• Force to change password for users

    From Carlos Lopez@21:1/5 to All on Fri Apr 19 12:06:05 2024
    Hi all,

    I have installed a new Kerberos server under RHEL9. All is working ok, except when I try to create users. All users are created with the "+needchange" flag enabled to force the user to change their own password.

    At first user login, the Kerberos server reports the password has expired:

    2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED PWCHANGE: [email protected] for krbtgt/[email protected], Password has expired
    2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
    2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
    2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
    2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for kadmin/changepw@MYDOM.ORG

    But on the client side, the user can log in without problems and no password change is requested.

    Any idea? Maybe I need to reconfigure something on the server side?

    Best regards,
    C. L. Martinez

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Carlos Lopez on Fri Apr 19 12:27:18 2024
    To: [email protected] ([email protected])

    On 4/19/24 08:06, Carlos Lopez wrote:
    [...] AS_REQ [...] REQUIRED PWCHANGE: [email protected] for krbtgt/[email protected], Password has expired
    [...] AS_REQ [...] NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
    [...] AS_REQ [...] ISSUE: [...] [email protected] for kadmin/[email protected]

    But on the client side, the user can log in without problems and no password change is requested.

    These are the messages I would expect in the log, including user1
    getting a ticket to perform a password change.

    You say the user can log in. Do they have tickets, or do you just mean
    a login session is authorized based on the Kerberos interaction? What client-side software is being used?

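The REQUIRED PWCHANGE, then kadmin/changepw ISSUE sequence that Greg describes as the expected log, turned into a small KDC log audit. This is an added example, not code from the thread or from MIT krb5: it parses AS_REQ lines in the format quoted above and flags any principal that is issued a krbtgt ticket after REQUIRED PWCHANGE with no changepw ticket in between, which is what an admin-cleared needchange flag would look like. The sample lines, the principal user2, the addresses and the one-entry etype list are constructed.

```python
"""Audit MIT krb5kdc AS_REQ lines for the +needchange sequence.
Added example: the regex follows the log format quoted in the thread; the
sample lines below are constructed, with the etype list cut to one entry."""
import re

# ts, host, krb5kdc[pid], etypes, client IP, status, optional ISSUE details
# ("authtime ..., etypes {...}, "), then "<client> for <server>[, message]".
AS_REQ_RE = re.compile(
    r"^(?P<ts>\S+) \S+ krb5kdc\[\d+\]: AS_REQ \(.*?\) (?P<ip>[\d.]+): "
    r"(?P<status>REQUIRED PWCHANGE|NEEDED_PREAUTH|ISSUE): (?:.*?, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:,.*)?$"
)

SAMPLE_LOG = """\
2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.19.11.14: REQUIRED PWCHANGE: user1@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG, Password has expired
2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.19.11.14: NEEDED_PREAUTH: user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG, Additional pre-authentication required
2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.19.11.14: ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user1@MYDOM.ORG for kadmin/changepw@MYDOM.ORG
2024-04-19T08:38:31.100000+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.19.11.14: ISSUE: authtime 1713515911, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user1@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG
2024-04-19T08:40:00.000000+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.19.11.20: REQUIRED PWCHANGE: user2@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG, Password has expired
2024-04-19T08:40:05.000000+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.19.11.20: ISSUE: authtime 1713516005, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user2@MYDOM.ORG for krbtgt/MYDOM.ORG@MYDOM.ORG
"""

def parse_as_req(line):
    """Fields of an AS_REQ line as a dict, or None for any other line."""
    m = AS_REQ_RE.match(line)
    return m.groupdict() if m else None

def audit(log_text):
    """Returns (completed, findings). completed: principals that got a
    kadmin/changepw ticket after REQUIRED PWCHANGE (the expected path).
    findings: (principal, pwchange_ts, tgt_ts) for a krbtgt ticket issued
    with no changepw ticket in between: needchange was cleared elsewhere."""
    pending, completed, findings = {}, [], []
    for line in log_text.splitlines():
        ev = parse_as_req(line)
        if ev is None:
            continue  # e.g. "closing down fd 13" or TGS_REQ lines
        client, server = ev["client"], ev["server"]
        if ev["status"] == "REQUIRED PWCHANGE":
            pending[client] = ev["ts"]
        elif ev["status"] == "ISSUE":
            if server.startswith("kadmin/changepw@"):
                if pending.pop(client, None) is not None:
                    completed.append(client)
            elif server.startswith("krbtgt/") and client in pending:
                findings.append((client, pending.pop(client), ev["ts"]))
    return completed, findings
```

A changepw ticket only shows that the client asked to change the password; whether kpasswd succeeded is recorded in the kadmind log, not here.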
  • From Carlos Lopez@21:1/5 to Greg Hudson on Fri Apr 19 17:06:10 2024
    To: [email protected] ([email protected])

    The user acquires a Kerberos ticket and the login session is authorized. This log is for an ssh access ...

    Best regards,
    C. L. Martinez

  • From Ken Hornstein@21:1/5 to Carlos Lopez on Fri Apr 19 13:34:32 2024
    Copy: [email protected] (Greg Hudson)
    Copy: [email protected] ([email protected])

    The user acquires a Kerberos ticket and the login session is authorized. This log is for an ssh access ...

    I think you're missing some of the details that Greg is asking for. When you say "ssh access", do you mean that you are using gssapi-with-mic or gssapi-keyex authentication with ssh, or does ssh ask for the user's Kerberos password? If the latter, ssh does not have that native ability, so is it going through the PAM stack to make that happen? If so, which PAM module are you using?

    --Ken
