Red Hat Bugzilla – Bug 427789
krb5 password changing uses incorrect sequence numbers for every server but the first
Last modified: 2008-05-21 11:28:32 EDT
Description of problem:
When the libkrb5 password-change routines generate a set-password or
change-password request, they do so in a way that the sequence number included
in password-change requests destined for any server after the first is incorrect.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set multiple 'kpasswd_server' values for your realm in krb5.conf, with one
which is known-good listed second (or third, or in any position except the
2. Run 'kpasswd' to attempt to change your password.
Actual results:
You'll get a decryption error from the server.
Expected results:
Not the error.
After we solve the client-doesn't-try-to-change-passwords-over-TCP problem, we
hit this when the client attempts to connect to the password-change service over
TCP. My Windows Server 2003 box seems to ignore this, but it crops up with an
MIT server (heck, our own corporate server) and the FreeIPA kpasswd server.
Created attachment 290971 [details]
candidate patch which fixes this for me
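The invariant behind this report is that the sequence number carried in the KRB-PRIV part of a kpasswd request must agree with the sequence number in the authenticator of the AP-REQ that accompanies it, since the server seeds its expected sequence from the authenticator. The following is an added illustration, not code from libkrb5 or from the attached patch. It models a client that builds one AP-REQ and then fresh KRB-PRIV messages for each kpasswd_server in turn, which is one way the "first server works, later servers fail" symptom can arise; that mechanism, and all names here (AuthContext, mk_req, mk_priv, server_accepts, retry_servers), are assumptions for illustration only.

```python
"""Model of the AP-REQ / KRB-PRIV sequence-number coupling in a kpasswd request.

Added example, not libkrb5 code.  The class and function names and the
assumed failure mechanism are hypothetical; the servers list is constructed.
"""
from dataclasses import dataclass


@dataclass
class AuthContext:
    """Stand-in for a krb5 auth context with sequence numbers in use."""
    local_seq: int


@dataclass(frozen=True)
class KpasswdRequest:
    """The two sequence numbers a server compares for one request (modeled)."""
    server: str
    ap_req_seq: int   # seq-number inside the AP-REQ authenticator
    priv_seq: int     # seq-number inside the KRB-PRIV carrying the new password


def mk_req(ctx: AuthContext) -> int:
    """Build an AP-REQ: the authenticator carries the current local sequence."""
    return ctx.local_seq


def mk_priv(ctx: AuthContext) -> int:
    """Build a KRB-PRIV: it uses the current local sequence and advances it."""
    seq = ctx.local_seq
    ctx.local_seq += 1
    return seq


def server_accepts(req: KpasswdRequest) -> bool:
    """Server side: the KRB-PRIV must use the sequence the authenticator set."""
    return req.priv_seq == req.ap_req_seq


def retry_servers(servers, initial_seq, fresh_ap_req_per_server):
    """Send one request to each server in order and report the server's verdict.

    fresh_ap_req_per_server=False models the assumed faulty behaviour: a single
    AP-REQ is reused while each retry builds a new KRB-PRIV, so the private
    part's counter drifts away from the authenticator after the first server.
    fresh_ap_req_per_server=True rebuilds the AP-REQ alongside each KRB-PRIV
    so both always carry the same number.
    """
    ctx = AuthContext(local_seq=initial_seq)
    shared_ap_req = None if fresh_ap_req_per_server else mk_req(ctx)
    outcomes = []
    for server in servers:
        ap_seq = mk_req(ctx) if fresh_ap_req_per_server else shared_ap_req
        req = KpasswdRequest(server=server, ap_req_seq=ap_seq, priv_seq=mk_priv(ctx))
        outcomes.append((server, req.ap_req_seq, req.priv_seq, server_accepts(req)))
    return outcomes


if __name__ == "__main__":
    # Constructed server list: the first entry is unreachable in the report's
    # scenario, so the client moves on to the second and third.
    SERVERS = ["kpasswd1.example.com", "kpasswd2.example.com", "kpasswd3.example.com"]
    for label, fresh in (("reused AP-REQ", False), ("AP-REQ per server", True)):
        print(label)
        for server, ap_seq, priv_seq, ok in retry_servers(SERVERS, 1000, fresh):
            print(f"  {server}: ap_req_seq={ap_seq} priv_seq={priv_seq} "
                  f"{'accepted' if ok else 'rejected'}")
```

Under the reused-AP-REQ model only the first server sees matching numbers, which is the pattern the bug title describes; rebuilding the AP-REQ for every attempt keeps the pair aligned. The real servers named in this report respond to the mismatch with a decryption error rather than the plain rejection modeled here.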
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.