[Bug 1004465] Re: heimdal and mit kinit doesn't handle expired credentials
urusha
1004465 at bugs.launchpad.net
Sun Jul 29 04:43:50 UTC 2012
MIT kinit has been fixed here:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/988520
** Changed in: krb5 (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1004465
Title:
heimdal and mit kinit doesn't handle expired credentials
Status in “heimdal” package in Ubuntu:
Confirmed
Status in “krb5” package in Ubuntu:
Fix Released
Status in “heimdal” package in Debian:
New
Bug description:
Hi.
Ubuntu 12.04 i386, amd64
For now, Kerberos kinit (both MIT and Heimdal) doesn't handle expired (or 'must change') passwords. That's a serious regression (Lucid is fine): no integration (PAM) into Kerberos environments that use password expiration can be done. Tested with Heimdal KDC (file and LDAP db) and win2008r2 KDC on several machines. This bug stops us from migrating to the next LTS in our environment. I think it should be fixed.
Heimdal KDC logs are in the attachment. What I can see in these logs is that the Lucid Heimdal kinit doesn't send the REQ-ENC-PA-REP patype, while the Precise kinits do. Might this be the reason? If more info is needed, please just ask.
How to reproduce:
# apt-get -y install heimdal-kdc
# cat > /etc/krb5.conf
[libdefaults]
default_realm = TEST.LAN
[realms]
TEST.LAN = {
kdc=127.0.0.1
}
# kadmin -l init TEST.LAN
# kadmin -l add test
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:2000-01-01 # Set expiration time to the past
Attributes []:
Policy [default]:
test@TEST.LAN's Password:
Verify password - test@TEST.LAN's Password:
# apt-get -y install heimdal-clients
# dpkg -l |grep heimdal-clients
ii heimdal-clients 1.6~git20120311.dfsg.1-2 Heimdal Kerberos - clients
# kinit --version
kinit (Heimdal 1.5.99)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org
# kinit test
test@TEST.LAN's Password:
kinit: krb5_get_init_creds: Password has expired
And it doesn't ask to change the password.
# apt-get -y install krb5-user
# dpkg -l |grep krb5-user
ii krb5-user 1.10+dfsg~beta1-2 Basic programs to authenticate using MIT Kerberos
# kinit test
Password for test@TEST.LAN:
kinit: Generic preauthentication failure while getting initial credentials
And again it doesn't ask to change the password.
But kpasswd works fine (Heimdal & MIT):
# kpasswd test
test@TEST.LAN's Password:
Your password will expire at Tue Jan 2 02:59:59 2000
New password for test@TEST.LAN:
Verify password - New password for test@TEST.LAN:
Success : Password changed
At the same time, everything works fine with Ubuntu 10.04 Heimdal (1.2) and
FreeBSD 9.0 Heimdal (1.1) (the KDC is still from Ubuntu 12.04); it does
change the password if that is required.
Thanks.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1004465/+subscriptions