#8797 kinit: Password incorrect while getting initial credentials
Closed: Fixed 2 months ago by kevin. Opened 2 months ago by pauld.

Could you look at why when I do:
$ kinit pauld@FEDORAPROJECT.ORG
I get:
kinit: Password incorrect while getting initial credentials

On the fedora-devel mailing list, we suggested that maybe I used forgotten-password to set my password and need to use change password in the web interface. But I wanted to send you info on what happened to document it before I try to change password in the web page.

So with debug info that gives:
[paul@localhost ~]$ KRB5_TRACE=/dev/stdout kinit pauld@FEDORAPROJECT.ORG
[14948] 1585600301.789712: Getting initial credentials for pauld@FEDORAPROJECT.ORG
[14948] 1585600301.789714: Sending unauthenticated request
[14948] 1585600301.789715: Sending request (208 bytes) to FEDORAPROJECT.ORG
[14948] 1585600301.789716: Resolving hostname id.fedoraproject.org
[14948] 1585600301.789717: TLS certificate name matched "id.fedoraproject.org"
[14948] 1585600301.789718: Sending HTTPS request to https 209.132.190.2:443
[14948] 1585600302.217356: Received answer (317 bytes) from https 209.132.190.2:443
[14948] 1585600302.217357: Terminating TCP connection to https 209.132.190.2:443
[14948] 1585600302.217358: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[14948] 1585600302.217359: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[14948] 1585600302.217360: Response was from master KDC
[14948] 1585600302.217361: Received error from KDC: -1765328359/Additional pre-authentication required
[14948] 1585600302.217364: Preauthenticating using KDC method data
[14948] 1585600302.217365: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[14948] 1585600302.217366: Selected etype info: etype aes256-cts, salt "8!$`SL%>!#>{@XL-", params ""
[14948] 1585600302.217367: Received cookie: MIT
Password for pauld@FEDORAPROJECT.ORG:
[14948] 1585600307.224409: AS key obtained for encrypted timestamp: aes256-cts/04E6
[14948] 1585600307.224411: Encrypted timestamp (for 1585600307.148369): plain 301AA011180F32303230303333303230333134375AA1050203024391, encrypted AA53AF5D5EC817B3335E4AB6F831E874F68B2839743259832E4EE62638D3B2377D41E04358B589C33732738CAF99D792E57CDCD9626C9C2E
[14948] 1585600307.224412: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[14948] 1585600307.224413: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[14948] 1585600307.224414: Sending request (303 bytes) to FEDORAPROJECT.ORG
[14948] 1585600307.224415: Resolving hostname id.fedoraproject.org
[14948] 1585600307.224416: TLS certificate name matched "id.fedoraproject.org"
[14948] 1585600307.224417: Sending HTTPS request to https 8.43.85.67:443
[14948] 1585600307.224418: Received answer (317 bytes) from https 8.43.85.67:443
[14948] 1585600307.224419: Terminating TCP connection to https 8.43.85.67:443
[14948] 1585600307.224420: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[14948] 1585600307.224421: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[14948] 1585600307.224422: Response was from master KDC
[14948] 1585600307.224423: Received error from KDC: -1765328360/Preauthentication failed
kinit: Password incorrect while getting initial credentials
[paul@localhost ~]$


I would like that done by 2020/04/07.


Ok, I did change my password in the web interface of FAS, and it works now:
[paul@localhost ~]$ KRB5_TRACE=/dev/stdout kinit pauld@FEDORAPROJECT.ORG
[15307] 1585601613.137422: Getting initial credentials for pauld@FEDORAPROJECT.ORG
[15307] 1585601613.137424: Sending unauthenticated request
[15307] 1585601613.137425: Sending request (208 bytes) to FEDORAPROJECT.ORG
[15307] 1585601613.137426: Resolving hostname id.fedoraproject.org
[15307] 1585601613.137427: TLS certificate name matched "id.fedoraproject.org"
[15307] 1585601613.137428: Sending HTTPS request to https 152.19.134.198:443
[15307] 1585601613.137429: Received answer (317 bytes) from https 152.19.134.198:443
[15307] 1585601613.137430: Terminating TCP connection to https 152.19.134.198:443
[15307] 1585601613.137431: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[15307] 1585601613.137432: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[15307] 1585601613.137433: Response was from master KDC
[15307] 1585601613.137434: Received error from KDC: -1765328359/Additional pre-authentication required
[15307] 1585601613.137437: Preauthenticating using KDC method data
[15307] 1585601613.137438: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[15307] 1585601613.137439: Selected etype info: etype aes256-cts, salt "K|Jn8 MlR&w%<,z", params ""
[15307] 1585601613.137440: Received cookie: MIT
Password for pauld@FEDORAPROJECT.ORG:
[15307] 1585601619.922813: AS key obtained for encrypted timestamp: aes256-cts/1D27
[15307] 1585601619.922815: Encrypted timestamp (for 1585601620.341063): plain 301AA011180F32303230303333303230353334305AA1050203053447, encrypted 35A2FEF7CEFDA842DAB5572A4F67545916F5FBCB75B2A66EA6C507C31CCE5F1373E3DDDE4F14282F7D347BFD38AF9AD4B006DFEAFC33AF3A
[15307] 1585601619.922816: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[15307] 1585601619.922817: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[15307] 1585601619.922818: Sending request (303 bytes) to FEDORAPROJECT.ORG
[15307] 1585601619.922819: Resolving hostname id.fedoraproject.org
[15307] 1585601620.43413: TLS certificate name matched "id.fedoraproject.org"
[15307] 1585601620.43414: Sending HTTPS request to https 8.43.85.73:443
[15307] 1585601620.43415: Received answer (785 bytes) from https 8.43.85.73:443
[15307] 1585601620.43416: Terminating TCP connection to https 8.43.85.73:443
[15307] 1585601620.43417: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[15307] 1585601620.43418: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[15307] 1585601620.43419: Response was from master KDC
[15307] 1585601620.43420: Processing preauth types: PA-ETYPE-INFO2 (19)
[15307] 1585601620.43421: Selected etype info: etype aes256-cts, salt "K|Jn8 MlR&w%<,z", params ""
[15307] 1585601620.43422: Produced preauth for next request: (empty)
[15307] 1585601620.43423: AS key determined by preauth: aes256-cts/1D27
[15307] 1585601620.43424: Decrypted AS reply; session key is: aes256-cts/9A3F
[15307] 1585601620.43425: FAST negotiation: available
[15307] 1585601620.43426: Initializing KCM:1000 with default princ pauld@FEDORAPROJECT.ORG
[15307] 1585601620.43427: Storing pauld@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG in KCM:1000
[15307] 1585601620.43428: Storing config in KCM:1000 for krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG: fast_avail: yes
[15307] 1585601620.43429: Storing pauld@FEDORAPROJECT.ORG -> krb5_ccache_conf_data/fast_avail/krbtgt\/FEDORAPROJECT.ORG\@FEDORAPROJECT.ORG@X-CACHECONF: in KCM:1000
[15307] 1585601620.43430: Storing config in KCM:1000 for krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG: pa_type: 2
[15307] 1585601620.43431: Storing pauld@FEDORAPROJECT.ORG -> krb5_ccache_conf_data/pa_type/krbtgt\/FEDORAPROJECT.ORG\@FEDORAPROJECT.ORG@X-CACHECONF: in KCM:1000
[paul@localhost ~]$

I don't know if you can do something about people that did change their password by forgot-password...
So leaving open to let you look at it.

We are actually well along the way to rewriting our account system... the new one will not have this issue.

Unfortunately the way the current one is set up has this limitation. :(

Glad you got it working.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
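
An added example, not part of the ticket and not Fedora or MIT krb5 code: traces like the two above include the salt and the encrypted-timestamp bytes, both tied to the password-derived AS key, so this sketch scrubs those fields before a trace is pasted into a public tracker and reports how the attempt ended. The sample trace, the principal `user@EXAMPLE.ORG` and the `<redacted>` marker are constructed for illustration.

```python
import re

# One KRB5_TRACE line: "[pid] seconds.microseconds: message"
TRACE_LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
KDC_ERROR = re.compile(r"Received error from KDC: (-?\d+)/(.+)$")
# Fields tied to the password-derived key: the salt and the preauth blob
SALT = re.compile(r'(salt ")(.*)(", params)')
HEX_BLOB = re.compile(r"\b(plain|encrypted) [0-9A-F]{16,}")

# Constructed sample in the format of the traces above (not real data)
SAMPLE = '''\
[4242] 1700000000.000001: Getting initial credentials for user@EXAMPLE.ORG
[4242] 1700000000.000002: Received error from KDC: -1765328359/Additional pre-authentication required
[4242] 1700000000.000003: Selected etype info: etype aes256-cts, salt "EXAMPLEsalt", params ""
Password for user@EXAMPLE.ORG:
[4242] 1700000005.000001: Encrypted timestamp (for 1700000005.000000): plain 301AA0110000000000000000, encrypted AABBCCDDEEFF00112233445566778899
[4242] 1700000005.000002: Received error from KDC: -1765328360/Preauthentication failed
kinit: Password incorrect while getting initial credentials
'''

def redact(trace):
    """Scrub the salt and encrypted-timestamp bytes; keep everything else."""
    out = []
    for line in trace.splitlines():
        line = SALT.sub(r"\1<redacted>\3", line)
        line = HEX_BLOB.sub(r"\1 <redacted>", line)
        out.append(line)
    return "\n".join(out)

def outcome(trace):
    """Classify one kinit attempt; returns (verdict, list of KDC errors)."""
    errors, stored = [], False
    for line in trace.splitlines():
        m = TRACE_LINE.match(line)
        if not m:
            continue  # password prompt, shell prompt, kinit's own error line
        msg = m.group(3)
        err = KDC_ERROR.search(msg)
        if err:
            errors.append((int(err.group(1)), err.group(2)))
        if msg.startswith("Storing ") and "krbtgt/" in msg:
            stored = True  # a TGT reached the credential cache
    if stored:
        return "tgt-stored", errors
    return ("kdc-error: " + errors[-1][1] if errors else "incomplete"), errors

if __name__ == "__main__":
    print(redact(SAMPLE))
    print(outcome(SAMPLE)[0])
```

The first KDC error (additional pre-authentication required) appears in both the failing and the successful trace, so `outcome` reports only the last error, and only when no ticket was stored.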
