Univention Bugzilla – Bug 37474
Changing password failed: user without posix,pki: Current kerberos password
Last modified: 2015-11-20 15:26:56 CET
Changing the password via the new 'Change password' module in UMC failed with a specific user:

Only the options are activated:
Samba account
Kerberos principal

I could not reproduce this on my own system, maybe it has to do with some other attributes? The krb5Key attribute looks wrong (3 lines are the same).

MAIN ( INFO ) : Changing password of user 'froh'
AUTH ( WARN ) : Changing password failed (('Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt', 10)). Prompts: ['Current Kerberos password: ']

# univention-ldapsearch -xLLL uid=froh | ldapsearch-wrapper
dn: uid=froh,cn=users,dc=dirk,dc=singlemaster,dc=intranet
ownCloudEnabled: 1
sambaMungedDial: bQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAEAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAFABoACAABAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwAYQBnAHMAMQAwMDAwMDEwMA==
displayName: Froh
uid: froh
krb5PrincipalName: froh@DIRK.SINGLEMASTER.INTRANET
univentionObjectType: users/user
krb5Key:: MFihKzApoAMCARKhIgQg38fYaY0RX3c1a1soCLouCYVROgvEAdlA8Mvpg8MZm/OiKTAnoAMCAQOhIAQeRElSSy5TSU5HTEVNQVNURVIuSU5UUkFORVRmcm9o
krb5Key:: MEihGzAZoAMCARGhEgQQ3atVXHVZ1vaV/qePT/PPiKIpMCegAwIBA6EgBB5ESVJLLlNJTkdMRU1BU1RFUi5JTlRSQU5FVGZyb2g=
krb5Key:: MFChIzAhoAMCARChGgQYhR+JhkAB/Vd85T6XcIXyiXmn3IUHkYkfoikwJ6ADAgEDoSAEHkRJUksuU0lOR0xFTUFTVEVSLklOVFJBTkVUZnJvaA==
krb5Key:: MEihGzAZoAMCARehEgQQyqEjnUTaft+Sa8459cZdD6IpMCegAwIBA6EgBB5ESVJLLlNJTkdMRU1BU1RFUi5JTlRSQU5FVGZyb2g=
krb5Key:: MEChEzARoAMCAQOhCgQIhbxUxGfgiROiKTAnoAMCAQOhIAQeRElSSy5TSU5HTEVNQVNURVIuSU5UUkFORVRmcm9o
krb5Key:: MEChEzARoAMCAQKhCgQIhbxUxGfgiROiKTAnoAMCAQOhIAQeRElSSy5TSU5HTEVNQVNURVIuSU5UUkFORVRmcm9o
krb5Key:: MEChEzARoAMCAQGhCgQIhbxUxGfgiROiKTAnoAMCAQOhIAQeRElSSy5TSU5HTEVNQVNURVIuSU5UUkFORVRmcm9o
pwhistory: $6$/zjrDRS2tsshQ5S3$iJinyiJcMLspjc2VnrRd9DgWKBaBa0Zkl/iREfsnbk7HIcp.7Cben.EI4FobUY8zUHGkCljoZ4qiahCXimHhS/
sambaAcctFlags: [U ]
krb5MaxRenew: 604800
sambaSID: S-1-4-2010
sn: Froh
edyouLoginAllowed: 1
krb5MaxLife: 86400
sambaNTPassword: CAA1239D44DA7EDF926BCE39F5C65D0F
cn: Froh
objectClass: top
objectClass: person
objectClass: univentionPWHistory
objectClass: sambaSamAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: ownCloudUser
objectClass: edyouSettings
objectClass: univentionObject
objectClass: univentionPolicyReference
objectClass: uidObject
objectClass: simpleSecurityObject
objectClass: pkiUser
userPassword:: e2NyeXB0fSQ2JGhBdlVKRnoyWlVVaEhHcGgkNFBjY2NISGc5d0p1d1FiazM0dGlzSHNBN3BFYURzUGFkWEVoWEhFMWFTTFdUQlBSblBUaWV0N0l3TGg3TXJ4Um9lcjVZOTNTbWgvQTNCaU9GazNOSTE=
sambaPasswordHistory: D97918ADCEDCD0E681B2119EE0C3924A4B656B3722B0F3C6232DCDD8425476E4BF48D6E8813AFF58B1D866AFE45A40DD0CE3D3E2844141B81348BBD0D97CF0FE
krb5KDCFlags: 126
krb5KeyVersionNumber: 2
sambaPwdLastSet: 1420576424
univentionPolicyReference: cn=default-umc-all,cn=UMC,cn=policies,dc=dirk,dc=singlemaster,dc=intranet
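Added example, not part of the bug report and not Univention or Heimdal code: a krb5Key value is a DER structure carrying an enctype number and the key bytes, so an audit can group values by key and flag weak enctypes without printing any key. It assumes the Heimdal hdb `Key` layout named in the docstring; `make_sample` and the key bytes in `SAMPLE` are constructed for illustration.

```python
import base64
import hashlib
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
WEAK = {1, 2, 3, 23}  # single-DES and RC4 enctypes to flag

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # map tag -> value for the elements directly inside buf
    out, pos = {}, 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out[tag] = val
    return out

def describe_key(der):
    """Assumed layout: Key ::= SEQUENCE { [0] mkvno, [1] EncryptionKey, [2] salt }."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("krb5Key value is not a SEQUENCE")
    enc = children(read_tlv(children(body)[0xA1])[1])  # inside EncryptionKey
    etype = int.from_bytes(read_tlv(enc[0xA0])[1], "big")
    fp = hashlib.sha256(read_tlv(enc[0xA1])[1]).hexdigest()[:12]  # fingerprint only
    return ENCTYPES.get(etype, f"enctype-{etype}"), etype in WEAK, fp

def audit(b64_values):  # -> ({fingerprint: [enctype names]}, sorted weak enctypes)
    groups, weak = {}, set()
    for value in b64_values:
        name, is_weak, fp = describe_key(base64.b64decode(value))
        groups.setdefault(fp, []).append(name)
        if is_weak:
            weak.add(name)
    return groups, sorted(weak)

def make_sample(etype, key):  # builds one constructed krb5Key value (short DER lengths)
    t = lambda tag, body: bytes([tag, len(body)]) + body
    enc = t(0x30, t(0xA0, t(2, bytes([etype]))) + t(0xA1, t(4, key)))
    return base64.b64encode(t(0x30, t(0xA1, enc))).decode()

SAMPLE = ([make_sample(e, b"\x01" * 8) for e in (3, 2, 1)]  # constructed input
          + [make_sample(18, b"\x02" * 32)])
```

`audit(SAMPLE)` returns two fingerprint groups: one holding the three single-DES enctypes that share a key, and one holding the AES256 key.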
Samba 4 / Heimdal? Do you have any kerberos logs?
Which information do you need if I am able to reproduce this?
* dpkg -l heimdal-kdc samba4
* /var/log/heimdal-kdc.log

Currently I can only provoke another failure:

Passwort ändern fehlgeschlagen. Der Grund konnte nicht festgestellt werden. Für den Fall, dass es hilft, hier die originale Fehlernachricht: gensec_update failed: NT_STATUS_LOGON_FAILURE

Feb 7 16:25:49 ucs-4352 python2.7: pam_unix(univention-management-console:chauthtok): user "bug37474" does not exist in /etc/passwd

==> heimdal-kdc.log <==
2015-02-07T16:25:48 AS-REQ bug37474@MYDOMAIN.INTRANET from IPv4:127.0.0.1 for kadmin/changepw@MYDOMAIN.INTRANET
2015-02-07T16:25:48 Client sent patypes: REQ-ENC-PA-REP
2015-02-07T16:25:48 Looking for PK-INIT(ietf) pa-data -- bug37474@MYDOMAIN.INTRANET
2015-02-07T16:25:48 Looking for PK-INIT(win2k) pa-data -- bug37474@MYDOMAIN.INTRANET
2015-02-07T16:25:48 Looking for ENC-TS pa-data -- bug37474@MYDOMAIN.INTRANET
2015-02-07T16:25:48 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2015-02-07T16:25:48 sending 310 bytes to IPv4:127.0.0.1
2015-02-07T16:25:49 AS-REQ bug37474@MYDOMAIN.INTRANET from IPv4:127.0.0.1 for kadmin/changepw@MYDOMAIN.INTRANET
2015-02-07T16:25:49 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2015-02-07T16:25:49 Looking for PK-INIT(ietf) pa-data -- bug37474@MYDOMAIN.INTRANET
2015-02-07T16:25:49 Looking for PK-INIT(win2k) pa-data -- bug37474@MYDOMAIN.INTRANET
2015-02-07T16:25:49 Looking for ENC-TS pa-data -- bug37474@MYDOMAIN.INTRANET
2015-02-07T16:25:49 ENC-TS Pre-authentication succeeded -- bug37474@MYDOMAIN.INTRANET using aes256-cts-hmac-sha1-96
2015-02-07T16:25:49 ENC-TS pre-authentication succeeded -- bug37474@MYDOMAIN.INTRANET
2015-02-07T16:25:49 AS-REQ authtime: 2015-02-07T16:25:49 starttime: unset endtime: 2015-02-07T16:30:49 renew till: unset
2015-02-07T16:25:49 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2015-02-07T16:25:49 sending 732 bytes to IPv4:127.0.0.1
Ticket#2015070821000254
The reason is that the kerberos server is down. UCS 4.1 shows 'Make sure the kerberos service is functioning or inform an Administrator.' as error message. I think we can't do more than that?! So I am closing this as WORKFORME. For non-posix&non-kerberos users we have got Bug #39636.