Bug 1651278 - IPA admin user password breaking
Summary: IPA admin user password breaking
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-11-19 15:25 UTC by Matt.Agresta@kuehne-nagel.com
Modified: 2023-09-14 04:42 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-15 13:37:20 UTC
Target Upstream Version:
Embargoed:



Description Matt.Agresta@kuehne-nagel.com 2018-11-19 15:25:13 UTC
Description of problem:
The admin user on both IPA servers has become unusable. Web logins and kinit show incorrect password. Password is set to expire '2073-08-09'. Other accounts in the IPA realm are working. /var/log/krb5kdc.log shows preauth failures on both masters, one server also has clock skew errors.

Version-Release number of selected component (if applicable):
[root@lxipaazan200s log]# rpm -qa | grep ipa
libipa_hbac-1.15.2-50.el7_4.2.x86_64
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
ipa-server-trust-ad-4.5.0-21.el7.centos.1.2.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
sssd-ipa-1.15.2-50.el7_4.2.x86_64
python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-dns-4.5.0-21.el7.centos.1.2.noarch
ipa-common-4.5.0-21.el7.centos.1.2.noarch
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch


How reproducible:


Steps to Reproduce:
1. kinit admin
2. enter password
3. kinit: Password incorrect while getting initial credentials

Actual results:
kinit: Password incorrect while getting initial credentials

Expected results:
Command executed without error, web login succeeds

Additional info:
[root@lxipaazan200s log]# kinit admin
Password for admin.INT.KN:
kinit: Password incorrect while getting initial credentials
[root@lxipaazan200s log]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lxipaazan200s.ipa.us.int.kn.INT.KN
   2 host/lxipaazan200s.ipa.us.int.kn.INT.KN
   2 host/lxipaazan200s.ipa.us.int.kn.INT.KN
   2 host/lxipaazan200s.ipa.us.int.kn.INT.KN
   2 host/lxipaazan200s.ipa.us.int.kn.INT.KN
   2 host/lxipaazan200s.ipa.us.int.kn.INT.KN
[root@lxipaazan200s log]# kvno host/lxipaazan200s.ipa.us.int.kn.INT.KN
host/lxipaazan200s.ipa.us.int.kn.INT.KN: kvno = 2


Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64041](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.153: NEEDED_PREAUTH: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Additional pre-authentication required
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64041](info): closing down fd 13
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64042](info): AS_REQ (4 etypes {18 17 16 23}) 10.29.72.69: NEEDED_PREAUTH: host/lxotmazbn551s.us.int.kn.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Additional pre-authentication required
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64042](info): closing down fd 11
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64041](info): AS_REQ (4 etypes {18 17 16 23}) 10.29.72.69: ISSUE: authtime 1542639688, etypes {rep=18 tkt=18 ses=18}, host/lxotmazbn551s.us.int.kn.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64041](info): closing down fd 13
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64042](info): TGS_REQ (4 etypes {18 17 16 23}) 10.29.72.69: ISSUE: authtime 1542639688, etypes {rep=18 tkt=18 ses=18}, host/lxotmazbn551s.us.int.kn.INT.KN for ldap/lxipaazan200s.ipa.us.int.kn.INT.KN
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64042](info): closing down fd 11
Nov 19 10:01:31 lxipaazan200s.ipa.us.int.kn krb5kdc[64042](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 19 10:01:31 lxipaazan200s.ipa.us.int.kn krb5kdc[64042](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.153: PREAUTH_FAILED: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Preauthentication failed

I also tried resetting the admin user password in DirSrv/LDAP. This works temporarily but eventually breaks in the same way.

Comment 2 Rob Crittenden 2018-11-19 15:39:14 UTC
Change the expiration to a date < 2038.

Comment 3 Matt.Agresta@kuehne-nagel.com 2018-11-19 15:52:56 UTC
(In reply to Rob Crittenden from comment #2)
> Change the expiration to a date < 2038.

Thanks. I changed the password policy, updated the password and logins are working now. I will monitor over the next couple of days.

Comment 4 Matt.Agresta@kuehne-nagel.com 2018-11-20 14:33:07 UTC
The password seemed to not be working again today. I reset it and it's working now but I am guessing it will break again. Below are the logs. I am not sure if it's related but I also see "Clock skew too great" messages in the krb5kdc.log

Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Additional pre-authentication required
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23506](info): closing down fd 11
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: ISSUE: authtime 1542722746, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23506](info): closing down fd 11
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: NEEDED_PREAUTH: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Additional pre-authentication required
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): closing down fd 11
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: PREAUTH_FAILED: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Incorrect password in encrypted challenge
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): closing down fd 11

Comment 5 Rob Crittenden 2018-11-20 14:48:48 UTC
Define "not working".

Correct time is critical for Kerberos to work properly.

Comment 6 Matt.Agresta@kuehne-nagel.com 2018-11-20 15:01:08 UTC
WEB UI login failed with incorrect password error, kinit admin also failed with incorrect credentials.

ntpq is showing the following for offset on both servers, are these offsets too large?

[root@lxipaazan100s log]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*us.int.kn       209.51.161.238   2 u   77 1024  377    0.328    9.619   2.296
+denotsl1465.int 192.53.103.104   2 u  962 1024  377  109.724    4.270   1.908
+dns-ap.int.kn   193.225.118.163  3 u 1005 1024  377  223.230  -20.122   8.157

[root@lxipaazan200s ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*nilxaza0110.us. 209.51.161.238   2 u   46   64  377    0.977    6.698   0.079
+denotsl1465.int 192.53.103.104   2 u   54   64  377  102.562    0.469   1.153
+dns-ap.int.kn   193.225.118.163  3 u   47   64  377  218.082  -29.055   4.347

Comment 7 Matt.Agresta@kuehne-nagel.com 2018-12-05 16:44:09 UTC
I have fixed my clock skew errors, but this issue persists. It seems to only happen with the admin account.

Dec 05 11:39:29 lxipaazan100s.ipa.us.int.kn krb5kdc[32591](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: NEEDED_PREAUTH: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Additional pre-authentication required
Dec 05 11:39:29 lxipaazan100s.ipa.us.int.kn krb5kdc[32591](info): closing down fd 10
Dec 05 11:39:31 lxipaazan100s.ipa.us.int.kn krb5kdc[32591](info): closing down fd 10
Dec 05 11:39:31 lxipaazan100s.ipa.us.int.kn krb5kdc[32590](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.66.153: ISSUE: authtime 1544027971, etypes {rep=18 tkt=18 ses=18}, host/lxadpazdn200s.us.int.kn.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN
Dec 05 11:39:31 lxipaazan100s.ipa.us.int.kn krb5kdc[32590](info): closing down fd 10
Dec 05 11:39:32 lxipaazan100s.ipa.us.int.kn krb5kdc[32590](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 05 11:39:32 lxipaazan100s.ipa.us.int.kn krb5kdc[32590](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: PREAUTH_FAILED: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Preauthentication failed
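
The krb5kdc.log excerpts in comments 4 and 7 mix routine NEEDED_PREAUTH/ISSUE traffic with the PREAUTH_FAILED lines that matter here. The parser below is an added illustration, not part of this bug report and not code from IPA or MIT krb5: it splits each line into KDC host, request type, client IP, status, principals and failure reason, then summarises failures per client principal and sorts the reasons into rough buckets (wrong key/password versus clock skew). The sample input copies lines from the report plus one constructed "Clock skew too great" line, since the report mentions skew errors but does not show one; the bucket names and the regexes are this example's assumptions about the log format, not a krb5 taxonomy.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the krb5kdc.log excerpts in this report, plus one
# constructed "Clock skew too great" line (the report mentions skew errors but shows none).
SAMPLE_LOG = """\
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64041](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.153: NEEDED_PREAUTH: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Additional pre-authentication required
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64041](info): closing down fd 13
Nov 19 10:01:28 lxipaazan200s.ipa.us.int.kn krb5kdc[64041](info): AS_REQ (4 etypes {18 17 16 23}) 10.29.72.69: ISSUE: authtime 1542639688, etypes {rep=18 tkt=18 ses=18}, host/lxotmazbn551s.us.int.kn.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN
Nov 19 10:01:31 lxipaazan200s.ipa.us.int.kn krb5kdc[64042](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 19 10:01:31 lxipaazan200s.ipa.us.int.kn krb5kdc[64042](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.153: PREAUTH_FAILED: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Preauthentication failed
Nov 20 09:05:46 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.29.71.151: PREAUTH_FAILED: admin.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Incorrect password in encrypted challenge
Nov 20 09:06:02 lxipaazan100s.ipa.us.int.kn krb5kdc[23507](info): AS_REQ (4 etypes {18 17 16 23}) 10.29.72.69: PREAUTH_FAILED: host/lxotmazbn551s.us.int.kn.INT.KN for krbtgt/IPA.US.INT.KN.INT.KN, Clock skew too great
"""

# Regexes are assumptions about the syslog-style krb5kdc.log layout seen in this report.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<msg>.*)$"
)
REQ_RE = re.compile(
    r"^(?P<kind>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"^(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<reason>.*))?$")
ISSUE_RE = re.compile(
    r"^authtime (?P<authtime>\d+), etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>[^,\s]+)$"
)
VERIFY_RE = re.compile(r"^preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.*)$")


def parse_line(line):
    """Return a dict of fields for one krb5kdc.log line, or None if it is not a KDC line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    r = REQ_RE.match(rec["msg"])
    if not r:
        v = VERIFY_RE.match(rec["msg"])
        if v:  # preauth mechanism that rejected the request (no principal on this line)
            rec["status"] = "VERIFY_FAILURE"
            rec.update(v.groupdict())
        return rec  # "closing down fd" and similar lines carry no request fields
    rec.update({k: r.group(k) for k in ("kind", "ip", "status")})
    rest = r.group("rest")
    p = ISSUE_RE.match(rest) if rec["status"] == "ISSUE" else PRINC_RE.match(rest)
    if p:
        rec.update(p.groupdict())
    return rec


def classify(reason):
    """Heuristic bucket for a failure reason (an assumption of this example, not krb5's)."""
    if reason is None:
        return None
    low = reason.lower()
    if "clock skew" in low:
        return "time"          # fix NTP before touching credentials
    if "password" in low or "preauthentication failed" in low:
        return "credential"    # wrong password, stale key, or an unusable principal entry
    return "other"


def summarize(text):
    """Per-client-principal counts of issued tickets and preauth failures, plus which
    preauth mechanism reported the failures."""
    clients = defaultdict(lambda: {"issued": 0, "failed": 0, "reasons": set(),
                                   "buckets": set(), "ips": set()})
    mechanisms = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or "status" not in rec:
            continue
        if rec["status"] == "VERIFY_FAILURE":
            mechanisms[rec["mech"]] += 1
            continue
        if "client" not in rec:
            continue
        entry = clients[rec["client"]]
        entry["ips"].add(rec["ip"])
        if rec["status"] == "ISSUE":
            entry["issued"] += 1
        elif rec["status"] == "PREAUTH_FAILED":
            entry["failed"] += 1
            entry["reasons"].add(rec.get("reason") or "")
            entry["buckets"].add(classify(rec.get("reason")))
    return {"clients": dict(clients), "mechanisms": dict(mechanisms)}


if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG)["clients"].items():
        print(f"{client}: issued={info['issued']} failed={info['failed']} "
              f"buckets={sorted(b for b in info['buckets'] if b)}")
```

Run against a real log, a principal whose failures are all in the "credential" bucket while other principals keep getting ISSUE lines points at that one account's entry (as in this report) rather than at the KDC or the clocks; failures in the "time" bucket across many principals point at NTP.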

Comment 8 Rob Crittenden 2019-03-04 15:17:19 UTC
Is this still occurring? There should be no reason why only a single account would be affected by something like this.

Comment 9 Rob Crittenden 2019-04-08 14:21:51 UTC
Re-reading this you stated that the password expiration date was 2073-08-09. The date is stored as a 32-bit value so needs to be less than 2038.
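
To make the 2038 limit from comment 9 concrete, the following check is added here as an illustration; it is not part of this bug report and not code from IPA or MIT krb5. It takes an expiration in the LDAP GeneralizedTime form IPA stores in krbPasswordExpiration (20730809000000Z for the 2073-08-09 date in the report), converts it to seconds since the epoch, and shows what a signed 32-bit timestamp field makes of it: the value wraps into 1937, so the password looks long expired rather than valid until 2073. Treating the field as signed 32-bit is this example's assumption, following the comment's wording.

```python
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Largest instant a signed 32-bit timestamp can hold: 2038-01-19 03:14:07 UTC.
KRB5_TS_LIMIT = EPOCH + timedelta(seconds=INT32_MAX)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20730809000000Z' into an aware UTC datetime.
    (Assumption: the value is the UTC 'Z' form IPA writes into krbPasswordExpiration.)"""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def to_epoch(dt):
    """Whole seconds since 1970-01-01T00:00:00Z."""
    return int((dt - EPOCH).total_seconds())


def as_int32(seconds):
    """Reinterpret an epoch value the way a signed 32-bit field would store it."""
    seconds &= 0xFFFFFFFF
    return seconds - 2**32 if seconds > INT32_MAX else seconds


def check_expiration(value):
    """Report whether a krbPasswordExpiration value survives a signed 32-bit timestamp."""
    dt = parse_generalized_time(value)
    epoch = to_epoch(dt)
    wrapped = as_int32(epoch)
    return {
        "expires": dt.isoformat(),
        "epoch": epoch,
        "fits_int32": epoch <= INT32_MAX,
        # The date a signed 32-bit reader would see for this value.
        "int32_reads_as": (EPOCH + timedelta(seconds=wrapped)).isoformat(),
        "latest_safe": KRB5_TS_LIMIT.isoformat(),
    }


if __name__ == "__main__":
    for v in ("20730809000000Z", "20300101000000Z"):
        r = check_expiration(v)
        print(f"{v}: epoch={r['epoch']} fits_int32={r['fits_int32']} "
              f"int32_reads_as={r['int32_reads_as']}")
```

A policy check along these lines, run over every entry with a krbPasswordExpiration value, catches the misconfiguration before the KDC starts rejecting the account; the report's own fix (a password policy that keeps expirations below 2038, then a password reset) is what the check would recommend.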

Comment 10 François Cami 2019-04-15 13:37:20 UTC
We haven't heard from you in a while, therefore I am closing this bug. Please feel free to reopen with the above required data if needed.

Comment 11 Red Hat Bugzilla 2023-09-14 04:42:31 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

