Univention Bugzilla – Bug 41617
Samba 4.3: kinit message "Password has expired" changed to "No ENC-TS found"
Last modified: 2018-03-15 08:26:00 CET
Created attachment 7755
kinit_KRB5KDC_ERR_NAME_EXP.log

During research for Ticket#: 2016061621000275 we discovered that there is a slight change of behaviour of kinit after updating to Samba 4.3.7:

When a user password has expired, kinit against a Samba 4.1.0 KDC clearly reports "Password has expired". After updating to Samba 4.3.7 the error message changed to "No ENC-TS found", the default error message in Heimdal.

The attached output of kinit with increased log level shows that the KDC reports error ID "-1765328361", which translates to the proper error message "Password has expired" (I used the code of Bug 38736 Comment 1 to find the corresponding error message from the system Heimdal libraries).

Apart from this, everything else seems to work.

==============================================================================
## UCS 3.2-8 erratalevel 394
## Samba 2:4.1.0-1.821.201512142147

root@master30:~# udm users/user create \
    --set username=dummy1 --set lastname=name1 \
    --set password=univention --set pwdChangeNextLogin=1
Object created: uid=dummy1,dc=ar323i2,dc=qa

root@master30:~# kinit dummy1
dummy1@AR323I2.QA's Password:
kinit: krb5_get_init_creds: Password has expired

## Update to UCS 3.2-8 erratalevel 435
## Samba 2:4.3.7-...

root@master30:~# kinit dummy1
dummy1@AR323I2.QA's Password:
kinit: krb5_get_init_creds: No ENC-TS found
==============================================================================
Same with UCS 4.1-0 (Samba 4.3.3).
Worksforme:

root@master421:~# udm users/user create \
> --set username=dummy1 --set lastname=name1 \
> --set password=univention --set pwdChangeNextLogin=1
Object created: uid=dummy1,dc=deadlock42,dc=intranet
root@master421:~# kinit dummy1
dummy1@DEADLOCK42.INTRANET's Password:
kinit: krb5_get_init_creds: Password has expired
root@master421:~# ucr search --brief version/
repository/mirror/version/end: <empty>
repository/mirror/version/start: <empty>
version/erratalevel: 164
version/patchlevel: 2
version/releasename: Lesum
version/version: 4.2
root@master421:~# samba -V
Version 4.6.1-Debian
root@master421:~#
OK

-> samba-tool domain passwordsettings set --max-pwd-age=2
-> samba-tool user create test1
-> kinit test1
test1@FOUR.TWO's Password:
Your password will expire at Sun Sep 17 15:06:34 2017
-> service samba stop
-> date -s "Sep 15 15:06:46 CEST 2018"
-> service samba start
-> kinit test1
test1@FOUR.TWO's Password:
kinit: krb5_get_init_creds: Password has expired
Nothing to release.