Bug 1651278

| Summary: | IPA admin user password breaking | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matt.Agresta <Matt.Agresta> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | fcami, Matt.Agresta, pvoborni, rcritten, tscherf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-04-15 13:37:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Matt.Agresta@kuehne-nagel.com
2018-11-19 15:25:13 UTC
Change the expiration to a date < 2038.

(In reply to Rob Crittenden from comment #2)
> Change the expiration to a date < 2038.

Thanks. I changed the password policy, updated the password and logins are working now. I will monitor over the next couple of days.

The password seemed to not be working again today. I reset it and it's working now but I am guessing it will break again. Below are the logs. I am not sure if it's related but I also see "Clock skew too great" messages in the krb5kdc.log

```
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Additional pre-authentication required
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23506](info): closing down fd 11
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: ISSUE: authtime 1542722746, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23506](info): closing down fd 11
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: NEEDED_PREAUTH: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Additional pre-authentication required
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): closing down fd 11
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: PREAUTH_FAILED: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Incorrect password in encrypted challenge
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): closing down fd 11
```

Define "not working".

Correct time is critical for Kerberos to work properly.

WEB UI login failed with incorrect password error, kinit admin also failed with incorrect credentials. ntpq is showing the following for offset on both servers, are these offsets too large?

```
[root@lxipaazan100s log]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*us.int.kn       209.51.161.238   2 u   77 1024  377    0.328    9.619   2.296
+denotsl1465.int 192.53.103.104   2 u  962 1024  377  109.724    4.270   1.908
+dns-ap.int.kn   193.225.118.163  3 u 1005 1024  377  223.230  -20.122   8.157

[root@lxipaazan200s ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*nilxaza0110.us. 209.51.161.238   2 u   46   64  377    0.977    6.698   0.079
+denotsl1465.int 192.53.103.104   2 u   54   64  377  102.562    0.469   1.153
+dns-ap.int.kn   193.225.118.163  3 u   47   64  377  218.082  -29.055   4.347
```

I have fixed my clock skew errors, but this issue persists. It seems to only happen with the admin account.

```
Dec 05 11:39:29 lxipaazan100s.ipa.us.int.kn krb5kdc[32591](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: NEEDED_PREAUTH: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Additional pre-authentication required
Dec 05 11:39:29 lxipaazan100s.ipa.us.int.kn krb5kdc[32591](info): closing down fd 10
Dec 05 11:39:31 lxipaazan100s.ipa.us.int.kn krb5kdc[32591](info): closing down fd 10
Dec 05 11:39:31 lxipaazan100s.ipa.us.int.kn krb5kdc[32590](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.66.153: ISSUE: authtime 1544027971, etypes {rep=18 tkt=18 ses=18}, host/lxadpazdn200s.us.int.kn.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN
Dec 05 11:39:31 lxipaazan100s.ipa.us.int.kn krb5kdc[32590](info): closing down fd 10
Dec 05 11:39:32 lxipaazan100s.ipa.us.int.kn krb5kdc[32590](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 05 11:39:32 lxipaazan100s.ipa.us.int.kn krb5kdc[32590](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: PREAUTH_FAILED: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Preauthentication failed
```

Is this still occurring? There should be no reason why only a single account would be affected by something like this.

Re-reading this, you stated that the password expiration date was 2073-08-09. The date is stored as a 32-bit value so needs to be less than 2038.

We haven't heard from you in a while, therefore I am closing this bug. Please feel free to reopen with the above required data if needed.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
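The 32-bit limit mentioned in the thread can be checked before a policy change is applied. The following is an added example, not code from the bug thread or from the IPA project: it tests whether an expiration timestamp fits a signed 32-bit seconds-since-epoch field, shows the value left after truncation, and computes the longest whole-day password lifetime that still expires before the limit. The LDAP GeneralizedTime input format and the midnight time of day are assumptions; the thread does not state what the KDC does with an out-of-range value.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # last second a signed 32-bit time value can hold


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20730809000000Z' (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def as_int32(seconds):
    """Two's-complement value left after truncating to a signed 32-bit field."""
    return (seconds + 2**31) % 2**32 - 2**31


def check_expiration(value):
    """Report whether an expiration timestamp survives 32-bit storage."""
    epoch = int((parse_generalized_time(value) - EPOCH).total_seconds())
    stored = as_int32(epoch)
    return {
        "epoch": epoch,
        "fits": 0 <= epoch <= INT32_MAX,
        "stored": stored,
        # Built with timedelta so negative values work on every platform.
        "stored_as_date": EPOCH + timedelta(seconds=stored),
    }


def max_safe_lifetime_days(now):
    """Largest whole-day password lifetime that still expires before the limit."""
    remaining = INT32_MAX - int((now - EPOCH).total_seconds())
    return max(remaining // 86400, 0)


if __name__ == "__main__":
    # Constructed input: the 2073-08-09 date from the thread, time of day assumed.
    result = check_expiration("20730809000000Z")
    print(result["fits"], result["stored"], result["stored_as_date"].isoformat())
    # Date the bug was filed, taken from the page header.
    filed = datetime(2018, 11, 19, 15, 25, 13, tzinfo=timezone.utc)
    print(max_safe_lifetime_days(filed))
```
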