[Bug 1004465] Re: heimdal and mit kinit doesn't handle expired credentials

Nish Aravamudan nish.aravamudan at canonical.com
Mon Dec 19 19:03:52 UTC 2016


If you are still affected by this issue on 12.04 or 14.40, please reply
in this bug and we can consider it for SRU.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1004465

Title:
  heimdal and mit kinit doesn't handle expired credentials

Status in heimdal package in Ubuntu:
  Fix Released
Status in krb5 package in Ubuntu:
  Fix Released
Status in heimdal package in Debian:
  Fix Released

Bug description:
  Hi.

  Ubuntu 12.04 i386, amd64

  For now, Kerberos kinit (both MIT and Heimdal) doesn't handle expired (or 'must change') passwords. That's a serious regression (lucid is fine): no integration (PAM) into Kerberos environments that use password expiration can be done. Tested with Heimdal KDC (file and LDAP db) and win2008r2 KDC on several machines. This bug stops us from migrating to the next LTS in our environment. I think it should be fixed.
  Heimdal KDC logs are in the attachment. What I can see in these logs is that the lucid Heimdal kinit doesn't send the REQ-ENC-PA-REP patype, while the precise kinits do send it. Might this be the reason? If more info is needed, please just ask.

  How to reproduce:

  # apt-get -y install heimdal-kdc
  # cat > /etc/krb5.conf
  [libdefaults]
  	default_realm = TEST.LAN

  [realms]
  	TEST.LAN = {
  	    kdc=127.0.0.1
  	}

  # kadmin -l init TEST.LAN
  # kadmin -l add test
  Max ticket life [1 day]:
  Max renewable life [1 week]:
  Principal expiration time [never]:
  Password expiration time [never]:2000-01-01     # Set expiration time to the past
  Attributes []:
  Policy [default]:
  test@TEST.LAN's Password: 
  Verify password - test@TEST.LAN's Password:

  # apt-get -y install heimdal-clients
  # dpkg -l |grep heimdal-clients
  ii  heimdal-clients                  1.6~git20120311.dfsg.1-2   Heimdal Kerberos - clients
  # kinit --version
  kinit (Heimdal 1.5.99)
  Copyright 1995-2011 Kungliga Tekniska Högskolan
  Send bug-reports to heimdal-bugs at h5l.org
  # kinit test
  test@TEST.LAN's Password: 
  kinit: krb5_get_init_creds: Password has expired

  And it does not ask to change the password.

  # apt-get -y install krb5-user
  # dpkg -l |grep krb5-user
  ii  krb5-user                       1.10+dfsg~beta1-2            Basic programs to authenticate using MIT Kerberos
  # kinit test
  Password for test@TEST.LAN: 
  kinit: Generic preauthentication failure while getting initial credentials

  And again, it does not ask to change the password.
  But kpasswd works fine (heimdal & mit):
  # kpasswd test
  test@TEST.LAN's Password: 
  Your password will expire at Tue Jan  2 02:59:59 2000

  New password for test@TEST.LAN: 
  Verify password - New password for test@TEST.LAN: 
  Success : Password changed

  At the same time, everything works fine with Ubuntu 10.04 Heimdal (1.2)
  and FreeBSD 9.0 Heimdal (1.1) (the KDC is still from Ubuntu 12.04): they
  do change the password if it's required.

  Thanks.
