If you are still affected by this issue on 12.04 or 14.40, please reply in this bug and we can consider it for SRU.
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1004465

Title:
  heimdal and mit kinit doesn't handle expired credentials

Status in heimdal package in Ubuntu:
  Fix Released
Status in krb5 package in Ubuntu:
  Fix Released
Status in heimdal package in Debian:
  Fix Released

Bug description:
  Hi.

  Ubuntu 12.04 i386,amd64

  For now Kerberos (both MIT and Heimdal) kinit doesn't handle expired (or 'must change') passwords. That's a serious regression (lucid is fine): no integration (PAM) into Kerberos environments that use password expiration could be done. Tested with heimdal kdc (file and ldap db) and win2008r2 kdc on several machines.

  This bug stops us from migrating to the next LTS in our environment. Thinking it should be fixed.

  Heimdal KDC logs are in the attachment. What I can see in these logs is that lucid heimdal kinit doesn't send the REQ-ENC-PA-REP patype while precise kinits send it. May this be the reason?

  If more info is needed please just ask.

  How to reproduce:

  # apt-get -y install heimdal-kdc
  # cat > /etc/krb5.conf
  [libdefaults]
  default_realm = TEST.LAN
  [realms]
  TEST.LAN = {
  kdc=127.0.0.1
  }
  # kadmin -l init TEST.LAN
  # kadmin -l add test
  Max ticket life [1 day]:
  Max renewable life [1 week]:
  Principal expiration time [never]:
  Password expiration time [never]:2000-01-01 # Set expiration time to the past
  Attributes []:
  Policy [default]:
  t...@test.lan's Password:
  Verify password - t...@test.lan's Password:

  # apt-get -y install heimdal-clients
  # dpkg -l |grep heimdal-clients
  ii heimdal-clients 1.6~git20120311.dfsg.1-2 Heimdal Kerberos - clients
  # kinit --version
  kinit (Heimdal 1.5.99)
  Copyright 1995-2011 Kungliga Tekniska Högskolan
  Send bug-reports to heimdal-b...@h5l.org
  # kinit test
  t...@test.lan's Password:
  kinit: krb5_get_init_creds: Password has expired

  And no asking for changing password.

  # apt-get -y install krb5-user
  # dpkg -l |grep krb5-user
  ii krb5-user 1.10+dfsg~beta1-2 Basic programs to authenticate using MIT Kerberos
  # kinit test
  Password for t...@test.lan:
  kinit: Generic preauthentication failure while getting initial credentials

  And no asking for changing password again.

  But kpasswd works fine (heimdal & mit):

  # kpasswd test
  t...@test.lan's Password:
  Your password will expire at Tue Jan 2 02:59:59 2000
  New password for t...@test.lan:
  Verify password - New password for t...@test.lan:
  Success : Password changed

  At the same time everything works fine with Ubuntu 10.04 heimdal (1.2) and FreeBSD 9.0 heimdal (1.1) (kdc is still from Ubuntu 12.04): it does change the password if it's required.

  Thanks.