Hi,

We are experiencing the same behavior on Samba AD DC 4.15.5; we are going to report a bug on bugzilla.samba.org as you suggested.

Thanks again.

Lic. Mateo Duffour
Unidad Informática
2901.40.91

18 de julio 985 - Piso 3, Montevideo, Uruguay
(http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay)
http://www.fnr.gub.uy/

Do not print me unless necessary. Let's protect the environment. This message and the information attached to it are addressed exclusively to the recipient. It may contain confidential, privileged or restricted-use information protected by regulation. If you received this e-mail in error, please notify the sender and delete the original. Any other use of this e-mail by you is prohibited.


From: "Alexander Bokovoy" <aboko...@redhat.com> 
To: "Mateo Duffour" <mduff...@fnr.gub.uy> 
Cc: "Sumit Bose" <sb...@redhat.com>, "freeipa-users" 
<freeipa-users@lists.fedorahosted.org>, "tizo" <tiz...@gmail.com> 
Sent: Friday, 11 March, 2022 15:03:58 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

On Fri, 11 Mar 2022, Mateo Duffour wrote:


Hi, 

We installed Samba AD DC from this repo:
https://samba.tranquil.it/redhat8/samba-4.14.10/
It's running on Rocky Linux and it's in a trust relationship with IdM.



Thanks. So this is a build with an embedded Heimdal Kerberos version, and a
relatively old one.

This sounds like a bug worth opening Samba upstream. There is nothing 
specific to FreeIPA in this communication, though. What happens is that 
a Kerberos client (in this case kpasswd) attempts to change a password 
and fails when expecting a response on Kerberos level from Samba AD DC. 

It may be a mix of expectations between kpasswd from MIT Kerberos (on
Rocky) and Heimdal (embedded in Samba AD DC), but to fix it you'd need
to talk to Samba AD developers.

Please open a bug at bugzilla.samba.org, attach this capture and the
kpasswd trace logs. Also please provide details of which Samba build
this is in the bug report.

Prior to doing that, maybe try an upgrade to Samba 4.15.5, which is
available in the same repositories from Tranquil IT
(https://samba.tranquil.it/redhat8/).


Regards, 



From: "Alexander Bokovoy" <aboko...@redhat.com> 
To: "Mateo Duffour" <mduff...@fnr.gub.uy> 
Cc: "Sumit Bose" <sb...@redhat.com>, "freeipa-users" 
<freeipa-users@lists.fedorahosted.org>, "tizo" <tiz...@gmail.com> 
Sent: Friday, 11 March, 2022 14:07:58 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

On Fri, 11 Mar 2022, Mateo Duffour wrote:


Hi, 

I've sent the network capture attached; it was made with tcpdump on the
IdM server towards the Samba AD DC server, while trying to log in with ssh
as user5.



Hi, 

can you give more details about this Samba AD DC installation? What 
Samba version is that? How was it built? 




Regards, 



From: "tizo" <tiz...@gmail.com> 
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
Cc: "Mateo Duffour" <mduff...@fnr.gub.uy>, "Alexander Bokovoy" 
<aboko...@redhat.com>, "Sumit Bose" <sb...@redhat.com> 
Sent: Friday, 11 March, 2022 11:38:50 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 




Hi, 

this is still the same pattern. Would it be possible to get a network
trace to better understand what the KDC reply looks like and what might
not be as expected by libkrb5?

Additionally, can you try to set the password for the user with the 
expired password with 

KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST..... 

and send the output? 

bye, 
Sumit 





Hi there. I work with Mateo. We are sending the network capture in some 
minutes, but to get ahead I am sending the other test: 

# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx
[47521] 1647008539.753136: Getting initial credentials for u...@adtest.xxx.xxx.xx
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753138: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753140: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753141: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
[47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776860: Response was from master KDC
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776864: Preauthenticating using KDC method data
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00"
[47521] 1647008540.776867: PKINIT client has no configured identity; giving up
[47521] 1647008540.776868: PKINIT client has no configured identity; giving up
[47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Password for u...@adtest.xxx.xxx.xx:
[47521] 1647008555.456745: AS key obtained for encrypted timestamp: aes256-cts/0DAE
[47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202): plain 301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted 588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[47521] 1647008555.456749: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458248: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008556.458250: Received answer (1438 bytes) from stream 10.2.100.3:88
[47521] 1647008556.458251: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458252: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458253: Response was from master KDC
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458255: Received salt "ADTEST.XXX.XXX.XXusu5" via padata type PA-PW-SALT (3)
[47521] 1647008556.458256: Produced preauth for next request: (empty)
[47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE
[47521] 1647008556.458258: Decrypted AS reply; session key is: aes256-cts/35D9
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket

FYI, I have tried the same test with a user WITHOUT an expired password, and it
does not work either; the log is exactly the same. Indeed, when I log in
with ssh as this user, I cannot change the password either:

$ passwd 
Changing password for user u...@adtest.xxx.xx.xx. 
Current Password: 
Password change failed. Server message: Old password not accepted. 
passwd: Authentication token manipulation error 

Thanks very much. 






-- 
/ Alexander Bokovoy 
Sr. Principal Software Engineer 
Security / Identity Management Engineering 
Red Hat Limited, Finland 




_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
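The KRB5_TRACE output in the thread is easier to reason about, and easier to attach to a bug report, once it is reduced to a short timeline: which KDCs were contacted and which answered, what pre-authentication the KDC offered, which error codes came back, and whether the exchange was FAST-armored. The Python helper below is an added example for this thread, not code from the list, from FreeIPA or from MIT Kerberos. It parses a trace of the shape shown above; the embedded sample trace is constructed, modelled on the posted one with the placeholder realm ADTEST.EXAMPLE, and the `findings()` heuristics are this example's own.

```python
"""Summarize a MIT Kerberos KRB5_TRACE log such as the kpasswd output in the thread.
Added example; the embedded trace is constructed (placeholder realm ADTEST.EXAMPLE),
modelled on the posted one, and is not the original capture."""
import re

# KRB5_TRACE entries look like "[pid] seconds.microseconds: message".
TRACE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
KDC_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)")
PREAUTH_RE = re.compile(r"Processing preauth types: (.*)")
PA_TYPE_RE = re.compile(r"(PA-[A-Z0-9_-]+) \((\d+)\)")
CONNECT_RE = re.compile(r"Initiating TCP connection to stream (\S+)")
RECV_RE = re.compile(r"Received answer \((\d+) bytes\) from stream (\S+)")
ETYPE_RE = re.compile(r"Selected etype info: etype (\S+),")

# Constructed sample, shaped like the trace posted in the thread.
SAMPLE_TRACE = """\
[47521] 1647008539.753136: Getting initial credentials for usu5@ADTEST.EXAMPLE
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.EXAMPLEusu5"
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008556.458250: Received answer (1438 bytes) from stream 10.2.100.3:88
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458258: Decrypted AS reply; session key is: aes256-cts/35D9
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket
"""


def parse_trace(text):
    """Split a trace into (timestamp, message) entries and untimestamped client lines."""
    entries, client_lines = [], []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            entries.append((float(m.group(2)), m.group(3)))
        elif line.strip():
            client_lines.append(line.strip())
    return entries, client_lines


def summarize(text):
    """Reduce a trace to the facts a troubleshooter (or a bug report) needs."""
    entries, client_lines = parse_trace(text)
    s = {
        "kdc_errors": [],          # (code, message) pairs the KDC returned
        "preauth_offered": [],     # (name, number) of each PA type the KDC offered
        "etype": None,             # enctype chosen from PA-ETYPE-INFO2
        "kdcs_tried": [],          # streams the client opened, in order
        "kdcs_answered": [],       # streams that actually returned a reply
        "reply_sizes": [],         # KDC reply sizes in bytes
        "fast_armored": True,      # cleared if the trace reports FAST unavailable
        "unauthenticated_request": False,
        "enc_timestamp_used": False,
        "as_reply_decrypted": False,
        "elapsed_s": 0.0,
        "client_error": client_lines[-1] if client_lines else None,
    }
    for _, msg in entries:
        if m := KDC_ERR_RE.search(msg):
            s["kdc_errors"].append((int(m.group(1)), m.group(2)))
        elif m := PREAUTH_RE.search(msg):
            s["preauth_offered"] += [(n, int(c)) for n, c in PA_TYPE_RE.findall(m.group(1))]
        elif m := ETYPE_RE.search(msg):
            s["etype"] = m.group(1)
        elif m := CONNECT_RE.search(msg):
            if m.group(1) not in s["kdcs_tried"]:
                s["kdcs_tried"].append(m.group(1))
        elif m := RECV_RE.search(msg):
            s["reply_sizes"].append(int(m.group(1)))
            if m.group(2) not in s["kdcs_answered"]:
                s["kdcs_answered"].append(m.group(2))
        elif msg.startswith("FAST negotiation: unavailable"):
            s["fast_armored"] = False
        elif msg.startswith("Sending unauthenticated request"):
            s["unauthenticated_request"] = True
        elif msg.startswith("Preauth module encrypted_timestamp") and "0/Success" in msg:
            s["enc_timestamp_used"] = True
        elif msg.startswith("Decrypted AS reply"):
            s["as_reply_decrypted"] = True
    if entries:
        s["elapsed_s"] = entries[-1][0] - entries[0][0]
    return s


def findings(s):
    """Observations worth stating in a bug report (heuristics of this example)."""
    out = []
    for kdc in s["kdcs_tried"]:
        if kdc not in s["kdcs_answered"]:
            out.append(f"KDC {kdc} was contacted but never answered; check it is reachable")
    if s["enc_timestamp_used"] and not s["fast_armored"]:
        out.append("encrypted-timestamp preauth ran without FAST armor (KDC reported FAST unavailable)")
    if s["as_reply_decrypted"] and s["client_error"]:
        out.append(f"client decrypted the AS reply but still rejected it: '{s['client_error']}'; "
                   "attach the raw KDC reply from the network capture")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_TRACE)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for line in findings(summary):
        print("finding:", line)
```

Run against a real trace with `summarize(open("kpasswd.trace").read())`; the three findings it produces on the sample match what the thread concludes by hand: the first KDC address never answered, the AS exchange was not FAST-armored, and the client decrypted the reply but then rejected it, which is exactly why the KDC-side reply bytes from the capture are what the Samba bug report needs.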
