Bug 828569 - IPA CLI: first time kinit rejects 8-bits string as password
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Martin Kosek
QA Contact: IDM QE LIST

Reported: 2012-06-04 18:09 EDT by Yi Zhang
Modified: 2016-01-29 08:00 EST
Doc Type: Bug Fix
Last Closed: 2016-01-29 08:00:52 EST
Type: Bug


Description Yi Zhang 2012-06-04 18:09:15 EDT
Description of problem:
When a user runs kinit for the first time, an 8-bit string cannot be used as the password.
After the first kinit, the user is able to use an 8-bit string as the password.

Version-Release number of selected component (if applicable):
[yi@fig (RH6.3-x86_64) ipa-password] rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.2.0                             Vendor: Red Hat, Inc.
Release     : 16.el6                        Build Date: Sat 26 May 2012 07:13:12 PM PDT
Install Date: Mon 04 Jun 2012 10:03:47 AM PDT      Build Host: x86-007.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.2.0-16.el6.src.rpm
Size        : 3779984                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). If you are installing an IPA server you need
to install this package (in other words, most people should NOT install
this package).


How reproducible: always


Steps to Reproduce:
1. install ipa server
2. kinit as admin
3. create a new user : testuser13693
4. as admin, assign initial password : "redhat"
5. run "kinit testuser13693"
6. enter initial password "redhat"
7. for new password, use : p.1000žX.1


  
Actual results:
[yi@fig (RH6.3-x86_64) ipa-password] kinit testuser13693
Password for testuser13693@YZHANG.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
Password change rejected: Password not changed.
Kerberos database constraints violated while trying to change password.
.  Please try again.
Comment 2 Rob Crittenden 2012-06-04 22:52:50 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2807
Comment 3 Dmitri Pal 2012-06-05 12:25:21 EDT
Please provide the exact steps on how it happens if you set it to something and then reset.
Comment 4 Rob Crittenden 2012-06-05 12:26:43 EDT
To be clear, you're saying that the password is rejected, but if you set it to something else, then try again to set it to the previously rejected password, it works?

Can you check the 389-ds-base error log to see if it has any additional information?
Comment 5 Yi Zhang 2012-06-05 13:10:56 EDT
test data: "p@^C00žX@1"

== test 1 ==

1. as admin, create ipa user "tuser01" , assign no password
ipa user-add tuser01 --first test --last 01

2. as admin, assign initial password "redhat"
ipa passwd tuser01

3. do kinit as user tuser01
[yi@fig (RH6.3-x86_64) ipa-password] kinit tuser01
Password for tuser01@YZHANG.REDHAT.COM:    <<---- <enter "redhat" here>
Password expired.  You must change it now. <<---- <enter "p@^C00žX@1" here>
Enter new password:                        <<---- <enter "p@^C00žX@1" here>
Enter it again: 
Password change rejected: Password not changed.
Kerberos database constraints violated while trying to change password.
.  Please try again.


== test 2 ==
1. as admin, change global password policy, set minclasses to < 5
ipa-password] ipa pwpolicy-mod --minclasses=2 --minlife=0 --history=0

2. as admin, create ipa user "tuser02", assign no password
ipa user-add tuser02 --first test --last 02

2. as admin, assign initial password "redhat"
ipa passwd tuser02

3. as tuser02, do kinit (this is first time kinit), change password to "redhat001"
[yi@fig (RH6.3-x86_64) ipa-password] kinit tuser02
Password for tuser02@YZHANG.REDHAT.COM:       <<--- enter "redhat"
Password expired.  You must change it now.
Enter new password:                          <<--- enter "redhat001"
Enter it again:                              <<--- enter "redhat001"

4. as admin, change minclasses to 5
ipa pwpolicy-mod --minclasses=5

5. as tuser02, change password from "redhat001" to "p@^C00žX@1" -- this succeeds
[yi@fig (RH6.3-x86_64) ipa-password] kinit tuser02
Password for tuser02@YZHANG.REDHAT.COM:      <<---- enter "redhat001"
Password expired.  You must change it now.
Enter new password:                          <<---- enter "p@^C00žX@1"
Enter it again:                              <<---- enter "p@^C00žX@1"


==================== conclusion ===================
(1) Test 2 proves: after the first kinit, using an 8-bit string as the password is allowed. The feature works as designed.

(2) Test 1 proves: using an 8-bit string as the password at the first kinit fails -- this is not expected.

(3) I see no error msg in the dirsrv log file, no error msg in the httpd log file, and no error msg in the krb5kdc file.

(4) Test 1 always fails regardless of the current password policy settings. I tried "minclasses=5" and "minclasses=1"; the test results are the same.
Comment 6 Yi Zhang 2012-06-05 13:14:10 EDT
Sorry, I posted my test procedure so soon.

For test 2, I have two "step 2"s; this is just a mislabel. The overall order and logic are correct.
Comment 7 Rob Crittenden 2012-06-05 13:30:43 EDT
I still don't understand, it seems like you are comparing apples and oranges. What is the password policy when setting the password for tuser01?
Comment 8 Yi Zhang 2012-06-05 13:41:23 EDT
Regardless of the password policy setting, test 1 always fails.

The rejection of an 8-bit string as the password only happens when the user does kinit for the first time.

The purpose of test 2 is to show that after the very first kinit, an 8-bit string is allowed to be used as the password.
Comment 14 Martin Kosek 2016-01-29 08:00:52 EST
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.
