kinit with expired password fails, patch

Stef Walter stefw at gnome.org
Wed Apr 25 04:06:40 EDT 2012


When running kinit for an account with an expired password, Kerberos
correctly tries to help the user to change it.

However, this is broken by the preauth use counts. The preauth use
counts need to be set to zero again before doing preauth for the
kadmin/changepw credential.

Attached is a patch which fixes this. Is there a more general solution?
I would be happy to update the patch if so.

Below are the before and after KRB5_TRACE logs, so you can see what's
going on.

Cheers,

Stef


BEFORE PATCH:

$ kinit Fry at AD.THEWALTER.LAN
[27835] 1335288806.200224: Getting initial credentials for
Fry at AD.THEWALTER.LAN
[27835] 1335288806.263291: Sending request (186 bytes) to AD.THEWALTER.LAN
[27835] 1335288806.290013: Resolving hostname dc.ad.thewalter.lan.
[27835] 1335288806.380297: Sending initial UDP request to dgram
192.168.12.10:88
[27835] 1335288806.381318: Received answer from dgram 192.168.12.10:88
[27835] 1335288806.381643: Response was not from master KDC
[27835] 1335288806.381674: Received error from KDC:
-1765328359/Additional pre-authentication required
[27835] 1335288806.381728: Processing preauth types: 16, 15, 19, 2
[27835] 1335288806.381744: Selected etype info: etype aes256-cts, salt
"AD.THEWALTER.LANFry", params ""
[27835] 1335288806.381774: Preauth module pkinit (16) (flags=1)
returned: 22/Invalid argument
[27835] 1335288806.381793: Preauth module pkinit (15) (flags=1)
returned: 22/Invalid argument
Password for Fry at AD.THEWALTER.LAN: xxxxxxxx
[27835] 1335288809.339650: AS key obtained for encrypted timestamp:
aes256-cts/1106
[27835] 1335288809.339749: Encrypted timestamp (for 1335288807.937224):
plain 301AA011180F32303132303432343137333332375AA10502030E4D08,
encrypted
99BB750ECB1C5AF8FC2D6F2E402070BE38DDA19C634C94AB031D6C10BB355D15F087BA990A3AA375AC984F5057F04FF35F3650E5A573FF48
[27835] 1335288809.339779: Preauth module encrypted_timestamp (2)
(flags=1) returned: 0/Unknown code 0
[27835] 1335288809.339790: Produced preauth for next request: 2
[27835] 1335288809.339825: Sending request (266 bytes) to AD.THEWALTER.LAN
[27835] 1335288809.340677: Resolving hostname dc.ad.thewalter.lan.
[27835] 1335288809.340989: Sending initial UDP request to dgram
192.168.12.10:88
[27835] 1335288809.342031: Received answer from dgram 192.168.12.10:88
[27835] 1335288809.342216: Response was not from master KDC
[27835] 1335288809.342233: Received error from KDC: -1765328361/Password
has expired
[27835] 1335288809.342262: Preauth tryagain input types: 16, 14, 19, 2
[27835] 1335288809.342273: Retrying AS request with master KDC
[27835] 1335288809.342279: Getting initial credentials for
Fry at AD.THEWALTER.LAN
[27835] 1335288809.342329: Sending request (186 bytes) to
AD.THEWALTER.LAN (master)
[27835] 1335288809.342619: Principal expired; getting changepw ticket
[27835] 1335288809.342633: Getting initial credentials for
Fry at AD.THEWALTER.LAN
[27835] 1335288812.409902: Setting initial creds service to kadmin/changepw
[27835] 1335290125.173663: Sending request (178 bytes) to AD.THEWALTER.LAN
[27835] 1335290125.184127: Resolving hostname dc.ad.thewalter.lan.
[27835] 1335290125.184544: Sending initial UDP request to dgram
192.168.12.10:88
[27835] 1335290125.185240: Received answer from dgram 192.168.12.10:88
[27835] 1335290125.185464: Response was not from master KDC
[27835] 1335290147.437464: Received error from KDC:
-1765328359/Additional pre-authentication required
[27835] 1335290222.807877: Processing preauth types: 16, 15, 19, 2
[27835] 1335290222.807915: Selected etype info: etype aes256-cts, salt
"AD.THEWALTER.LANFry", params ""
[27835] 1335290222.807922: Skipping previously used preauth module
pkinit (16)
[27835] 1335290222.807925: Skipping previously used preauth module
pkinit (15)
[27835] 1335290222.807929: Skipping previously used preauth module
encrypted_timestamp (2)
[27835] 1335290222.807932: Produced preauth for next request: (empty)
kinit: Generic preauthentication failure while getting initial credentials


AFTER PATCH:

$ kinit Fry at AD.THEWALTER.LAN
[22265] 1335295041.425163: Getting initial credentials for
Fry at AD.THEWALTER.LAN
[22265] 1335295041.488770: Sending request (186 bytes) to AD.THEWALTER.LAN
[22265] 1335295041.514301: Resolving hostname dc.ad.thewalter.lan.
[22265] 1335295041.584403: Sending initial UDP request to dgram
192.168.12.10:88
[22265] 1335295041.585491: Received answer from dgram 192.168.12.10:88
[22265] 1335295041.585883: Response was not from master KDC
[22265] 1335295041.585909: Received error from KDC:
-1765328359/Additional pre-authentication required
[22265] 1335295041.585958: Processing preauth types: 16, 15, 19, 2
[22265] 1335295041.585971: Selected etype info: etype aes256-cts, salt
"AD.THEWALTER.LANFry", params ""
[22265] 1335295041.586002: Preauth module pkinit (16) (flags=1)
returned: 22/Invalid argument
[22265] 1335295041.586018: Preauth module pkinit (15) (flags=1)
returned: 22/Invalid argument
Password for Fry at AD.THEWALTER.LAN: xxxxxxx
[22265] 1335295045.557548: AS key obtained for encrypted timestamp:
aes256-cts/E6FE
[22265] 1335295045.557627: Encrypted timestamp (for 1335295042.989059):
plain 301AA011180F32303132303432343139313732325AA10502030F1783,
encrypted
5F52CF4966874DAD1C4041392B98F2F81E0BBEBB5C05593E5B71ECFAB0E6C449B90715223D9EDAB10710A5C3DFAC3745C934719AE2064985
[22265] 1335295045.557679: Preauth module encrypted_timestamp (2)
(flags=1) returned: 0/Unknown code 0
[22265] 1335295045.557701: Produced preauth for next request: 2
[22265] 1335295045.557730: Sending request (266 bytes) to AD.THEWALTER.LAN
[22265] 1335295045.558365: Resolving hostname dc.ad.thewalter.lan.
[22265] 1335295045.558721: Sending initial UDP request to dgram
192.168.12.10:88
[22265] 1335295045.559556: Received answer from dgram 192.168.12.10:88
[22265] 1335295045.559778: Response was not from master KDC
[22265] 1335295045.559805: Received error from KDC: -1765328361/Password
has expired
[22265] 1335295045.559838: Preauth tryagain input types: 16, 14, 19, 2
[22265] 1335295045.559858: Retrying AS request with master KDC
[22265] 1335295045.559873: Getting initial credentials for
Fry at AD.THEWALTER.LAN
[22265] 1335295045.559928: Sending request (186 bytes) to
AD.THEWALTER.LAN (master)
[22265] 1335295045.560220: Principal expired; getting changepw ticket
[22265] 1335295045.560241: Getting initial credentials for
Fry at AD.THEWALTER.LAN
[22265] 1335295049.767716: Setting initial creds service to kadmin/changepw
[22265] 1335295053.773997: Sending request (178 bytes) to AD.THEWALTER.LAN
[22265] 1335295053.774781: Resolving hostname dc.ad.thewalter.lan.
[22265] 1335295053.775107: Sending initial UDP request to dgram
192.168.12.10:88
[22265] 1335295053.776035: Received answer from dgram 192.168.12.10:88
[22265] 1335295053.776315: Response was not from master KDC
[22265] 1335295053.776336: Received error from KDC:
-1765328359/Additional pre-authentication required
[22265] 1335295053.776373: Processing preauth types: 16, 15, 19, 2
[22265] 1335295053.776385: Selected etype info: etype aes256-cts, salt
"AD.THEWALTER.LANFry", params ""
[22265] 1335295053.776407: Preauth module pkinit (16) (flags=1)
returned: 22/Invalid argument
[22265] 1335295053.776424: Preauth module pkinit (15) (flags=1)
returned: 22/Invalid argument
[22265] 1335295053.800537: AS key obtained for encrypted timestamp:
aes256-cts/E6FE
[22265] 1335295053.800663: Encrypted timestamp (for 1335295051.225255):
plain 301AA011180F32303132303432343139313733315AA1050203036FE7,
encrypted
6CC5E1AE0F076B78A4EBF87B831CBE91F4DC5FFC808A29F4BD58A3760C79CA50A7B4B5AC968EEDB4BBD1F7664817EC18E8BBDEB051C88CA1
[22265] 1335295053.800684: Preauth module encrypted_timestamp (2)
(flags=1) returned: 0/Unknown code 0
[22265] 1335295053.800695: Produced preauth for next request: 2
[22265] 1335295053.800723: Sending request (256 bytes) to AD.THEWALTER.LAN
[22265] 1335295053.801329: Resolving hostname dc.ad.thewalter.lan.
[22265] 1335295053.801671: Sending initial UDP request to dgram
192.168.12.10:88
[22265] 1335295053.802802: Received answer from dgram 192.168.12.10:88
[22265] 1335295053.803060: Response was not from master KDC
[22265] 1335295056.885599: Processing preauth types: 19
[22265] 1335295056.885627: Selected etype info: etype aes256-cts, salt
"AD.THEWALTER.LANFry", params ""
[22265] 1335295056.885635: Produced preauth for next request: (empty)
[22265] 1335295056.885647: AS key determined by preauth: aes256-cts/E6FE
[22265] 1335295056.885746: Decrypted AS reply; session key is: rc4-hmac/9113
[22265] 1335295056.885769: FAST negotiation: unavailable
[22265] 1335295056.885828: Attempting password change; 3 tries remaining
Password expired.  You must change it now.
Enter new password: My5password
Enter it again: My5password
[22265] 1335295070.608133: Creating authenticator for
Fry at AD.THEWALTER.LAN -> kadmin/changepw at AD.THEWALTER.LAN, seqnum 0,
subkey rc4-hmac/3C35, session key rc4-hmac/9113
[22265] 1335295070.612810: Resolving hostname dc.ad.thewalter.lan.
[22265] 1335295070.613226: Sending initial UDP request to dgram
192.168.12.10:464
[22265] 1335295070.690556: Received answer from dgram 192.168.12.10:464
[22265] 1335295070.690637: Read AP-REP, time 1335295068.608141, subkey
(null), seqnum 0
[22265] 1335295070.690680: Getting initial TGT with changed password
[22265] 1335295070.690687: Getting initial credentials for
Fry at AD.THEWALTER.LAN
[22265] 1335295070.690749: Sending request (186 bytes) to AD.THEWALTER.LAN
[22265] 1335295070.691219: Resolving hostname dc.ad.thewalter.lan.
[22265] 1335295070.691528: Sending initial UDP request to dgram
192.168.12.10:88
[22265] 1335295070.715363: Received answer from dgram 192.168.12.10:88
[22265] 1335295070.715624: Response was not from master KDC
[22265] 1335295070.715643: Received error from KDC:
-1765328359/Additional pre-authentication required
[22265] 1335295070.715676: Processing preauth types: 16, 15, 19, 2
[22265] 1335295070.715686: Selected etype info: etype aes256-cts, salt
"AD.THEWALTER.LANFry", params ""
[22265] 1335295070.715708: Preauth module pkinit (16) (flags=1)
returned: 22/Invalid argument
[22265] 1335295070.715725: Preauth module pkinit (15) (flags=1)
returned: 22/Invalid argument
[22265] 1335295070.737799: AS key obtained for encrypted timestamp:
aes256-cts/1E7B
[22265] 1335295070.737861: Encrypted timestamp (for 1335295068.164775):
plain 301AA011180F32303132303432343139313734385AA10502030283A7,
encrypted
6F9D850442A0D356F2EB278D1406A5086B8BEC6578DAB5076C400BF5A4F4F06704C199E5DF9CF2B21440A062112A4C84E21ABD1E15A1DB50
[22265] 1335295070.737879: Preauth module encrypted_timestamp (2)
(flags=1) returned: 0/Unknown code 0
[22265] 1335295070.737897: Produced preauth for next request: 2
[22265] 1335295070.737922: Sending request (266 bytes) to AD.THEWALTER.LAN
[22265] 1335295070.738374: Resolving hostname dc.ad.thewalter.lan.
[22265] 1335295070.738675: Sending initial UDP request to dgram
192.168.12.10:88
[22265] 1335295070.739661: Received answer from dgram 192.168.12.10:88
[22265] 1335295070.739920: Response was not from master KDC
[22265] 1335295070.739953: Processing preauth types: 19
[22265] 1335295070.739967: Selected etype info: etype aes256-cts, salt
"AD.THEWALTER.LANFry", params ""
[22265] 1335295070.739978: Produced preauth for next request: (empty)
[22265] 1335295070.739994: AS key determined by preauth: aes256-cts/1E7B
[22265] 1335295070.740058: Decrypted AS reply; session key is: rc4-hmac/6A1F
[22265] 1335295070.740071: FAST negotiation: unavailable
[22265] 1335295070.740108: Initializing FILE:/tmp/krb5cc_1000 with
default princ Fry at AD.THEWALTER.LAN
[22265] 1335295070.740359: Removing Fry at AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN at AD.THEWALTER.LAN from FILE:/tmp/krb5cc_1000
[22265] 1335295070.740377: Storing Fry at AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN at AD.THEWALTER.LAN in FILE:/tmp/krb5cc_1000
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Reset-preauth-use-counts-before-changing-expired-pas.patch
Type: text/x-patch
Size: 1004 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20120425/9e51974b/attachment.bin
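As an added illustration (example code written for this page, not the attached patch and not code from MIT krb5), the following Python script reads KRB5_TRACE output of the shape shown in the two logs above and flags the failure mode the post describes: a kadmin/changepw AS exchange in which every preauth module is skipped as "previously used", so the client produces no preauth and the KDC's "Additional pre-authentication required" error can never be satisfied. The event wording and the attempt boundaries ("Getting initial credentials for", "Setting initial creds service to") are taken from the traces above; the two embedded sample traces are constructed, abbreviated versions of the before/after logs with a placeholder principal, and the names `Attempt`, `parse_trace`, `split_attempts`, `find_stale_use_counts` and `diagnose` are this example's own.

```python
import re
from dataclasses import dataclass, field

# One KRB5_TRACE event per line: "[pid] seconds.micros: message"
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*)$")


@dataclass
class Attempt:
    """One AS exchange, opened by a 'Getting initial credentials for' event."""
    service: str = "krbtgt"                        # until the trace says otherwise
    skipped: list = field(default_factory=list)    # modules skipped as "previously used"
    produced: list = field(default_factory=list)   # "Produced preauth for next request" values
    kdc_errors: list = field(default_factory=list) # "Received error from KDC" values


def parse_trace(text):
    """Return (pid, timestamp, message) tuples. Non-trace lines (the password
    prompt, kinit's final error message) are ignored."""
    events = []
    for raw in text.splitlines():
        m = TRACE_RE.match(raw)
        if m:
            events.append((m.group("pid"), float(m.group("ts")), m.group("msg")))
    return events


def split_attempts(events):
    """Group events into AS attempts and record the preauth-related ones."""
    attempts = []
    for _pid, _ts, msg in events:
        if msg.startswith("Getting initial credentials for "):
            attempts.append(Attempt())
            continue
        if not attempts:
            continue
        cur = attempts[-1]
        if msg.startswith("Setting initial creds service to "):
            cur.service = msg.split("to ", 1)[1]
        elif msg.startswith("Skipping previously used preauth module "):
            cur.skipped.append(msg.split("module ", 1)[1])
        elif msg.startswith("Produced preauth for next request: "):
            cur.produced.append(msg.split(": ", 1)[1])
        elif msg.startswith("Received error from KDC: "):
            cur.kdc_errors.append(msg.split(": ", 1)[1])
    return attempts


def find_stale_use_counts(events):
    """Return the kadmin/changepw attempt in which the client skipped modules it
    had already used and then sent no preauth at all, or None if not seen."""
    for a in split_attempts(events):
        if (a.service.startswith("kadmin/changepw")
                and a.skipped
                and a.kdc_errors
                and "Additional pre-authentication required" in a.kdc_errors[-1]
                and a.produced and a.produced[-1] == "(empty)"):
            return a
    return None


def diagnose(text):
    """Human-readable verdict for one trace."""
    a = find_stale_use_counts(parse_trace(text))
    if a is None:
        return "ok"
    return ("stale preauth use counts: changepw AS request skipped "
            + ", ".join(a.skipped) + " and produced no preauth")


# Constructed, abbreviated sample traces (placeholder principal, unwrapped lines).
BEFORE_TRACE = """\
[1001] 1.0: Getting initial credentials for fry@EXAMPLE.TEST
[1001] 1.1: Received error from KDC: -1765328359/Additional pre-authentication required
[1001] 1.2: Processing preauth types: 16, 15, 19, 2
[1001] 1.3: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Unknown code 0
[1001] 1.4: Produced preauth for next request: 2
[1001] 1.5: Received error from KDC: -1765328361/Password has expired
[1001] 1.6: Principal expired; getting changepw ticket
[1001] 1.7: Getting initial credentials for fry@EXAMPLE.TEST
[1001] 1.8: Setting initial creds service to kadmin/changepw
[1001] 1.9: Received error from KDC: -1765328359/Additional pre-authentication required
[1001] 2.0: Processing preauth types: 16, 15, 19, 2
[1001] 2.1: Skipping previously used preauth module pkinit (16)
[1001] 2.2: Skipping previously used preauth module pkinit (15)
[1001] 2.3: Skipping previously used preauth module encrypted_timestamp (2)
[1001] 2.4: Produced preauth for next request: (empty)
kinit: Generic preauthentication failure while getting initial credentials
"""

AFTER_TRACE = """\
[1002] 1.0: Getting initial credentials for fry@EXAMPLE.TEST
[1002] 1.1: Received error from KDC: -1765328359/Additional pre-authentication required
[1002] 1.4: Produced preauth for next request: 2
[1002] 1.5: Received error from KDC: -1765328361/Password has expired
[1002] 1.6: Principal expired; getting changepw ticket
[1002] 1.7: Getting initial credentials for fry@EXAMPLE.TEST
[1002] 1.8: Setting initial creds service to kadmin/changepw
[1002] 1.9: Received error from KDC: -1765328359/Additional pre-authentication required
[1002] 2.0: Processing preauth types: 16, 15, 19, 2
[1002] 2.1: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Unknown code 0
[1002] 2.2: Produced preauth for next request: 2
[1002] 2.3: Processing preauth types: 19
[1002] 2.4: Produced preauth for next request: (empty)
[1002] 2.5: Decrypted AS reply; session key is: rc4-hmac/9113
[1002] 2.6: Attempting password change; 3 tries remaining
"""

if __name__ == "__main__":
    print("before:", diagnose(BEFORE_TRACE))
    print("after: ", diagnose(AFTER_TRACE))
```

Real trace output (for example `KRB5_TRACE=/dev/stderr kinit user`) writes one event per line; the wrapping seen in the logs above comes from the mail client, so the parser expects unwrapped lines. Note that a "(empty)" preauth after a "Processing preauth types: 19" line is normal (the KDC's reply carried only etype info), which is why the check requires the "Skipping previously used" events and a preceding "Additional pre-authentication required" error before it reports stale use counts.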