[Bug 1003369] Re: kinit can't change expired password with kerberos pre-authentication enabled

urusha 1003369 at bugs.launchpad.net
Fri May 25 12:32:30 UTC 2012 

Hi.
Seems, I've just filled another bug report about this issue (found your report only after). It's similar to yours but also affects heimdal's kinit. Can you confirm it? Looks like for now precise contains no kerberos which could handle expired passwords.
Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1003369

Title:
  kinit can't change expired password with kerberos pre-authentication
  enabled

Status in “krb5” package in Ubuntu:
  Confirmed

Bug description:
  Problem description:

  The kinit command does not prompt for a password change when pre-
  authentication is enabled and the password is marked as expired in
  ADS, instead it falls back with an error:

   kinit: Generic preauthentication failure while getting initial
  credentials.

  If the users defined in ADS do not have pre-authentication, then we
  are correctly prompted to change the password.

  This affects Ubuntu Precise LTS
  $ lsb_release -rd
  Description:	Ubuntu 12.04 LTS
  Release:	12.04

  How to reproduce:

  1. Setup a Microsoft ADS and configure a user with pre-authentication enabled.
  2. Expire its password.
  3. In Ubuntu Precise, request a ticket:
      $ kinit

  Expected results:

  A password change should be prompted as follows:
  $ kinit
  Password for user at KRB.DOMAIN:
  Password expired. You must change it now.
  Enter new password:

  Actual results:

  $ kinit
  Password for user at KRB.DOMAIN:
  kinit: Generic preauthentication failure while getting initial credentials

  Tested the upstream patch with both 2008/2003 ADS and works as
  expected.

  This has been reported upstream fixed both:
  - In Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670457
  - Upstream: http://src.mit.edu/fisheye/changelog/krb5?cs=25822

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1003369/+subscriptions

More information about the foundations-bugs mailing list