Bug 797333

Summary: krbpasswordexpiration field in LDAP can not have value >= 20380119031408Z
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED DEFERRED
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: low
Docs Contact:
Priority: unspecified
Version: 7.0
CC: dpal, jgalipea, mkosek, narebeestjes, rmainz
Target Milestone: rc
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 796641
Environment:
Last Closed: 2015-01-21 15:07:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 796641
Bug Blocks:

Description Dmitri Pal 2012-02-25 00:27:28 UTC
+++ This bug was initially created as a clone of Bug #796641 +++

Description of problem:
kinit fails with the message:

kinit: ASN.1 failed call to system time library while getting initial
credentials

Or (krbpasswordexpiration == 20380119031408Z) tells you to change your password:
Password expired.  You must change it now.
Enter new password:

Version-Release number of selected component (if applicable):
krb5-server-1.9.2-6.fc16.x86_64
krb5-workstation-1.9.2-6.fc16.x86_64
freeipa-server-2.1.4-5.fc16.x86_64
389-ds-base-1.2.10-0.10.rc1.fc16.x86_64

How reproducible:
- use "kinit <user>"

Steps to Reproduce:
1. Use ldapmodify to change the value of "krbpasswordexpiration" to 20380119031408Z for "<user>"

2. Use "kinit <user>" to get a ticket

3. Repeat steps 1 and 2 with a value larger than 20380119031408Z

4. Repeat steps 1 and 2 with a value of 20380119031407Z or lower
  
Actual results:
2. Password expired.  You must change it now.

3. kinit: ASN.1 failed call to system time library while getting initial
credentials

Expected results:
- like in case 4: ticket granted, klist lists the ticket

Additional info:

Comment 2 Dmitri Pal 2012-02-26 17:55:02 UTC
Hello Joaquin,

I moved the bug here to the appropriate component. Please comment on this bug rather than on the original one.

So it is not clear what is the sequence of operations. Can you please be more specific? You install an IPA server, added user, did kinit and got the error? If it is different please describe. Also can you please attach kerberos and IPA logs so that we can troubleshoot the issue.

Thank you,
Dmitri

Comment 3 Joaquin 2012-03-02 13:17:51 UTC
Hi Dmitri,

Additional information: The error seems specific to the "admin" user!

Steps to reproduce:

- Installed latest IPA on Fedora 16 (see packages above)
- modified the expiration date for the "admin user":

change-admin-after.ldif:
------------------------
dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20980119031407Z

# ldapmodify -x -D "cn=Directory Manager" -W -v -f change-admin-after.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
replace krbPasswordExpiration:
        20980119031407Z
modifying entry "uid=admin,cn=users,cn=accounts,dc=my,dc=domain"
modify complete


- look at the /var/log/krb5kdc.log while doing "kinit admin" in another screen
[root@ipa02 ~]# kinit admin
Password for admin:
        ==>
Mar 02 13:43:27 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: CLIENT KEY EXPIRED: admin for krbtgt/MY.DOMAIN, Password has expired
Mar 02 13:43:27 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: admin for kadmin/changepw, Additional pre-authentication required

        ==> after typing password:
kinit: ASN.1 failed call to system time library while getting initial credentials
      ==> the tail prints
Mar 02 13:43:31 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330692211, etypes {rep=18 tkt=18 ses=18}, admin for kadmin/changepw


- repeating the same steps for a normal user does not reproduce the error:
[root@ipa02 ~]# kinit testuser
Password for testuser:
        ==>
Mar 02 13:47:00 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: testuser for krbtgt/MY.DOMAIN, Additional pre-authentication required

        ==> after typing password:
Mar 02 13:47:33 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330692453, etypes {rep=18 tkt=18 ses=18}, testuser for krbtgt/MY.DOMAIN



- Repeat the change for admin with expiration time 20380119031408Z
[root@ipa02 ~]# kinit admin
Password for admin
        ==>
Mar 02 14:03:50 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: CLIENT KEY EXPIRED: admin for krbtgt/MY.DOMAIN, Password has expired
Mar 02 14:03:50 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: admin for kadmin/changepw, Additional pre-authentication required

        ==> after typing password:
Password expired.  You must change it now.
Enter new password: 
      ==> the tail prints
Mar 02 14:04:00 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330693440, etypes {rep=18 tkt=18 ses=18}, admin for kadmin/changepw

- Repeat the change for admin with expiration time 20380119031407Z (or lower)

Mar 02 14:11:43 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: admin for krbtgt/MY.DOMAIN, Additional pre-authentication required

        ==> after typing password:
Mar 02 14:11:55 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330693915, etypes {rep=18 tkt=18 ses=18}, admin for krbtgt/MY.DOMAIN


Regards,

Joaquin

Comment 4 Dmitri Pal 2012-03-07 17:09:07 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2496

Comment 5 Dmitri Pal 2012-06-01 21:36:30 UTC
MIT is updating its capabilities to handle 32 bit unsigned time value. This would add another 68 years.
We will pull it in when it is ready.

Also we have several RFEs to allow passwords that never expire. We will be working on this feature some time early next year.
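
As an added check (not code from the bug report, FreeIPA or MIT krb5), the following Python classifies krbPasswordExpiration values against the 32-bit time boundaries behind the reproduction in Comment 3 and the "32 bit unsigned" remark in Comment 5; the symptom labels follow what Joaquin observed above, the LDIF sample is constructed, and the unsigned limit is the "another 68 years" Dmitri mentions.

```python
from datetime import datetime, timezone

# Boundaries behind the report (constructed audit helper, not FreeIPA or MIT krb5 code).
SIGNED_32BIT_LIMIT = 2**31     # 2147483648 == 2038-01-19T03:14:08Z, i.e. 20380119031408Z
UNSIGNED_32BIT_LIMIT = 2**32   # 2106-02-07T06:28:16Z, the "another 68 years" of Comment 5

# Constructed LDIF modelled on the change-admin-after.ldif shown in the report.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain
krbPasswordExpiration: 20980119031407Z

dn: uid=testuser,cn=users,cn=accounts,dc=my,dc=domain
krbPasswordExpiration: 20380119031407Z

dn: uid=edge,cn=users,cn=accounts,dc=my,dc=domain
krbPasswordExpiration: 20380119031408Z
"""

def generalized_time_to_epoch(value: str) -> int:
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ into Unix seconds."""
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    dt = datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def classify_expiration(value: str) -> str:
    """Map a krbPasswordExpiration value to the symptom the report observed."""
    epoch = generalized_time_to_epoch(value)
    if epoch < SIGNED_32BIT_LIMIT:
        return "ok"                 # 20380119031407Z or lower: ticket granted
    if epoch == SIGNED_32BIT_LIMIT:
        return "wraps-to-expired"   # exactly 2**31: "Password expired. You must change it now."
    return "asn1-error"             # above 2**31 (seen with 20980119031407Z): ASN.1 time failure

def fits_unsigned_32bit(value: str) -> bool:
    """True if the value would be representable once time is handled as 32-bit unsigned."""
    return generalized_time_to_epoch(value) < UNSIGNED_32BIT_LIMIT

def audit_ldif(ldif_text: str) -> dict:
    """Return {dn: classification} for every entry that carries krbPasswordExpiration."""
    results, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.lower().startswith("krbpasswordexpiration:"):
            results[dn] = classify_expiration(line.split(":", 1)[1].strip())
    return results
```

Running audit_ldif over an export of cn=users before touching expiration dates flags the entries that would hit either symptom.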

Comment 7 Martin Kosek 2015-01-21 15:07:42 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in the following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.