Univention Bugzilla – Bug 30840
strange kinit password change behaviour on a samba4 DC
Last modified: 2017-08-08 07:09:39 CEST
kinit password change behaviour on a samba4 DC is a bit strange: 1. sometimes it says 'Password incorrect' in the end, although the password change succeeded 2. sometimes it says 'krb5_get_init_creds: No ENC-TS found' in the end, although the password change succeeded 3. you never have a ticket after a kinit password change (That's a bit like if you would not be logged in after an ssh/pam password change). ## Password change behaviour #1 root@master10:~# udm users/user modify --dn uid=user4,cn=users,dc=arucs31i0,dc=qa --set pwdChangeNextLogin=1 root@backup11:~# kinit user4 user4@ARUCS31I0.QA's Password: Your password will expire at Thu Jan 1 01:00:00 1970 Changing password New password: Repeat new password: Success: Password changed kinit: Password incorrect root@backup11:~# klist klist: No ticket file: /tmp/krb5cc_0 root@backup11:~# kinit user4 user4@ARUCS31I0.QA's Password: root@backup11:~# kdestroy root@backup11:~# ## Password change behaviour #2 root@master10:~# udm users/user modify --dn uid=user4,cn=users,dc=arucs31i0,dc=qa --set pwdChangeNextLogin=1 root@backup11:~# kinit user4 user4@ARUCS31I0.QA's Password: Your password will expire at Thu Jan 1 01:00:00 1970 Changing password New password: Repeat new password: Success: Password changed kinit: krb5_get_init_creds: No ENC-TS found root@backup11:~# klist klist: No ticket file: /tmp/krb5cc_0 root@backup11:~# kinit user4 user4@ARUCS31I0.QA's Password: root@backup11:~# kdestroy root@backup11:~#
maybe related: http://forum.univention.de/viewtopic.php?f=48&t=2709 From my point of view it should be checked if this behaviour is really related to Samba 4. Depencies to kinit itself are possible candidates.
I guess this is what happens: 2. "krb5_get_init_creds: No ENC-TS found" This message seems to indicate that the password is expired (see e.g. http://www.pdc.kth.se/resources/software/login-1/kinit-error-messages ). This in turn indicates that the KDC that kinit contacts for re-authentication with the new password (after changing it) is not yet aware of the fact that it has been changed successfully. And indeed ucr set kerberos/defaults/dns_lookup_kdc=false kerberos/kdc=127.0.0.1:88 fixes this message. This will be fixed via Bug 29291 in UCS 3.2. Unfortunately this brings up the error message number 1: 1. Success: Password changed\n\nkinit: Password incorrect This smells a bit like a race condition, and a posting by a Debian maintainer seems to confirm this assumption: http://comments.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/6626 As a result, no ticket is obtained. As a workaround kinit can be repeated manually with the new password.
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
This issue has been filed against UCS 3.1. UCS 3.1 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.