samba3upgrade migration results, issues, questions
Sergey Urushkin
urushkin at telros.ru
Tue May 15 12:30:01 MDT 2012
Sergey Urushkin wrote on 07.05.2012 16:17:
>>> > The big domain problem I've mentioned in my previous message is that if
>>> > account's password expires (pwdlastset attr), it is not asked to change
>>> > account's password via kinit and this is _not_ normal, because password
>>> > has expired only, not account.
>>>
>>> I still need to investigate this.
> Will hopefully wait for results, please let me know about it.
Hi, Andrew.
It seems I found some info about this issue. It's related to heimdal
kinit. This issue appears with kinit version > 1.2.
I've tried to kinit (with an empty krb5.conf) an account with an expired
password using ubuntu 12.04's version 1.5.99 (1.6~git20120311) talking to
samba4 kdc and heimdal kdc 1.5.99 (1.6~git20120311) and got this issue. I
haven't got this issue with ubuntu 10.04's version 1.2 talking to samba4 kdc
(same) and freebsd 9.0's version 1.1 talking to heimdal kdc (same).
I feel this issue seems to be off-topic for this list (more for heimdal),
but I would be very thankful if you could give me some advice about it.
Here are the samba and heimdal logs when running kinit with an expired
password. What I found is that the new version of kinit sends additional
REQ-ENC-PA-REP data to the kdc, but I may be wrong.
NO SUCCESS on ubuntu 12.04 (samba and heimdal):
$ kinit --version
kinit (Heimdal 1.5.99)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs at h5l.org
SAMBA:
$ kinit test
test at REALM.LAN's Password:
kinit: krb5_get_init_creds: No ENC-TS found
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ test at REALM.LAN from ipv4:192.168.101.10:42307 for
krbtgt/REALM.LAN at REALM.LAN
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 149
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- test at REALM.LAN
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- test at REALM.LAN
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
test at REALM.LAN
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ test at REALM.LAN from ipv4:192.168.101.10:48196 for
krbtgt/REALM.LAN at REALM.LAN
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 149
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- test at REALM.LAN
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- test at REALM.LAN
[2012/05/15 21:20:28, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- test at REALM.LAN using
arcfour-hmac-md5
[2012/05/15 21:20:28, 2] ../source4/auth/sam.c:214(authsam_account_ok)
sam_account_ok: Account for user 'test at REALM.LAN' password expired!.
[2012/05/15 21:20:28, 2] ../source4/auth/sam.c:216(authsam_account_ok)
sam_account_ok: Password expired at 'Thu Jan 1 03:00:00 1970 MSK'
unix time.
HEIMDAL:
$ kinit test
test at REALM.LAN's Password:
kinit: krb5_get_init_creds: Password has expired
2012-05-15T21:08:29 AS-REQ test at REALM.LAN from IPv4:192.168.201.56 for
krbtgt/REALM.LAN at REALM.LAN
2012-05-15T21:08:29 Client sent patypes: REQ-ENC-PA-REP
2012-05-15T21:08:29 Looking for PK-INIT(ietf) pa-data -- test at REALM.LAN
2012-05-15T21:08:29 Looking for PK-INIT(win2k) pa-data --
test at REALM.LAN
2012-05-15T21:08:29 Looking for ENC-TS pa-data -- test at REALM.LAN
2012-05-15T21:08:29 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-05-15T21:08:29 sending 322 bytes to IPv4:192.168.201.56
2012-05-15T21:08:29 AS-REQ test at REALM.LAN from IPv4:192.168.201.56 for
krbtgt/REALM.LAN at REALM.LAN
2012-05-15T21:08:29 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-05-15T21:08:29 Looking for PK-INIT(ietf) pa-data -- test at REALM.LAN
2012-05-15T21:08:29 Looking for PK-INIT(win2k) pa-data --
test at REALM.LAN
2012-05-15T21:08:29 Looking for ENC-TS pa-data -- test at REALM.LAN
2012-05-15T21:08:29 ENC-TS Pre-authentication succeeded --
test at REALM.LAN using des3-cbc-sha1
2012-05-15T21:08:29 ENC-TS pre-authentication succeeded --
test at REALM.LAN
2012-05-15T21:08:29 Client's key has expired at 2006-02-11T19:59:35 --
test at REALM.LAN
2012-05-15T21:08:29 sending 127 bytes to IPv4:192.168.201.56
SUCCESS with ubuntu 10.04 (samba):
$ kinit --version
kinit (Heimdal 1.2.1)
Copyright 1995-2008 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs at h5l.org
$ kinit test
test at REALM.LAN's Password:
Your password will expire at Thu Jan 1 03:00:00 1970
Changing password
New password:
Repeat new password:
Success: Password changed
[2012/05/15 21:27:01, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ test at REALM.LAN from ipv4:192.168.102.100:58502 for
krbtgt/REALM.LAN at REALM.LAN
[2012/05/15 21:27:01, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
test at REALM.LAN
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ test at REALM.LAN from ipv4:192.168.102.100:54337 for
krbtgt/REALM.LAN at REALM.LAN
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- test at REALM.LAN
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- test at REALM.LAN
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- test at REALM.LAN using
arcfour-hmac-md5
[2012/05/15 21:27:04, 2] ../source4/auth/sam.c:214(authsam_account_ok)
sam_account_ok: Account for user 'test at REALM.LAN' password expired!.
[2012/05/15 21:27:04, 2] ../source4/auth/sam.c:216(authsam_account_ok)
sam_account_ok: Password expired at 'Thu Jan 1 03:00:00 1970 MSK'
unix time.
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ test at REALM.LAN from ipv4:192.168.102.100:50123 for
kadmin/changepw at REALM.LAN
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
test at REALM.LAN
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ test at REALM.LAN from ipv4:192.168.102.100:54866 for
kadmin/changepw at REALM.LAN
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- test at REALM.LAN
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- test at REALM.LAN
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- test at REALM.LAN using
arcfour-hmac-md5
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2012-05-15T21:27:04 starttime: unset
endtime: 2012-05-15T21:28:04 renew till: unset
[2012/05/15 21:27:04, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
des-cbc-md5, des-cbc-md4, des-cbc-crc, using
arcfour-hmac-md5/arcfour-hmac-md5
[2012/05/15 21:27:09, 3]
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
Found account name from PAC: test [test]
[2012/05/15 21:27:09, 3]
../source4/kdc/kpasswdd.c:206(kpasswdd_change_password)
Changing password of DOM\test
(S-1-5-21-530720856-2058831417-1202159320-1132)
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ test at REALM.LAN from ipv4:192.168.102.100:42159 for
krbtgt/REALM.LAN at REALM.LAN
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
test at REALM.LAN
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ test at REALM.LAN from ipv4:192.168.102.100:47460 for
krbtgt/REALM.LAN at REALM.LAN
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- test at REALM.LAN
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- test at REALM.LAN
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- test at REALM.LAN using
arcfour-hmac-md5
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2012-05-15T21:27:10 starttime: unset
endtime: 2012-05-16T07:27:01 renew till: unset
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
des-cbc-md5, des-cbc-md4, des-cbc-crc, using
arcfour-hmac-md5/arcfour-hmac-md5
[2012/05/15 21:27:10, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: forwardable
SUCCESS on Freebsd 9.0 (heimdal)...
# kinit --version
kinit (Heimdal 1.1.0)
Copyright 1995-2008 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs at h5l.org
# kinit test
test at REALM.LAN's Password:
Your password will expire at Sat Feb 11 19:59:35 2006
Changing password
New password:
Repeat new password:
Success: Password changed
2012-05-15T21:09:49 AS-REQ test at REALM.LAN from IPv4:172.16.0.1 for
krbtgt/REALM.LAN at REALM.LAN
2012-05-15T21:09:49 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-05-15T21:09:49 sending 322 bytes to IPv4:172.16.0.1
2012-05-15T21:09:49 AS-REQ test at REALM.LAN from IPv4:172.16.0.1 for
krbtgt/REALM.LAN at REALM.LAN
2012-05-15T21:09:49 Client sent patypes: ENC-TS
2012-05-15T21:09:49 Looking for PK-INIT(ietf) pa-data -- test at REALM.LAN
2012-05-15T21:09:49 Looking for PK-INIT(win2k) pa-data --
test at REALM.LAN
2012-05-15T21:09:49 Looking for ENC-TS pa-data -- test at REALM.LAN
2012-05-15T21:09:49 ENC-TS Pre-authentication succeeded --
test at REALM.LAN using des3-cbc-sha1
2012-05-15T21:09:49 ENC-TS pre-authentication succeeded --
test at REALM.LAN
2012-05-15T21:09:49 Client's key has expired at 2006-02-11T19:59:35 --
test at REALM.LAN
2012-05-15T21:09:49 sending 127 bytes to IPv4:172.16.0.1
2012-05-15T21:09:49 AS-REQ test at REALM.LAN from IPv4:172.16.0.1 for
kadmin/changepw at REALM.LAN
2012-05-15T21:09:49 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-05-15T21:09:49 sending 320 bytes to IPv4:172.16.0.1
2012-05-15T21:09:49 AS-REQ test at REALM.LAN from IPv4:172.16.0.1 for
kadmin/changepw at REALM.LAN
2012-05-15T21:09:49 Client sent patypes: ENC-TS
2012-05-15T21:09:49 Looking for PK-INIT(ietf) pa-data -- test at REALM.LAN
2012-05-15T21:09:49 Looking for PK-INIT(win2k) pa-data --
test at REALM.LAN
2012-05-15T21:09:49 Looking for ENC-TS pa-data -- test at REALM.LAN
2012-05-15T21:09:49 ENC-TS Pre-authentication succeeded --
test at REALM.LAN using des3-cbc-sha1
2012-05-15T21:09:49 ENC-TS pre-authentication succeeded --
test at REALM.LAN
2012-05-15T21:09:49 AS-REQ authtime: 2012-05-15T21:09:49 starttime:
unset endtime: 2012-05-15T21:10:49 renew till: unset
2012-05-15T21:09:49 Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
des-cbc-md5, des-cbc-md4, des-cbc-crc, using des3-cbc-sha1/des3-cbc-sha1
2012-05-15T21:09:49 sending 681 bytes to IPv4:172.16.0.1
Thanks.
--
Best regards,
Sergey Urushkin
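An added example (not from the post or from Samba/Heimdal) showing how a KDC admin could read Samba 4 KDC logs like the ones above mechanically: it records which pa-types the client offered per requested service (so the extra "149" sent by the newer kinit stands out) and checks whether an expired-password report was followed by a kadmin/changepw AS-REQ and a fresh TGT. The log lines are constructed samples condensed to one event per line, with "@" restored.

```python
import re
# Constructed sample KDC logs, one event per line in the shape of the Samba 4
# output quoted above (condensed, "@" restored; not a verbatim copy of it).
NEW_KINIT = """\
Kerberos: AS-REQ test@REALM.LAN from ipv4:192.168.101.10:42307 for krbtgt/REALM.LAN@REALM.LAN
Kerberos: Client sent patypes: 149
Kerberos: AS-REQ test@REALM.LAN from ipv4:192.168.101.10:48196 for krbtgt/REALM.LAN@REALM.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 149
sam_account_ok: Account for user 'test@REALM.LAN' password expired!.
"""
OLD_KINIT = """\
Kerberos: AS-REQ test@REALM.LAN from ipv4:192.168.102.100:54337 for krbtgt/REALM.LAN@REALM.LAN
Kerberos: Client sent patypes: encrypted-timestamp
sam_account_ok: Account for user 'test@REALM.LAN' password expired!.
Kerberos: AS-REQ test@REALM.LAN from ipv4:192.168.102.100:54866 for kadmin/changepw@REALM.LAN
Kerberos: AS-REQ test@REALM.LAN from ipv4:192.168.102.100:47460 for krbtgt/REALM.LAN@REALM.LAN
Kerberos: AS-REQ authtime: 2012-05-15T21:27:10 starttime: unset endtime: 2012-05-16T07:27:01 renew till: unset
"""
AS_REQ = re.compile(r"AS-REQ (\S+) from \S+ for (\S+)$")
PATYPES = re.compile(r"Client sent patypes: (.*)$")

def summarize(log):
    # Per-service pa-types the client offered, plus whether the expired-password flow ran.
    s = {"patypes": {}, "password_expired": False,
         "changepw_request": False, "tgt_issued": False}
    service = None
    for line in log.splitlines():
        m = AS_REQ.search(line)
        if m:
            service = m.group(2)
            s["changepw_request"] |= service.startswith("kadmin/changepw")
            continue
        m = PATYPES.search(line)
        if m and service:
            s["patypes"].setdefault(service, set()).update(map(str.strip, m.group(1).split(",")))
        elif "password expired" in line:
            s["password_expired"] = True
        elif "AS-REQ authtime:" in line and service and service.startswith("krbtgt/"):
            s["tgt_issued"] = True
    return s

def diagnose(s):
    # Classify the session the way a KDC admin would when reading the log.
    if not s["password_expired"]:
        return "no expiry reported"
    if s["changepw_request"] and s["tgt_issued"]:
        return "expired password changed and TGT issued"
    if s["changepw_request"]:
        return "change-password exchange started but no TGT followed"
    return "expired password reported, client never asked for kadmin/changepw"
```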