[Bug 1003369] [NEW] kinit can't change expired password with kerberos pre-authentication enabled
Jose Plans
1003369 at bugs.launchpad.net
Wed May 23 11:37:56 UTC 2012
Public bug reported:
Problem description:
The kinit command does not prompt for a password change when pre-
authentication is enabled and the password is marked as expired in ADS,
instead it falls back with an error:
kinit: Generic preauthentication failure while getting initial
credentials.
If the users defined in ADS do not have pre-authentication, then we are
correctly prompted to change the password.
This affects Ubuntu Precise LTS
$ lsb_release -rd
Description: Ubuntu 12.04 LTS
Release: 12.04
How to reproduce:
1. Setup a Microsoft ADS and configure a user with pre-authentication enabled.
2. Expire its password.
3. In Ubuntu Precise, request a ticket:
$ kinit
Expected results:
A password change should be prompted as follows:
$ kinit
Password for user at KRB.DOMAIN:
Password expired. You must change it now.
Enter new password:
Actual results:
$ kinit
Password for user at KRB.DOMAIN:
kinit: Generic preauthentication failure while getting initial credentials
Tested the upstream patch with both 2008/2003 ADS and works as expected.
This has been reported upstream fixed both:
- In Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670457
- Upstream: http://src.mit.edu/fisheye/changelog/krb5?cs=25822
** Affects: krb5 (Ubuntu)
Importance: High
Status: New
** Changed in: krb5 (Ubuntu)
Importance: Medium => High
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1003369
Title:
kinit can't change expired password with kerberos pre-authentication
enabled
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1003369/+subscriptions
More information about the Ubuntu-server-bugs
mailing list