Bug 41617 - Samba 4.3: kinit message "Password has expired" changed to "No ENC-TS found"
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-2-errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner

Reported: 2016-06-20 16:54 CEST by Arvid Requate
Modified: 2018-03-15 08:26 CET

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
School Customer affected?: Yes
Ticket number: 2016061621000275

Attachments
kinit_KRB5KDC_ERR_NAME_EXP.log (2.87 KB, text/x-log)
2016-06-20 16:54 CEST, Arvid Requate
Description Arvid Requate univentionstaff 2016-06-20 16:54:08 CEST
Created attachment 7755
kinit_KRB5KDC_ERR_NAME_EXP.log

During research for Ticket#: 2016061621000275 we discovered that there is a slight change of behaviour of kinit after updating to Samba 4.3.7:

When a user password has expired, kinit against a Samba 4.1.0 KDC clearly reports "Password has expired". After updating to Samba 4.3.7 the error message changed to "No ENC-TS found", the default error message in Heimdal. The attached output of kinit with increased log level shows that the KDC reports error ID "-1765328361", which translates to the proper error message "Password has expired" (I used the code of Bug 38736 Comment 1 to find the corresponding error message from the system Heimdal libraries). Apart from this, everything else seems to work.

==============================================================================

## UCS 3.2-8 erratalevel 394
## Samba 2:4.1.0-1.821.201512142147

root@master30:~# udm users/user create \
                     --set username=dummy1 --set lastname=name1 \
                     --set password=univention --set pwdChangeNextLogin=1
Object created: uid=dummy1,dc=ar323i2,dc=qa


root@master30:~# kinit dummy1
dummy1@AR323I2.QA's Password: 
kinit: krb5_get_init_creds: Password has expired


## Update to UCS 3.2-8 erratalevel 435
## Samba 2:4.3.7-...

root@master30:~# kinit dummy1
dummy1@AR323I2.QA's Password: 
kinit: krb5_get_init_creds: No ENC-TS found

==============================================================================
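
The error ID quoted in the description can also be decoded by hand, because a com_err error number packs a table name (up to four characters, six bits each) above an 8-bit offset. The following is an added example, not the code from Bug 38736 Comment 1 and not part of the original report; the function names are hypothetical, and the symbol table is a small subset of the error numbers in RFC 4120 section 7.5.9.

```python
# Added example: split a com_err error number into (table name, offset).
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
ERRCODE_RANGE = 8   # low 8 bits: offset of the error inside its table
BITS_PER_CHAR = 6   # table name: up to 4 characters, 6 bits each

# Subset of Kerberos protocol error numbers (RFC 4120 section 7.5.9).
RFC4120_ERRORS = {
    1: "KDC_ERR_NAME_EXP",
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
}


def table_base(name):
    """Return the signed 32-bit base number of the com_err table `name`."""
    if not 1 <= len(name) <= 4:
        raise ValueError("com_err table names have 1 to 4 characters")
    value = 0
    for ch in name:
        # Characters are stored as index + 1 so that 0 means "no character".
        value = (value << BITS_PER_CHAR) | (CHARSET.index(ch) + 1)
    value = (value << ERRCODE_RANGE) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def decode(code):
    """Return (table name, offset, RFC 4120 symbol or None) for `code`."""
    raw = code & 0xFFFFFFFF                      # view as unsigned 32-bit
    offset = raw & ((1 << ERRCODE_RANGE) - 1)
    packed = raw >> ERRCODE_RANGE
    name = ""
    for shift in (18, 12, 6, 0):                 # most significant char first
        idx = (packed >> shift) & 0x3F
        if idx:
            name += CHARSET[idx - 1]
    symbol = RFC4120_ERRORS.get(offset) if name == "krb5" else None
    return name, offset, symbol


if __name__ == "__main__":
    # Error ID taken from the description above.
    print(decode(-1765328361))
```
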
Comment 1 Arvid Requate univentionstaff 2016-06-20 16:54:55 CEST
Same with UCS 4.1-0 (Samba 4.3.3).
Comment 2 Stefan Gohmann univentionstaff 2017-09-14 08:56:48 CEST
Worksforme:

root@master421:~# udm users/user create \
>                      --set username=dummy1 --set lastname=name1 \
>                      --set password=univention --set pwdChangeNextLogin=1
Object created: uid=dummy1,dc=deadlock42,dc=intranet
root@master421:~# kinit dummy1
dummy1@DEADLOCK42.INTRANET's Password: 
kinit: krb5_get_init_creds: Password has expired
root@master421:~# ucr search --brief version/
repository/mirror/version/end: <empty>
repository/mirror/version/start: <empty>
version/erratalevel: 164
version/patchlevel: 2
version/releasename: Lesum
version/version: 4.2
root@master421:~# samba -V
Version 4.6.1-Debian
root@master421:~#
Comment 3 Felix Botner univentionstaff 2017-09-15 15:09:46 CEST
OK

-> samba-tool domain passwordsettings set --max-pwd-age=2
-> samba-tool user create test1
-> kinit test1
test1@FOUR.TWO's Password: 
Your password will expire at Sun Sep 17 15:06:34 2017


-> service samba stop
-> date -s "Sep 15 15:06:46 CEST 2018"
-> service samba start

-> kinit test1
test1@FOUR.TWO's Password: 
kinit: krb5_get_init_creds: Password has expired
Comment 4 Stefan Gohmann univentionstaff 2018-03-15 08:26:00 CET
Nothing to release.