• Force to change password for users

    From Carlos Lopez@21:1/5 to All on Fri Apr 19 12:06:05 2024
    Hi all,

    I have installed a new Kerberos server under RHEL9. All is working OK, except when I try to create users. All users are created with the "+needchange" flag enabled to force the user to change their own password.

    At first user login, the Kerberos server reports that the password has expired:

    2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED PWCHANGE: user1@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG, Password has expired
    2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
    2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: NEEDED_PREAUTH: user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG, Additional pre-authentication required
    2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
    2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG

    But on the client side, the user can log in without problems and no password change is requested.

    Any idea? Maybe I need to reconfigure something on the server side?

    Best regards,
    C. L. Martinez

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Carlos Lopez on Fri Apr 19 12:27:18 2024
    To: kerberos@mit.edu (kerberos@mit.edu)

    On 4/19/24 08:06, Carlos Lopez wrote:
    [...] AS_REQ [...] REQUIRED PWCHANGE: user1@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG, Password has expired
    [...] AS_REQ [...] NEEDED_PREAUTH: user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG, Additional pre-authentication required
    [...] AS_REQ [...] ISSUE: [...] user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG

    But on the client side, the user can log in without problems and no password change is requested.

    These are the messages I would expect in the log, including user1
    getting a ticket to perform a password change.

    You say the user can log in. Do they have tickets, or do you just mean
    a login session is authorized based on the Kerberos interaction? What client-side software is being used?

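    As an added example (not part of the thread), a small parser for the krb5kdc AS_REQ lines quoted above that reports, per principal, whether the +needchange flow completed on the KDC side: a REQUIRED PWCHANGE refusal, then a kadmin/changepw ticket, then a fresh krbtgt ticket after the change. The sample log is constructed from the lines in the thread (etype list shortened) plus a made-up user2 that completes the change; the regex is written for the line shape shown here and is an assumption for other log formats.

```python
import re
from collections import defaultdict

# Shape of the krb5kdc AS_REQ lines quoted in the thread (other lines are skipped).
AS_REQ_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) krb5kdc\[\d+\]: AS_REQ \(.*?\) (?P<client>[\d.]+): "
    r"(?P<status>[A-Z_ ]+?): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<principal>\S+) for (?P<service>\S+?)(?:, (?P<msg>.*))?$"
)

def parse_as_req(line):
    """Return the fields of one AS_REQ line as a dict, or None for any other line."""
    m = AS_REQ_RE.match(line.strip())
    return m.groupdict() if m else None

def needchange_report(lines):
    """Per principal refused with REQUIRED PWCHANGE: did it then get a kadmin/changepw
    ticket, and after that a new krbtgt ticket (the password was really changed)?"""
    events = defaultdict(list)
    for line in lines:
        rec = parse_as_req(line)
        if rec:
            events[rec["principal"]].append((rec["status"], rec["service"]))
    report = {}
    for principal, evs in events.items():
        statuses = [s for s, _ in evs]
        if "REQUIRED PWCHANGE" not in statuses:
            continue
        start = statuses.index("REQUIRED PWCHANGE")
        changepw = [i for i in range(start, len(evs)) if evs[i][0] == "ISSUE" and evs[i][1].startswith("kadmin/changepw@")]
        # A TGT only counts if it was issued after the change-password ticket.
        tgt_after = changepw and any(s == "ISSUE" and svc.startswith("krbtgt/") for s, svc in evs[changepw[0] + 1:])
        report[principal] = {"changepw_ticket": bool(changepw), "tgt_after_change": bool(tgt_after)}
    return report

# Constructed sample log modelled on the lines in the thread (etype list shortened).
def kdc_line(ts, rest):
    return f"{ts} rhelidmsrv01 krb5kdc[21392]: AS_REQ (2 etypes {{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}}) 172.19.11.14: {rest}"

ISSUE_ETYPES = "etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}"
SAMPLE_LOG = [
    kdc_line("2024-04-19T08:38:20.946335+00:00", "REQUIRED PWCHANGE: user1@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG, Password has expired"),
    "2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13",
    kdc_line("2024-04-19T08:38:20.946712+00:00", "NEEDED_PREAUTH: user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG, Additional pre-authentication required"),
    kdc_line("2024-04-19T08:38:20.950691+00:00", f"ISSUE: authtime 1713515900, {ISSUE_ETYPES}, user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG"),
    # user2 is constructed to show what a completed change looks like: a krbtgt ticket follows.
    kdc_line("2024-04-19T08:40:01.000000+00:00", "REQUIRED PWCHANGE: user2@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG, Password has expired"),
    kdc_line("2024-04-19T08:40:01.100000+00:00", f"ISSUE: authtime 1713516001, {ISSUE_ETYPES}, user2@MYDOM.ORG for kadmin/changepw@MYDOM.ORG"),
    kdc_line("2024-04-19T08:40:30.000000+00:00", f"ISSUE: authtime 1713516030, {ISSUE_ETYPES}, user2@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG"),
]
```

For user1 the report shows a changepw ticket but no later krbtgt ticket, which matches the thread: the KDC did its part and whatever runs on the client never completed the change.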
  • From Carlos Lopez@21:1/5 to Greg Hudson on Fri Apr 19 17:06:10 2024
    To: kerberos@mit.edu (kerberos@mit.edu)

    The user acquires a Kerberos ticket and the login session is authorized. This log is for an ssh access ...

    Best regards,
    C. L. Martinez

  • From Ken Hornstein@21:1/5 to Carlos Lopez on Fri Apr 19 13:34:32 2024
    Copy: ghudson@mit.edu (Greg Hudson)
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    The user acquires a Kerberos ticket and the login session is authorized. This log
    is for an ssh access ...

    I think you're missing some of the details that Greg is asking for. When you
    say "ssh access", do you mean that you are using gssapi-with-mic or gssapi-keyex authentication with ssh, or does ssh ask for the user's
    Kerberos password? If the latter, ssh does not have that native ability,
    so is it going through the PAM stack to make that happen? If so, which
    PAM module are you using?

    --Ken
