Public bug reported:

Problem description:

The kinit command does not prompt for a password change when pre-
authentication is enabled and the password is marked as expired in ADS;
instead it falls back with an error:

 kinit: Generic preauthentication failure while getting initial credentials.

If the users defined in ADS do not have pre-authentication, then we are
correctly prompted to change the password.

This affects Ubuntu Precise LTS:
$ lsb_release -rd
Description:    Ubuntu 12.04 LTS
Release:        12.04

How to reproduce:

1. Set up a Microsoft ADS and configure a user with pre-authentication enabled.
2. Expire its password.
3. In Ubuntu Precise, request a ticket:
    $ kinit

Expected results:

A password change should be prompted as follows:
$ kinit
Password for user@KRB.DOMAIN:
Password expired. You must change it now.
Enter new password:

Actual results:

$ kinit
Password for user@KRB.DOMAIN:
kinit: Generic preauthentication failure while getting initial credentials

Tested the upstream patch with both 2008 and 2003 ADS, and it works as expected.

This has been reported and fixed both:
- In Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670457
- Upstream: http://src.mit.edu/fisheye/changelog/krb5?cs=25822

** Affects: krb5 (Ubuntu)
     Importance: High
         Status: New

** Changed in: krb5 (Ubuntu)
   Importance: Medium => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1003369

Title:
  kinit can't change expired password with kerberos pre-authentication
  enabled
