Bug#664596: User seems to missing ability to login via ssh/console after some days
I have to change my pwd first to update the expiration date after your fix:

root@tjener:~# kadmin.local -q "modpol -maxlife 0secs users"
Authenticating as principal root/admin@INTERN with password.
root@tjener:~# echo getprinc berham |kadmin.local |grep -i passw
Authenticating as principal root/admin@INTERN with password.
Last password change: Sat Mar 24 12:45:16 CET 2012
Password expiration date: Mon Mar 26 13:45:16 CEST 2012
Failed password attempts: 0
root@tjener:~#

pwd change in gosa…

root@tjener:~# echo getprinc berham |kadmin.local |grep -i passw
Authenticating as principal root/admin@INTERN with password.
Last password change: Sun Mar 25 12:17:08 CEST 2012
Password expiration date: [none]
Failed password attempts: 0

Regards,
Bernhard
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
It is not a bug, it is a feature of kerberos, I think.

Regards
Giorgio

On Sun, Mar 25, 2012 at 12:24:33PM +0200, Bernhard Hammes wrote:
> I have to change my pwd first to update the expiration date after your fix:
>
> root@tjener:~# kadmin.local -q "modpol -maxlife 0secs users"
> Authenticating as principal root/admin@INTERN with password.
> root@tjener:~# echo getprinc berham |kadmin.local |grep -i passw
> Authenticating as principal root/admin@INTERN with password.
> Last password change: Sat Mar 24 12:45:16 CET 2012
> Password expiration date: Mon Mar 26 13:45:16 CEST 2012
> Failed password attempts: 0
> root@tjener:~#
>
> pwd change in gosa…
>
> root@tjener:~# echo getprinc berham |kadmin.local |grep -i passw
> Authenticating as principal root/admin@INTERN with password.
> Last password change: Sun Mar 25 12:17:08 CEST 2012
> Password expiration date: [none]
> Failed password attempts: 0
>
> Regards,
> Bernhard

--
Sysadmin SPSE-Tenero
Ufficio: +41 91 735 62 48
Cellulare: +41 79 629 20 63

--
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120325114320.ga6...@ticino.com
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
On Tue, Mar 20, 2012 at 10:47:40PM +0100, Andreas B. Mundt wrote:
> On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
> > [Andreas B. Mundt]
> > > Just remove the -maxlife option completely. Use something like:
> > > kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"
> >
> > What is the default value when -maxlife is not used?
>
> I use a default policy created by:
> kadmin.local -q "add_policy -minlength 4 -minclasses 2 default"
> [..]
> So the default seems to be:
> Password expiration date: [none]

Yes, in other words the default value seems to be 0.

So one could set it back to the default by executing

kadmin.local -q "modpol -maxlife 0secs users"

New user accounts should then have:
Password expiration date: [none]

Wolfgang
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
[Wolfgang Schweer]
> Yes, in other words the default value seems to be 0.
>
> So one could set it back to the default by executing
>
> kadmin.local -q "modpol -maxlife 0secs users"
>
> New user accounts should then have:
> Password expiration date: [none]

It even affected old users:

root@tjener:~# kadmin.local -q "modpol -maxlife 0secs users"
Authenticating as principal root/admin@INTERN with password.
root@tjener:~# echo getprinc pere |kadmin.local |grep -i passw
Authenticating as principal root/admin@INTERN with password.
Last password change: Sat Feb 04 13:41:41 CET 2012
Password expiration date: [none]
Failed password attempts: 0
root@tjener:~#

Great! Who documents how to fix an existing installation and provide a script to fix it in debian-edu-config? We should also fix it for new installations. I lack a test bench at the moment and can not test a fix myself.

Btw, does this mean the first user is not using the users policy? I guess it should be identical to other users in this regard.
--
Happy hacking
Petter Reinholdtsen
Bug#664596: User seems to missing ability to login via ssh/console after some days
[Petter Reinholdtsen]
> > So one could set it back to the default by executing
> >
> > kadmin.local -q "modpol -maxlife 0secs users"
> >
> > New user accounts should then have:
> > Password expiration date: [none]
>
> It even affected old users:

Gah, my mistake. pere was the first user, which is not affected by this problem. An old user did not get its password expiration date changed to 'none' by using the command above.
--
Happy hacking
Petter Reinholdtsen
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
On Sat, Mar 24, 2012 at 04:02:59PM +0100, Petter Reinholdtsen wrote:
> [Petter Reinholdtsen]
> > > So one could set it back to the default by executing
> > >
> > > kadmin.local -q "modpol -maxlife 0secs users"
> > >
> > > New user accounts should then have:
> > > Password expiration date: [none]
> >
> > It even affected old users:
>
> Gah, my mistake. pere was the first user, which is not affected by this problem. An old user did not get its password expiration date changed to 'none' by using the command above.

The change will take place as soon as the user changes the password.

Please check this script.

#!/bin/bash
#
# /usr/share/debian-edu-config/tools/password-fix
#
# Fix password expiring after 2 days; for new users the password will never
# expire. For existing users this will be the case after they've changed
# their password. Give old users the chance to change the password, exclude
# not affected accounts: templates and first user
#
for i in $(getent passwd|grep home0|grep -v newteacher|grep -v newstudent|grep -v 1000:1000|cut -d: -f1)
do
    kadmin.local -q "modprinc -pwexpire 7000days $i"
done
kadmin.local -q "modpol -maxlife 0secs users"

Wolfgang
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
[Wolfgang Schweer]
> Please check this script.

Seem to work fine on my test server, but I propose a slightly more efficient grep line and a bit more robust handling of the first user. Also propose to add more information in the comment to have an idea four years from now that the script is obsolete. :)

#!/bin/bash
#
# /usr/share/debian-edu-config/tools/password-fix-squeeze-r0
#
# Fix password expiring after 2 days (#664596) incorrectly introduced
# in Debian Edu Squeeze up to r0; for new users the password will
# never expire. For existing users this will be the case after they've
# changed their password. Give old users the chance to change the
# password, exclude not affected accounts: templates and first user.
#
for i in $(getent passwd | grep home0 | egrep -v 'newteacher|newstudent|:1000:1000:' | cut -d: -f1) ; do
    kadmin.local -q "modprinc -pwexpire 7000days $i"
done
kadmin.local -q "modpol -maxlife 0secs users"

I've committed it to svn.
--
Happy hacking
Petter Reinholdtsen
Bug#664596: User seems to missing ability to login via ssh/console after some days
On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > Hi,
>
> Hi.
>
> > Just remove the -maxlife option completely. Use something like:
> > kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"

The default policy I think is 1year, but I'm not sure of it

Regards
Giorgio

> What is the default value when -maxlife is not used?
> --
> Happy hacking
> Petter Reinholdtsen
Bug#664596: User seems to missing ability to login via ssh/console after some days
Hi all,

On Wed 21 Mar 2012 07:15:17 CET Giorgio Pioda wrote:
> On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
> > [Andreas B. Mundt]
> > > Hi,
> >
> > Hi.
> >
> > > Just remove the -maxlife option completely. Use something like:
> > > kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"
>
> The default policy I think is 1year, but I'm not sure of it

The intention of placing a -maxlife argument into the policy was for defining the maximum ticket lifetime so the ticket may survive 24h.

Unfortunately, I mixed up the -maxlife option of add_principal (which does exactly the described above) and the -maxlife option of add_policy. The former sets the max life time of the ticket, the latter the max life time of the password.

Arg Sorry for the inconvenience!!!

Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
Hi,

I also try to log in to thinclient using ssh from server. I get the question about saving the key and then it asks for a password. I log in as the user I created when installing skolelinux, and I even tried as another user created via GOsa. The only answer I get back from ssh is Permission denied. I tried to change password, as suggested down. But it does not work.

I haven't changed anything when it comes to ssh so I guess I missed something? Anyone having a clue? I would really need to login to the terminal to continue tracking down some issues.

Regards
/George

--- On Mon 2012-03-19, Mike Gabriel mike.gabr...@das-netzwerkteam.de wrote:

From: Mike Gabriel mike.gabr...@das-netzwerkteam.de
Subject: Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
To: debian-edu@lists.debian.org
Date: Monday 19 March 2012 23:20

> Hi Alf,
>
> On Mon 19 Mar 2012 09:24:51 CET Alf Tonny Bätz wrote:
> > package: debian-edu-config
> > severity: minor
> > version: squeeze
> >
> > Have come over a problem with that a user can't after some days login with ssh. The users password works in gosa, and only way to activate login with ssh again, is to change the password, and login with ssh works again for some days.
> >
> > Are trying to find out more about this, and will give out more info as i find it
> >
> > regards
> > Alf Tonny Bätz
>
> I can confirm this and suppose this might be related to setting a Kerberos policy for user principals. (in gosa-create.sh).
>
> Greets,
> Mike
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
Did you change the password to the user with the sudo user you created under installations? The user themselves can't change the password to make ssh work when this bug has come. I had to change it for the user to make ssh work again.

Regards
Alf Tonny Bätz

2012/3/20 George joj...@yahoo.se
> Hi,
>
> I also try to log in to thinclient using ssh from server. I get the question about saving the key and then it asks for a password. I log in as the user I created when installing skolelinux, and I even tried as another user created via GOsa. The only answer I get back from ssh is Permission denied. I tried to change password, as suggested down. But it does not work.
>
> I haven't changed anything when it comes to ssh so I guess I missed something? Anyone having a clue? I would really need to login to the terminal to continue tracking down some issues.
>
> Regards
> /George
>
> --- On Mon 2012-03-19, Mike Gabriel mike.gabr...@das-netzwerkteam.de wrote:
>
> From: Mike Gabriel mike.gabr...@das-netzwerkteam.de
> Subject: Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
> To: debian-edu@lists.debian.org
> Date: Monday 19 March 2012 23:20
>
> > Hi Alf,
> >
> > On Mon 19 Mar 2012 09:24:51 CET Alf Tonny Bätz wrote:
> > > package: debian-edu-config
> > > severity: minor
> > > version: squeeze
> > >
> > > Have come over a problem with that a user can't after some days login with ssh. The users password works in gosa, and only way to activate login with ssh again, is to change the password, and login with ssh works again for some days.
> > >
> > > Are trying to find out more about this, and will give out more info as i find it
> > >
> > > regards
> > > Alf Tonny Bätz
> >
> > I can confirm this and suppose this might be related to setting a Kerberos policy for user principals. (in gosa-create.sh).
> >
> > Greets,
> > Mike
Bug#664596: User seems to missing ability to login via ssh/console after some days
[Alf Tonny Bätz]
> Are trying to find out more about this, and will give out more info as i find it

Can you try the following while logged in as the problematic user, before and after the problem occur.

LDAP bind password checking:

  ldapwhoami -Z -W -D "$(ldapsearch -x "(uid=$(whoami))" | awk '/dn:/ { print $2}')"

Kerberos password checking:

  kinit

Also, it would be useful if you could run this as root to extract the LDAP object for the affected user. Remember to replace 'pere' with the username in question.

  slapcat | tr '\n' '\t' | sed 's/\t\t/\n/g' | grep uid=pere | tr '\t' '\n'

This will provide the password hashes, so please only do this if it is OK to share the passwords. Please also provide the password set originally and the password set later on, with information about when the password were changed and which method were used.

Last, is there anything interesting in the syslog? Please run this as root:

  zgrep gosa /var/log/syslog*

--
Happy hacking
Petter Reinholdtsen
Bug#664596: User seems to missing ability to login via ssh/console after some days
I was able to sit down with Alf Tonny and look at this issue, and we believe we figured out the problem.

The Kerberos passwords are set in policy to expire after two days (172800 seconds). To see if this is the case for your user(s), use this (replace ldapuser with one of your local users):

root@tjener:~# echo getprinc ldapuser |kadmin.local |grep -i passw
Authenticating as principal root/admin@INTERN with password.
Last password change: Tue Feb 21 19:05:00 CET 2012
Password expiration date: Thu Feb 23 19:05:00 CET 2012
Failed password attempts: 0
root@tjener:~#

If I understand this correctly, one can fix it locally by running this as root on tjener:

  echo modify_policy -maxlife never users | kadmin.local

It should change the policy to never expire passwords. But I am unsure if this is really working, as the getprinc call then start to claim the users passwords will expire around 1970. And the user can not log in using the password, and setting a new password do not change the password expiration date. Setting it to '180days' instead of 'never' work, though.

Anyone got any ideas how to properly fix this?
--
Happy hacking
Petter Reinholdtsen
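The getprinc check from the message above, generalised to several principals at once, as an added example that is not part of the original thread: it computes the gap between "Last password change" and "Password expiration date" so the two-day (172800 second) policy shows up directly. The function names, the sample input (constructed from values quoted in this thread, with Principal and Policy lines assumed for berham and ldapuser) and the CET/CEST-only time zone handling are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads get_principal output for one or
# more principals on stdin and prints "principal policy lifetime", where
# lifetime is the number of seconds between "Last password change" and
# "Password expiration date", or "none" when no expiry is set.
# Assumption: timestamps use the CET/CEST/UTC abbreviations seen in the thread.
pw_lifetimes() {
    awk '
    # Convert a stamp like "Sat Mar 24 12:45:16 CET 2012" to epoch seconds.
    function epoch(s,    f, t, y, m, d, era, yoe, doy, doe, off, days) {
        split(s, f, " "); split(f[4], t, ":")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[2]) + 2) / 3
        d = f[3] + 0; y = f[6] + 0
        off = (f[5] == "CEST") ? 2 : ((f[5] == "CET") ? 1 : 0)
        # Days since 1970-01-01 for a Gregorian date (year counted from March).
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        return days * 86400 + t[1] * 3600 + t[2] * 60 + t[3] - off * 3600
    }
    # Print the record collected so far and reset the per-principal state.
    function emit(    life) {
        if (princ == "") return
        if (expires ~ /^\[/)      life = "none"
        else if (changed ~ /^\[/) life = "unknown"
        else                      life = epoch(expires) - epoch(changed)
        print princ, policy, life
        princ = ""; policy = "-"; changed = ""; expires = ""
    }
    BEGIN { policy = "-" }
    /^Principal:/                { emit(); princ = $2 }
    /^Last password change:/     { changed = $0; sub(/^[^:]*: */, "", changed) }
    /^Password expiration date:/ { expires = $0; sub(/^[^:]*: */, "", expires) }
    /^Policy:/                   { policy = $2 }
    END { emit() }
    '
}

# Principals that still carry an expiry date, i.e. that keep the old limit
# until their password is changed or the expiry is reset by an administrator.
still_expiring() {
    pw_lifetimes | awk '$3 != "none" { print $1 }'
}

# Constructed sample input, built from the getprinc values quoted in the thread.
sample_getprinc() {
    cat <<'EOF'
Principal: berham@INTERN
Last password change: Sat Mar 24 12:45:16 CET 2012
Password expiration date: Mon Mar 26 13:45:16 CEST 2012
Policy: users
Principal: ldapuser@INTERN
Last password change: Tue Feb 21 19:05:00 CET 2012
Password expiration date: Thu Feb 23 19:05:00 CET 2012
Policy: users
Principal: foo@INTERN
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Policy: default
EOF
}

sample_getprinc | pw_lifetimes
```

The berham entry spans the CET to CEST switch, which is why the wall-clock times differ by an hour while the lifetime is still exactly 172800 seconds.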
Bug#664596: User seems to missing ability to login via ssh/console after some days
[Petter Reinholdtsen]
> Anyone got any ideas how to properly fix this?

I suspect this patch will solve it for first time installations. We need to figure out how to fix it for existing installations too.

Index: share/debian-edu-config/tools/kerberos-kdc-init === --- share/debian-edu-config/tools/kerberos-kdc-init (revisjon 77105) +++ share/debian-edu-config/tools/kerberos-kdc-init (arbeidskopi) @@ -237,8 +237,9 @@ kadmin.local -q ktadd -k /etc/krb5.keytab.smtp smtp/tjener.intern chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp -# Kerberos policy setup -kadmin.local -q addpol -maxlife \2 days\ -minlength 5 users +# Kerberos policy setup. Make sure passwords never expire, as +# long as LDAP and Samba passwords do not expire. +kadmin.local -q addpol -maxlife never -minlength 5 users kadmin.local -q addpol -minclasses 2 hosts }

Anyone know why the -maxlife 2 days were there in the first place?
--
Happy hacking
Petter Reinholdtsen
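Review bot: The added line "kadmin.local -q addpol -maxlife never -minlength 5 users" passes "never" as the -maxlife value, and the diagnosis message in this thread reports that "modify_policy -maxlife never users" left getprinc showing expiry dates around 1970 with logins failing. Drop -maxlife from this addpol line, or confirm on a fresh KDC that the resulting principals show "Password expiration date: [none]" before committing. The hunk also only changes how the policy is created, so databases initialised with the old "2 days" line keep that policy and need a separate fix.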
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
In my experience with kerberos updating the policies will NOT affect directly the principals.

First you have to change the policies and then reset passwords with cpw.

Cheers
Giorgio

On Tue, Mar 20, 2012 at 08:39:29PM +0100, Petter Reinholdtsen wrote:
> I was able to sit down with Alf Tonny and look at this issue, and we believe we figured out the problem.
>
> The Kerberos passwords are set in policy to expire after two days (172800 seconds). To see if this is the case for your user(s), use this (replace ldapuser with one of your local users):
>
> root@tjener:~# echo getprinc ldapuser |kadmin.local |grep -i passw
> Authenticating as principal root/admin@INTERN with password.
> Last password change: Tue Feb 21 19:05:00 CET 2012
> Password expiration date: Thu Feb 23 19:05:00 CET 2012
> Failed password attempts: 0
> root@tjener:~#
>
> If I understand this correctly, one can fix it locally by running this as root on tjener:
>
>   echo modify_policy -maxlife never users | kadmin.local
>
> It should change the policy to never expire passwords. But I am unsure if this is really working, as the getprinc call then start to claim the users passwords will expire around 1970. And the user can not log in using the password, and setting a new password do not change the password expiration date. Setting it to '180days' instead of 'never' work, though.
>
> Anyone got any ideas how to properly fix this?
> --
> Happy hacking
> Petter Reinholdtsen
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
Hi,

On Tue, Mar 20, 2012 at 09:04:54PM +0100, Petter Reinholdtsen wrote:
> [Petter Reinholdtsen]
> > Anyone got any ideas how to properly fix this?

Just remove the -maxlife option completely. Use something like:

kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"

Regards,

Andi

> I suspect this patch will solve it for first time installations. We need to figure out how to fix it for existing installations too.
>
> Index: share/debian-edu-config/tools/kerberos-kdc-init === --- share/debian-edu-config/tools/kerberos-kdc-init (revisjon 77105) +++ share/debian-edu-config/tools/kerberos-kdc-init (arbeidskopi) @@ -237,8 +237,9 @@ kadmin.local -q ktadd -k /etc/krb5.keytab.smtp smtp/tjener.intern chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp -# Kerberos policy setup -kadmin.local -q addpol -maxlife \2 days\ -minlength 5 users +# Kerberos policy setup. Make sure passwords never expire, as +# long as LDAP and Samba passwords do not expire. +kadmin.local -q addpol -maxlife never -minlength 5 users kadmin.local -q addpol -minclasses 2 hosts }
>
> Anyone know why the -maxlife 2 days were there in the first place?
> --
> Happy hacking
> Petter Reinholdtsen

--
A N D R E A S B. M U N D T
GPG key: 4096R/617B586D 2010-03-22
Andreas B. Mundt--andreas.b.mu...@web.de
Andreas B. Mundt--andi.mu...@web.de
Bug#664596: User seems to missing ability to login via ssh/console after some days
[Andreas B. Mundt]
> Hi,

Hi.

> Just remove the -maxlife option completely. Use something like:
> kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"

What is the default value when -maxlife is not used?
--
Happy hacking
Petter Reinholdtsen
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
[George]
> Hi,

Hi.

> I also try to log in to thinclient using ssh from server. I get the question about saving the key and then it asks for a password. I log in as the user I created when installing skolelinux, and I even tried as another user created via GOsa. The only answer I get back from ssh is Permission denied. I tried to change password, as suggested down. But it does not work.
>
> I haven't changed anything when it comes to ssh so I guess I missed something? Anyone having a clue? I would really need to login to the terminal to continue tracking down some issues.

To be able to log into a thin client, you have to set the root password in the LTSP chroot and reboot the thin client for this change to take effect. I do not believe the LDAP users are visible on thin clients.

Try to run

  ltsp-chroot -a i386 passwd

as root to set the root password.
--
Happy hacking
Petter Reinholdtsen
Bug#664596: User seems to missing ability to login via ssh/console after some days
On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > Just remove the -maxlife option completely. Use something like:
> > kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"
>
> What is the default value when -maxlife is not used?

I use a default policy created by:

kadmin.local -q "add_policy -minlength 4 -minclasses 2 default"

A user principal foo with this policy shows the following:

root@mainserver:~# kadmin.local
Authenticating as principal root/admin@INTERN with password.
kadmin.local: get_principal foo
Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:

So the default seems to be:
Password expiration date: [none]

Regards,

Andi
Bug#664596: User seems to missing ability to login via ssh/console after some days
Forwarded message, as I forgot to cc the debian-edu list:

On Tue, Mar 20, 2012 at 10:00:43PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > Just remove the -maxlife option completely. Use something like:
> > kadmin.local -q "add_policy -minlength 4 -minclasses 2 user"
>
> What is the default value when -maxlife is not used?

I use a default policy created by:

kadmin.local -q "add_policy -minlength 4 -minclasses 2 default"

A user principal foo with this policy shows the following:

root@mainserver:~# kadmin.local
Authenticating as principal root/admin@INTERN with password.
kadmin.local: get_principal foo
Principal: foo@INTERN
Expiration date: [never]
Last password change: Thu Mar 01 20:12:10 CET 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 01 20:12:11 CET 2012 (root/admin@INTERN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, DES cbc mode with CRC-32, Version 5
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:

So the default seems to be:
Password expiration date: [none]

Regards,

Andi
Bug#664596: User seems to missing ability to login via ssh/console after some days
package: debian-edu-config
severity: minor
version: squeeze

Have come over a problem with that a user can't after some days login with ssh. The users password works in gosa, and only way to activate login with ssh again, is to change the password, and login with ssh works again for some days.

Are trying to find out more about this, and will give out more info as i find it

regards
Alf Tonny Bätz
Re: Bug#664596: User seems to missing ability to login via ssh/console after some days
Hi Alf,

On Mon 19 Mar 2012 09:24:51 CET Alf Tonny Bätz wrote:
> package: debian-edu-config
> severity: minor
> version: squeeze
>
> Have come over a problem with that a user can't after some days login with ssh. The users password works in gosa, and only way to activate login with ssh again, is to change the password, and login with ssh works again for some days.
>
> Are trying to find out more about this, and will give out more info as i find it
>
> regards
> Alf Tonny Bätz

I can confirm this and suppose this might be related to setting a Kerberos policy for user principals. (in gosa-create.sh).

Greets,
Mike