+++ This bug was initially created as a clone of Bug #796641 +++

Description of problem:
kinit fails with the message:
kinit: ASN.1 failed call to system time library while getting initial credentials
Or (krbpasswordexpiration == 20380119031408Z) tells you to change your password:
Password expired. You must change it now.
Enter new password:

Version-Release number of selected component (if applicable):
krb5-server-1.9.2-6.fc16.x86_64
krb5-workstation-1.9.2-6.fc16.x86_64
freeipa-server-2.1.4-5.fc16.x86_64
389-ds-base-1.2.10-0.10.rc1.fc16.x86_64

How reproducible:
- use "kinit <user>"

Steps to Reproduce:
1. Use ldapmodify to change the value of "krbpasswordexpiration" to 20380119031408Z for "<user>"
2. Use "kinit <user>" to get a ticket
3. Repeat steps 1 and 2 with a value larger than 20380119031408Z
4. Repeat steps 1 and 2 with a value of 20380119031407Z or lower

Actual results:
2. Password expired. You must change it now.
3. kinit: ASN.1 failed call to system time library while getting initial credentials

Expected results:
- like in case 4: ticket granted, klist lists the ticket

Additional info:
Hello Joaquin, I moved the bug here to the appropriate component. Please comment on this bug rather than on the original one. It is not clear what the sequence of operations is. Can you please be more specific? You installed an IPA server, added a user, did kinit and got the error? If it is different, please describe. Also, can you please attach Kerberos and IPA logs so that we can troubleshoot the issue. Thank you, Dmitri
Hi Dmitri,

Additional information: the error seems specific to the "admin" user!

Steps to reproduce:

- Installed latest IPA on Fedora 16 (see packages above)
- modified the expiration date for the "admin" user:

change-admin-after.ldif:
------------------------
dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20980119031407Z

# ldapmodify -x -D "cn=Directory Manager" -W -v -f change-admin-after.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
replace krbPasswordExpiration:
	20980119031407Z
modifying entry "uid=admin,cn=users,cn=accounts,dc=my,dc=domain"
modify complete

- look at /var/log/krb5kdc.log while doing "kinit admin" in another screen:

[root@ipa02 ~]# kinit admin
Password for admin:
==> Mar 02 13:43:27 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: CLIENT KEY EXPIRED: admin for krbtgt/MY.DOMAIN, Password has expired
Mar 02 13:43:27 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: admin for kadmin/changepw, Additional pre-authentication required
==> after typing password:
kinit: ASN.1 failed call to system time library while getting initial credentials
==> the tail prints
Mar 02 13:43:31 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330692211, etypes {rep=18 tkt=18 ses=18}, admin for kadmin/changepw

- repeating the same steps for a normal user does not reproduce the error:

[root@ipa02 ~]# kinit testuser
Password for testuser:
==> Mar 02 13:47:00 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: testuser for krbtgt/MY.DOMAIN, Additional pre-authentication required
==> after typing password:
Mar 02 13:47:33 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330692453, etypes {rep=18 tkt=18 ses=18}, testuser for krbtgt/MY.DOMAIN

- Repeat the change for admin with expiration time 20380119031408Z:

[root@ipa02 ~]# kinit admin
Password for admin:
==> Mar 02 14:03:50 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: CLIENT KEY EXPIRED: admin for krbtgt/MY.DOMAIN, Password has expired
Mar 02 14:03:50 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: admin for kadmin/changepw, Additional pre-authentication required
==> after typing password:
Password expired. You must change it now.
Enter new password:
==> the tail prints
Mar 02 14:04:00 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330693440, etypes {rep=18 tkt=18 ses=18}, admin for kadmin/changepw

- Repeat the change for admin with expiration time 20380119031407Z (or lower):

Mar 02 14:11:43 ipa02.office.my.domain krb5kdc[7971](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: NEEDED_PREAUTH: admin for krbtgt/MY.DOMAIN, Additional pre-authentication required
==> after typing password:
Mar 02 14:11:55 ipa02.office.my.domain krb5kdc[7970](info): AS_REQ (4 etypes {18 17 16 23}) 10.183.26.12: ISSUE: authtime 1330693915, etypes {rep=18 tkt=18 ses=18}, admin for krbtgt/MY.DOMAIN

Regards,
Joaquin
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2496
MIT is updating its capabilities to handle a 32-bit unsigned time value. This would add another 68 years. We will pull it in when it is ready. Also, we have several RFEs to allow passwords that never expire. We will be working on this feature sometime early next year.
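An added check, not from the bug report or from the krb5/FreeIPA code, that works through the arithmetic behind the three boundary values in this thread: it parses the GeneralizedTime strings, reports whether each fits a signed 32-bit time field (the current limit implied by the comment above) or an unsigned one (the planned extension), shows what a signed field ends up holding at 2^31, and scans a constructed LDIF modelled on change-admin-after.ldif so an out-of-range krbPasswordExpiration is caught before ldapmodify applies it. The function names and the signed-32-bit interpretation are assumptions.

```python
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1   # last second a signed 32-bit time field holds: 2038-01-19 03:14:07Z
UINT32_MAX = 2**32 - 1  # last second after the move to unsigned 32-bit time: 2106-02-07 06:28:15Z

def generalized_time_to_epoch(value: str) -> int:
    """Parse an LDAP GeneralizedTime such as 20380119031408Z into Unix epoch seconds."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def as_int32(epoch: int) -> int:
    """Reinterpret the low 32 bits as signed: what a signed 32-bit time field ends up holding (assumption)."""
    low = epoch & 0xFFFFFFFF
    return low - 2**32 if low > INT32_MAX else low

def classify(value: str) -> dict:
    """Check one krbPasswordExpiration value against the signed and unsigned 32-bit ranges."""
    epoch = generalized_time_to_epoch(value)
    wrapped = as_int32(epoch)
    return {
        "epoch": epoch,
        "fits_int32": 0 <= epoch <= INT32_MAX,
        "fits_uint32": 0 <= epoch <= UINT32_MAX,
        "as_int32": wrapped,
        # 2^31 wraps to 1901, a date in the past, which matches the KDC reporting the key as expired
        "as_int32_utc": (datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=wrapped)).isoformat(),
    }

def audit_ldif(ldif_text: str) -> list:
    """Return (dn, value, fits_int32) for each krbPasswordExpiration in an LDIF before applying it."""
    findings, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("krbpasswordexpiration:"):
            value = line.split(":", 1)[1].strip()
            findings.append((dn, value, classify(value)["fits_int32"]))
    return findings

# Constructed LDIF modelled on change-admin-after.ldif from the report (same DN and value).
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20980119031407Z
"""
```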
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux. Given that we are unable to fulfill this request in the following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat reconsiders the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you. Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.