Bug 797333 - krbpasswordexpiration field in LDAP can not have value >= 20380119031408Z
Summary: krbpasswordexpiration field in LDAP can not have value >= 20380119031408Z
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: All
OS: All
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On: 796641
Blocks:
Reported: 2012-02-25 00:27 UTC by Dmitri Pal
Modified: 2015-01-21 15:07 UTC (History)
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 796641
Environment:
Last Closed: 2015-01-21 15:07:42 UTC
Target Upstream Version:
Embargoed:



Description Dmitri Pal 2012-02-25 00:27:28 UTC
+++ This bug was initially created as a clone of Bug #796641 +++

Description of problem:
kinit fails with the message:

kinit: ASN.1 failed call to system time library while getting initial
credentials

Or (krbpasswordexpiration == 20380119031408Z) tells you to change your password:
Password expired.  You must change it now.
Enter new password:



Version-Release number of selected component (if applicable):
krb5-server-1.9.2-6.fc16.x86_64
krb5-workstation-1.9.2-6.fc16.x86_64
freeipa-server-2.1.4-5.fc16.x86_64
389-ds-base-1.2.10-0.10.rc1.fc16.x86_64

How reproducible:
- 
- use "kinit <user>"



Steps to Reproduce:
1. Use ldapmodify to change the value of "krbpasswordexpiration" for "<user>" to 20380119031408Z

2. Use "kinit <user>" to get a ticket

3. Repeat steps 1 and 2 with a value larger than 20380119031408Z

4. Repeat steps 1 and 2 with a value of 20380119031407Z or lower

Actual results:
2.
Password expired.  You must change it now.

3.
kinit: ASN.1 failed call to system time library while getting initial
credentials


Expected results:
- like in case 4: ticket granted, klist lists the ticket

Additional info:

Comment 2 Dmitri Pal 2012-02-26 17:55:02 UTC
Hello Joaquin,

I moved the bug here to the appropriate component. Please comment on this bug rather than on the original one.

So it is not clear what the sequence of operations is. Can you please be more specific? You installed an IPA server, added a user, did kinit and got the error? If it is different, please describe. Also, can you please attach Kerberos and IPA logs so that we can troubleshoot the issue.

Thank you,
Dmitri

Comment 3 Joaquin 2012-03-02 13:17:51 UTC
Hi Dmitri,

Additional information: The error seems specific to the "admin" user!

Steps to reproduce:

- Installed the latest IPA on Fedora 16 (see packages above)
- modified the expiration date for the "admin" user:

change-admin-after.ldif:
------------------------
dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20980119031407Z

# ldapmodify -x -D "cn=Directory Manager" -W -v -f change-admin-after.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
replace krbPasswordExpiration:
        20980119031407Z
modifying entry "uid=admin,cn=users,cn=accounts,dc=my,dc=domain"
modify complete


- look at the /var/log/krb5kdc.log while doing "kinit admin" in another screen
[root@ipa02 ~]# kinit admin
Password for admin:
        ==>
Mar 02 13:43:27 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: CLIENT KEY EXPIRED: admin for krbtgt/MY.DOMAIN, Password has expired
Mar 02 13:43:27 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: admin for kadmin/changepw, Additional pre-authentication required

        ==> after typing password:
kinit: ASN.1 failed call to system time library while getting initial credentials
      ==> the tail prints
Mar 02 13:43:31 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330692211, etypes {rep=18 tkt=18 ses=18}, admin for kadmin/changepw


- repeating the same steps for a normal user does not reproduce the error:
[root@ipa02 ~]# kinit testuser
Password for testuser:
        ==>
Mar 02 13:47:00 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: testuser for krbtgt/MY.DOMAIN, Additional pre-authentication required

        ==> after typing password:
Mar 02 13:47:33 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330692453, etypes {rep=18 tkt=18 ses=18}, testuser for krbtgt/MY.DOMAIN



- Repeat the change for admin with expiration time 20380119031408Z
[root@ipa02 ~]# kinit admin
Password for admin
        ==>
Mar 02 14:03:50 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: CLIENT KEY EXPIRED: admin for krbtgt/MY.DOMAIN, Password has expired
Mar 02 14:03:50 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: admin for kadmin/changepw, Additional pre-authentication required

        ==> after typing password:
Password expired.  You must change it now.
Enter new password: 
      ==> the tail prints
Mar 02 14:04:00 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330693440, etypes {rep=18 tkt=18 ses=18}, admin for kadmin/changepw

- Repeat the change for admin with expiration time 20380119031407Z (or lower)

Mar 02 14:11:43 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: admin for krbtgt/MY.DOMAIN, Additional pre-authentication required

        ==> after typing password:
Mar 02 14:11:55 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330693915, etypes {rep=18 tkt=18 ses=18}, admin for krbtgt/MY.DOMAIN


Regards,

Joaquin

Comment 4 Dmitri Pal 2012-03-07 17:09:07 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2496

Comment 5 Dmitri Pal 2012-06-01 21:36:30 UTC
MIT is updating its capabilities to handle a 32-bit unsigned time value. This would add another 68 years.
We will pull it in when it is ready.

Also we have several RFEs to allow passwords that never expire. We will be working on this feature some time early next year.
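
The threshold in this report is not arbitrary: 20380119031408Z is exactly 2^31 seconds after the Unix epoch, the first instant a signed 32-bit timestamp cannot hold, and the unsigned 32-bit interpretation mentioned above moves the limit out to 2106-02-07T06:28:15Z. The script below is an added example written for this page; it is not code from the bug report, FreeIPA or MIT krb5. It converts LDAP GeneralizedTime values to epoch seconds, shows where each value lands when reinterpreted as a signed or unsigned 32-bit integer (the value 2^31 becomes a negative, i.e. past, time in the signed view, matching the "Password expired" behaviour seen in the report), and scans a constructed LDIF export for krbPasswordExpiration values above the signed 32-bit range so an administrator can find affected accounts before a KDC does. The sample LDIF reuses the admin DN from the report; the other entries and all values other than those quoted in the report are constructed for illustration.

```python
import calendar
import re
from datetime import datetime

INT32_MAX = 2**31 - 1   # 2038-01-19T03:14:07Z, last second a signed 32-bit timestamp can hold
UINT32_MAX = 2**32 - 1  # 2106-02-07T06:28:15Z, last second an unsigned 32-bit timestamp can hold

# LDAP GeneralizedTime as written by FreeIPA: YYYYMMDDhhmmssZ (UTC, no fractions)
GENERALIZED_TIME = re.compile(r"^(\d{14})Z$")


def generalized_time_to_epoch(value: str) -> int:
    """Convert a UTC GeneralizedTime such as 20380119031408Z to seconds since the Unix epoch."""
    m = GENERALIZED_TIME.match(value.strip())
    if not m:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    dt = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return calendar.timegm(dt.timetuple())  # timegm treats the tuple as UTC


def to_uint32(n: int) -> int:
    """Keep only the low 32 bits, as an unsigned 32-bit field would."""
    return n & 0xFFFFFFFF


def to_int32(n: int) -> int:
    """Reinterpret the low 32 bits of n as a two's-complement signed 32-bit integer."""
    n = to_uint32(n)
    return n - 2**32 if n > INT32_MAX else n


def classify(value: str) -> dict:
    """Describe how a krbPasswordExpiration value fares in 32-bit signed and unsigned fields."""
    secs = generalized_time_to_epoch(value)
    return {
        "value": value,
        "epoch": secs,
        "fits_int32": 0 <= secs <= INT32_MAX,
        "fits_uint32": 0 <= secs <= UINT32_MAX,
        "int32_view": to_int32(secs),    # negative means "in the past" to a signed-32-bit consumer
        "uint32_view": to_uint32(secs),
    }


def find_overflowing_expirations(ldif_text: str) -> list:
    """Return (dn, value, epoch) for entries whose krbPasswordExpiration exceeds INT32_MAX.

    Minimal LDIF handling: entries are separated by blank lines and attributes are
    'name: value'. Base64 ('::') and folded continuation lines are not handled.
    """
    findings = []
    dn = None
    for line in ldif_text.splitlines() + [""]:
        if line == "":
            dn = None  # blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        name, sep, val = line.partition(":")
        if not sep:
            continue
        name, val = name.strip().lower(), val.strip()
        if name == "dn":
            dn = val
        elif name == "krbpasswordexpiration" and dn is not None:
            secs = generalized_time_to_epoch(val)
            if secs > INT32_MAX:
                findings.append((dn, val, secs))
    return findings


# Constructed LDIF export: the admin DN and the three values come from the report,
# the testuser/edge entries are made up for the example.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain
krbPasswordExpiration: 20980119031407Z

dn: uid=testuser,cn=users,cn=accounts,dc=my,dc=domain
krbPasswordExpiration: 20380119031407Z

dn: uid=edge,cn=users,cn=accounts,dc=my,dc=domain
krbPasswordExpiration: 20380119031408Z
"""

if __name__ == "__main__":
    for v in ("20380119031407Z", "20380119031408Z", "20980119031407Z"):
        print(classify(v))
    for dn, value, secs in find_overflowing_expirations(SAMPLE_LDIF):
        print(f"{dn}: {value} = {secs} exceeds signed 32-bit range")
```

Running it shows 20380119031407Z fitting a signed 32-bit field, 20380119031408Z landing on exactly 2^31 and wrapping to -2^31 in the signed view, and the 2098 value from the report fitting an unsigned but not a signed 32-bit field. The LDIF scan flags the admin and edge entries and leaves testuser alone.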

Comment 7 Martin Kosek 2015-01-21 15:07:42 UTC
Thank you for taking the time to submit this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in the following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat reconsiders the decision, please re-open the Bugzilla via the appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.

