** Changed in: heimdal (Debian)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1004465
Title:
heimdal and mit kinit doesn't handle expired credentials
Status in heimdal package in Ubuntu:
Confirmed
Status in krb5 package in Ubuntu:
Fix Released
Status in heimdal package in Debian:
Confirmed
Bug description:
Hi.
ubuntu 12.04 i386,amd64
Currently kerberos kinit (both MIT and Heimdal) doesn't handle expired (or
'must change') passwords. That's a serious regression (lucid is fine): no
integration (pam) into kerberos environments that use password expiration can
be done. Tested with heimdal kdc (file and ldap db) and win2008r2 kdc on
several machines. This bug stops us from migrating to the next LTS in our
environment. I think it should be fixed.
Heimdal KDC logs are in the attachment. What I can see in these logs is that
lucid heimdal kinit doesn't send the REQ-ENC-PA-REP patype while precise kinits
do. Could this be the reason? If more info is needed, please just ask.
How to reproduce:
# apt-get -y install heimdal-kdc
# cat > /etc/krb5.conf
[libdefaults]
default_realm = TEST.LAN
[realms]
TEST.LAN = {
kdc=127.0.0.1
}
# kadmin -l init TEST.LAN
# kadmin -l add test
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:2000-01-01 # Set expiration time to the past
Attributes []:
Policy [default]:
[email protected]'s Password:
Verify password - [email protected]'s Password:
# apt-get -y install heimdal-clients
# dpkg -l |grep heimdal-clients
ii heimdal-clients 1.6~git20120311.dfsg.1-2 Heimdal Kerberos - clients
# kinit --version
kinit (Heimdal 1.5.99)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to [email protected]
# kinit test
[email protected]'s Password:
kinit: krb5_get_init_creds: Password has expired
And it does not ask to change the password.
# apt-get -y install krb5-user
# dpkg -l |grep krb5-user
ii krb5-user 1.10+dfsg~beta1-2 Basic programs to authenticate using MIT Kerberos
# kinit test
Password for [email protected]:
kinit: Generic preauthentication failure while getting initial credentials
And again it does not ask to change the password.
But kpasswd works fine (heimdal & mit):
# kpasswd test
[email protected]'s Password:
Your password will expire at Tue Jan 2 02:59:59 2000
New password for [email protected]:
Verify password - New password for [email protected]:
Success : Password changed
At the same time, everything works fine with ubuntu 10.04 heimdal (1.2) and
freebsd 9.0 heimdal (1.1) (kdc is still from ubuntu 12.04): they do
change the password if it's required.
Thanks.