On Thu, Jan 08, 2015 at 10:39:36AM +0530, Ashish Yadav wrote:
> Hi,
>
> > What happens if you call
> >
> > kinit [email protected]
>
> It asks for password and current password is working for getting kerberos
> ticket and not asking me to reset the password.
>
> > on the Linux command line. Are you asked for a new password here? If
> > not Samba might not return the right error code to indicate that the
> > password is expired.
>
> I posted this query in samba mailing list also but they told me that if
> Windows 7 client is working fine then Samba is working fine.
>
> > In this case it would be nice if you can send the
> > output of
> >
> > KRB5_TRACE=/dev/stdout kinit [email protected]
>
> Here is the output of the above command,
>
> # KRB5_TRACE=/dev/stdout kinit test
> [2507] 1420693228.971649: Getting initial credentials for [email protected]
> [2507] 1420693228.974468: Sending request (210 bytes) to INTRA.EXAMPLE.COM
> [2507] 1420693228.976230: Sending initial UDP request to dgram 172.16.0.170:8880
> [2507] 1420693228.981059: Received answer from dgram 172.16.0.170:8880
> [2507] 1420693228.981167: Response was not from master KDC
> [2507] 1420693228.981252: Received error from KDC: -1765328359/Additional pre-authentication required
> [2507] 1420693228.981413: Processing preauth types: 16, 15, 2, 138, 136, 11, 19
> [2507] 1420693228.981477: Selected etype info: etype rc4-hmac, salt "INTRA.EXAMPLE.COMtest", params ""
> [2507] 1420693228.981532: Selected etype info: etype rc4-hmac, salt "INTRA.EXAMPLE.COMtest", params ""
> Password for [email protected]:
> [2507] 1420693231.111979: AS key obtained for encrypted timestamp: rc4-hmac/3CC1
> [2507] 1420693231.112235: Encrypted timestamp (for 1420693231.112064): plain 301AA011180F32303135303130383035303033315AA105020301B5C0, encrypted F92A0E3BEF336E51C24C4CB9E8EB1ACE49ECA2BE32C9ABD207062898FD593268EEA31CF0185BE2B2B05F3A4A47328E9B1149AFA0
> [2507] 1420693231.112272: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
> [2507] 1420693231.112292: Produced preauth for next request: 2
> [2507] 1420693231.112341: Sending request (286 bytes) to INTRA.EXAMPLE.COM
> [2507] 1420693231.112611: Sending initial UDP request to dgram 172.16.0.170:8880
> [2507] 1420693231.116296: Received answer from dgram 172.16.0.170:8880
> [2507] 1420693231.116448: Response was not from master KDC

Thank you for the output. When I run kinit against a Windows DC I get

[10020] 1420716572.35107: Received error from KDC: -1765328361/Password has expired

which lets the client know that the password is expired and must be renewed, which kinit and SSSD do correctly when talking to a Windows server. Since Windows clients do not use only plain Kerberos for authentication they might get the information that the password must be renewed by other means.

I will talk to Samba developers to see if Samba can be changed to behave like a Windows DC here and will let you know the result.

bye,
Sumit

> [2507] 1420693231.116573: Processing preauth types: 3
> [2507] 1420693231.116586: Received salt "��" via padata type 3
> [2507] 1420693231.116597: Produced preauth for next request: (empty)
> [2507] 1420693231.116616: AS key determined by preauth: rc4-hmac/3CC1
> [2507] 1420693231.116694: Decrypted AS reply; session key is: rc4-hmac/4D55
> [2507] 1420693231.116724: FAST negotiation: available
> [2507] 1420693231.116729: Initializing FILE:/tmp/krb5cc_0 with default princ [email protected]
> [2507] 1420693231.117523: Removing [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_0
> [2507] 1420693231.117542: Storing [email protected] -> krbtgt/[email protected] in FILE:/tmp/krb5cc_0
> [2507] 1420693231.117710: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/[email protected]: fast_avail: yes
> [2507] 1420693231.117903: Removing [email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/INTRA.EXAMPLE.COM\@INTRA.EXAMPLE.COM@X-CACHECONF: from FILE:/tmp/krb5cc_0
> [2507] 1420693231.117920: Storing [email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/INTRA.EXAMPLE.COM\@INTRA.EXAMPLE.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0
>
> --Regards
> Ashishkumar S. Yadav
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
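
Added example, not part of the original thread and not SSSD or Samba code: a small Python check that reads a kinit KRB5_TRACE capture and reports whether the KDC signalled password expiry (-1765328361) or issued a TGT without doing so, which is the difference between the two traces discussed above. The function name, verdict strings and sample traces (principal alice@EXAMPLE.TEST) are constructed for illustration.

```python
import re

# Error codes exactly as they appear in the traces quoted in this thread.
PREAUTH_REQUIRED = -1765328359   # "Additional pre-authentication required"
KEY_EXPIRED = -1765328361        # "Password has expired"

ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")
TGT_RE = re.compile(r"Storing \S+ -> krbtgt/\S+ in (\S+)")


def classify_trace(text):
    """Return (verdict, errors) for one kinit KRB5_TRACE capture."""
    errors, ccache = [], None
    for line in text.splitlines():
        line = line.lstrip("> ").strip()          # tolerate mail quoting
        m = ERR_RE.search(line)
        if m:
            errors.append((int(m.group(1)), m.group(2).strip()))
            continue
        m = TGT_RE.search(line)
        if m:
            ccache = m.group(1)                   # TGT written to this cache
    codes = {code for code, _ in errors}
    if KEY_EXPIRED in codes:
        verdict = "kdc-reported-expired"          # client can prompt for change
    elif ccache:
        verdict = "tgt-issued-no-expiry-signal"   # expiry never reached client
    elif codes - {PREAUTH_REQUIRED}:
        verdict = "failed-other-error"
    else:
        verdict = "incomplete"
    return verdict, errors


# Constructed sample traces, shaped like the two cases in the thread.
NO_SIGNAL = """\
[2507] 1420693228.981252: Received error from KDC: -1765328359/Additional pre-authentication required
[2507] 1420693231.116694: Decrypted AS reply; session key is: rc4-hmac/4D55
[2507] 1420693231.117542: Storing alice@EXAMPLE.TEST -> krbtgt/EXAMPLE.TEST@EXAMPLE.TEST in FILE:/tmp/krb5cc_0
"""
EXPIRED = """\
[10020] 1420716572.35000: Received error from KDC: -1765328359/Additional pre-authentication required
[10020] 1420716572.35107: Received error from KDC: -1765328361/Password has expired
"""

if __name__ == "__main__":
    for name, trace in (("no-signal", NO_SIGNAL), ("expired", EXPIRED)):
        print(name, classify_trace(trace))
```
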
