Description of problem:
The KDC is using an LDAP backend. The default password policy is configured with a maximum password lifetime of 90 days, which is correctly shown in the policy, but when a new KDC principal is created using this policy, the password expiration date is incorrectly set to [never].

Version-Release number of selected component (if applicable):
RHEL 7.7
krb5-libs-1.15.1-37.el7_7.2.x86_64
sssd-krb5-common-1.16.4-21.el7_7.1.x86_64
krb5-server-ldap-1.15.1-37.el7_7.2.x86_64
krb5-workstation-1.15.1-37.el7_7.2.x86_64
krb5-server-1.15.1-37.el7_7.2.x86_64
sssd-krb5-1.16.4-21.el7_7.1.x86_64

How reproducible:
Always

Steps to Reproduce:
# kadmin -p jwuser/admin
Authenticating as principal jwuser/admin with password.
Password for jwuser/admin:
kadmin: getpol default
Policy: default
Maximum password life: 90 days 00:00:00
Minimum password life: 1 day 00:00:00
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 6
Maximum password failures before lockout: 6
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
kadmin: addprinc -pw Testpass20 -policy default zzuser20
Principal "zzuser20" created.
kadmin: getprinc zzuser20
Principal: zzuser20
Expiration date: [never]
Last password change: Fri Nov 29 11:25:47 EST 2019
Password expiration date: [never]    <<<<<< Note this is incorrect - should be 90 days from now
Maximum ticket life: 0 days 08:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 29 11:25:47 EST 2019 (jwuser/admin)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin: quit

Actual results:
Password expiry is set to never

Expected results:
Password expiry should be set to 90 days

Additional info:
The actual LDAP backend entries (created using kadmin commands) are shown below.

# ldapsearch -LLL -o ldif-wrap=no -H ldaps://icl-ldapkdc-vm7.nam.nsroot.net -D"cn=directory manager" -W -b "cn=JW.NET,cn=jw,cn=kdb" -s one cn=default
Enter LDAP Password:
dn: cn=default,cn=JW.NET,cn=jw,cn=kdb
objectClass: top
objectClass: krbPwdPolicy
cn: default
krbPwdMinDiffChars: 2
krbMinPwdLife: 86400
krbPwdHistoryLength: 6
krbPwdMinLength: 8
krbPwdFailureCountInterval: 0
krbPwdMaxRenewableLife: 0
krbPwdMaxFailure: 6
krbMaxPwdLife: 7776000
krbPwdAttributes: 0
krbPwdMaxLife: 0
krbPwdLockoutDuration: 0

[Dev root @ vm-e58a-f8a4 /var/opt/dsee/slapd-unix/config/schema]
# ldapsearch -LLL -o ldif-wrap=no -H ldaps://icl-ldapkdc-vm7.nam.nsroot.net -D"cn=directory manager" -W -b "cn=JW.NET,cn=jw,cn=kdb" -s one krbprincipalname=zzuser20*
Enter LDAP Password:
dn: krbprincipalname=zzuser20,cn=JW.NET,cn=jw,cn=kdb
objectClass: top
objectClass: krbprincipal
objectClass: krbTicketPolicyAux
objectClass: krbprincipalaux
krbPwdPolicyReference: cn=default,cn=JW.NET,cn=jw,cn=kdb
krbLastPwdChange: 20191129162547Z
krbExtraData:: AAKLRuFdanc4MzExMy9hZG1pbkBKVy5ORVQA
krbExtraData:: AAgBAA==
krbLoginFailedCount: 0
krbPrincipalName: zzuser20
krbPrincipalKey:: MIGuoAMCAQGhAwIBAaIDAgEBowMCAQGkgZcwgZQwRKAHMAWgAwIBAKE5MDegAwIBEaEwBC4QAFSgV44UHFEaQj2dpP/WYARNPFDrbAO7PzUrT7K8iF4M5fqgvl7WzPlNLynKMEygBzAFoAMCAQChQTA/oAMCARChOAQ2GAAsSi4s37Qb+dsgFBR2n+znWZto9tod9nxYzoWLUCZxcuI5hKhV5DBTkBBAZzMmyqKr9rHa
After a login (kinit), the PW expiration date does not change. However, while testing, the customer had forgotten the password for zzuser20 and reset it, and noticed that the process of resetting the password did activate the PW expiration date. It looks like there is a bug where the password expiration is not set the first time the account is created.

Firstly, the example for zzuser21 (the customer created another new user with the default password policy):

Account created - note password expiration is not correctly set

-bash-4.2$ kadmin -p jwuser/admin
Couldn't open log file /var/log/kadmin.log: Permission denied
Authenticating as principal jwuser/admin with password.
Password for jwuser/admin:
kadmin: addprinc -policy default zzuser21
Enter password for principal "zzuser21":
Re-enter password for principal "zzuser21":
Principal "zzuser21" created.
kadmin: getprinc zzuser21
Principal: zzuser21
Expiration date: [never]
Last password change: Mon Dec 09 10:18:01 EST 2019
Password expiration date: [never]
Maximum ticket life: 0 days 08:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Dec 09 10:18:01 EST 2019 (jwuser/admin)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin: quit

Now log in as the user and recheck - note PW expiration is still not correctly set

-bash-4.2$ kinit zzuser21
Password for zzuser21:
-bash-4.2$ kadmin -p jwuser/admin
Couldn't open log file /var/log/kadmin.log: Permission denied
Authenticating as principal jwuser/admin with password.
Password for jwuser/admin:
kadmin: getprinc zzuser21
Principal: zzuser21
Expiration date: [never]
Last password change: Mon Dec 09 10:18:01 EST 2019
Password expiration date: [never]
Maximum ticket life: 0 days 08:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Dec 09 10:18:01 EST 2019 (jwuser/admin)
Last successful authentication: Mon Dec 09 10:18:23 EST 2019
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

Now change the password: note that PW expiration is now correctly set

kadmin: cpw zzuser21
Enter password for principal "zzuser21":
Re-enter password for principal "zzuser21":
Password for "zzuser21" changed.
kadmin: getprinc zzuser21
Principal: zzuser21
Expiration date: [never]
Last password change: Mon Dec 09 10:19:04 EST 2019
Password expiration date: Sun Mar 08 11:19:04 EDT 2020
Maximum ticket life: 0 days 08:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Dec 09 10:19:04 EST 2019 (jwuser/admin)
Last successful authentication: Mon Dec 09 10:18:23 EST 2019
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

The same applies to the existing zzuser20 account. When the customer reset the password because he had forgotten it, the PW expiration became correctly set.

-bash-4.2$ kadmin -p jwuser/admin
Couldn't open log file /var/log/kadmin.log: Permission denied
Authenticating as principal jwuser/admin with password.
Password for jwuser/admin:
kadmin: getprinc zzuser20
Principal: zzuser20
Expiration date: [never]
Last password change: Fri Nov 29 11:25:47 EST 2019
Password expiration date: [never]
Maximum ticket life: 0 days 08:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 29 11:25:47 EST 2019 (jwuser/admin)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin: quit

kadmin: cpw zzuser20
Enter password for principal "zzuser20":
Re-enter password for principal "zzuser20":
Password for "zzuser20" changed.
kadmin: getprinc zzuser20
Principal: zzuser20
Expiration date: [never]
Last password change: Mon Dec 09 10:16:28 EST 2019
Password expiration date: Sun Mar 08 11:16:28 EDT 2020
Maximum ticket life: 0 days 08:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Dec 09 10:16:28 EST 2019 (jwuser/admin)
Last successful authentication: [never]
Last failed authentication: Mon Dec 09 10:15:52 EST 2019
Failed password attempts: 0
Number of keys: 2
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin: quit
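The practical consequence of the LDAP entries above and of the cpw test is that a principal whose entry carries no krbPasswordExpiration is never forced to rotate its password, so any account created while the bug was present stays unexpiring until someone changes its password. The script below is an added example, not code from this report or from the krb5 project: it reads unwrapped LDIF of the kind the ldapsearch commands above print, joins each principal to the policy named by its krbPwdPolicyReference, computes the expiration that krbLastPwdChange plus the policy's krbMaxPwdLife implies, and reports principals that have no krbPasswordExpiration although their policy has a maximum password life. The embedded sample is constructed from the entries in the report; the zzuser21 entry is an assumption modelled on the kadmin output after the cpw (the report shows no LDAP entry for it), and the kadmin date string in the remediation helper is an assumption about the getdate forms kadmin accepts.

```python
"""Audit an LDAP-backed KDC for principals that have no password expiration.

Added example, not from the bug report or the krb5 project.  Attribute names
are the ones of the krb5 LDAP schema (kerberos.ldif).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample built from the report's policy and zzuser20 entries.  The
# zzuser21 entry is an assumption: the report only shows kadmin output for it,
# so its LDAP entry after the `cpw` is modelled on that output
# (Mon Dec 09 10:19:04 EST 2019 is 15:19:04Z, expiring 90 days later).
SAMPLE_LDIF = """\
dn: cn=default,cn=JW.NET,cn=jw,cn=kdb
objectClass: top
objectClass: krbPwdPolicy
cn: default
krbMinPwdLife: 86400
krbMaxPwdLife: 7776000
krbPwdMaxLife: 0

dn: krbprincipalname=zzuser20,cn=JW.NET,cn=jw,cn=kdb
objectClass: krbprincipal
objectClass: krbprincipalaux
krbPwdPolicyReference: cn=default,cn=JW.NET,cn=jw,cn=kdb
krbLastPwdChange: 20191129162547Z
krbExtraData:: AAgBAA==
krbPrincipalName: zzuser20

dn: krbprincipalname=zzuser21,cn=JW.NET,cn=jw,cn=kdb
objectClass: krbprincipal
objectClass: krbprincipalaux
krbPwdPolicyReference: cn=default,cn=JW.NET,cn=jw,cn=kdb
krbLastPwdChange: 20191209151904Z
krbPasswordExpiration: 20200308151904Z
krbPrincipalName: zzuser21
"""


def parse_ldif(text):
    """Minimal reader for unwrapped LDIF (`ldapsearch -LLL -o ldif-wrap=no`):
    one 'attr: value' per line, entries separated by blank lines.  LDAP
    attribute names are case-insensitive, so keys are lowercased; 'attr:: b64'
    values are kept as their raw base64, nothing here needs to decode them."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = value[1:]
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def generalized_time(value):
    """LDAP GeneralizedTime as the KDB module stores it: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit_password_expiration(ldif_text):
    """Return {principal: finding}.  status is one of:
    'no-max-life'  no policy, or its krbMaxPwdLife is 0, so nothing is expected;
    'missing'      policy has a max life but the entry has no expiration
                   (the state the bug leaves a freshly created principal in);
    'mismatch'     an expiration is present but is not last change + max life;
    'ok'           the expiration matches the policy."""
    entries = parse_ldif(ldif_text)
    policies = {e["dn"][0].lower(): e for e in entries
                if any(c.lower() == "krbpwdpolicy" for c in e.get("objectclass", []))}
    findings = {}
    for e in entries:
        if "krbprincipalname" not in e:
            continue
        name = e["krbprincipalname"][0]
        ref = e.get("krbpwdpolicyreference", [""])[0]
        policy = policies.get(ref.lower())
        max_life = int(policy.get("krbmaxpwdlife", ["0"])[0]) if policy else 0
        actual = e.get("krbpasswordexpiration")
        actual = generalized_time(actual[0]) if actual else None
        expected = None
        if max_life > 0 and "krblastpwdchange" in e:
            expected = generalized_time(e["krblastpwdchange"][0]) + timedelta(seconds=max_life)
        if expected is None:
            status = "no-max-life"
        elif actual is None:
            status = "missing"
        elif actual == expected:
            status = "ok"
        else:
            status = "mismatch"
        findings[name] = {"policy": ref or None, "max_life": max_life,
                          "expected": expected, "actual": actual, "status": status}
    return findings


def remediation(findings):
    """kadmin commands that set the expiration the policy implies without
    forcing a password change.  `modprinc -pwexpire` is a real kadmin option;
    the date string form is an assumption about what kadmin's getdate parser
    accepts, so check it against your version before scripting it."""
    cmds = []
    for name, f in sorted(findings.items()):
        if f["status"] in ("missing", "mismatch"):
            when = f["expected"].strftime("%Y-%m-%d %H:%M:%S UTC")
            cmds.append(f'modprinc -pwexpire "{when}" {name}')
    return cmds


if __name__ == "__main__":
    result = audit_password_expiration(SAMPLE_LDIF)
    for name, f in result.items():
        print(f"{name:10} {f['status']:12} expected={f['expected']} actual={f['actual']}")
    print("\n".join(remediation(result)))
```

On the sample, zzuser20 is reported as missing with an expected expiration of 2020-02-27 16:25:47Z (90 days after its krbLastPwdChange), and zzuser21 as ok. Against a live directory, feed it the output of the second ldapsearch above with the filter widened to krbprincipalname=* and the policy entries included in the same search; the cpw the customer used is the other remedy, at the cost of a new key version for every affected principal.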
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (krb5 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3982