[Bug 715765] Re: Can't change kerberos password, pam-krb5 try_first_pass also fails
Russ Allbery
rra at debian.org
Wed Apr 25 19:57:58 UTC 2012
This bug was introduced in MIT Kerberos 1.10. After a failing
authentication with preauth required in a particular Kerberos context,
all subsequent authentications in that context that require preauth will
fail. Upstream has fixed this with commit 25822.
This is a fairly serious issue, blocking not only password change but
any other situation where multiple passwords are tried in the same
context, such as try_first_pass with PAM modules. You may want to try
to fix this before the precise release.
** Summary changed:
- Can't change kerberos password
+ Can't change kerberos password, pam-krb5 try_first_pass also fails
** Changed in: krb5 (Ubuntu)
Status: Triaged => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/715765
Title:
Can't change kerberos password, pam-krb5 try_first_pass also fails
Status in “krb5” package in Ubuntu:
Confirmed
Bug description:
$ kpasswd
Password for user at EXAMPLE.COM:
Enter new password:
Enter it again:
Server error: Failed decrypting request
Trying with passwd:
$ passwd
Ändern des Passworts für user.
(aktuelles) UNIX-Passwort:
passwd: Fehler beim Ändern des Authentifizierungstoken
passwd: password unchanged
It is impossible to change the password. /etc/krb5.conf:
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    kdc_timesync = 1
    ccache_type = 4
    no-addresses = true
    forwardable = true
    proxiable = true
[realms]
    EXAMPLE.COM = {
        kdc = 192.168.1.4
        admin_server = 192.168.1.4
        default_domain = example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
[login]
    krb4_convert = true
    krb4_get_tickets = false
[logging]
    default = FILE:/var/log/kerberos/krb5lib.log
I am handed a TGT when logging in:
$ klist -f5
Ticket cache: FILE:/tmp/krb5cc_2023
Default principal: user at EXAMPLE.COM
Valid starting     Expires            Service principal
02/07/11 14:49:30  02/08/11 00:49:30  krbtgt/EXAMPLE.COM at EXAMPLE.COM
        renew until 02/08/11 14:49:31, Flags: FPRIA
02/07/11 18:28:29  02/08/11 00:49:30  host/srv.example.com at EXAMPLE.COM
        renew until 02/08/11 14:49:31, Flags: FPRAT
$
I can call kadmin:
$ kadmin
Authenticating as principal user/admin at EXAMPLE.COM with password.
Password for user/admin at EXAMPLE.COM:
kadmin:
It is no problem to change the password then.
None of the hosts has IPv6 addresses. They're all on IPv4.
ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: krb5-user 1.8.1+dfsg-5ubuntu0.2
Uname: Linux 2.6.36.3 x86_64
Architecture: amd64
Date: Wed Feb 9 14:24:46 2011
ProcEnviron:
PATH=(custom, user)
LANG=de_DE.utf8
SHELL=/bin/bash
SourcePackage: krb5
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/715765/+subscriptions