From b97ff3d8e4636e46a8d9be10d935d73e56e56f1b Mon Sep 17 00:00:00 2001 From: Aurélien Bompard Date: Jul 08 2022 09:02:18 +0000 Subject: Add kpasswd_server to the Kerberos configuration According to [the KdcProxy docs](https://github.com/latchset/kdcproxy#configuring-a-client-for-kdcproxy), the configuration should have a `kpasswd_server` entry. It will enable the necessary password change flow for users with an expired password, and prevent issues such as [noggin #895](https://github.com/fedora-infra/noggin/issues/895). Without this value: ``` $ kinit -T FILE:/tmp/armor.ccache abompard@STG.FEDORAPROJECT.ORG Enter OTP Token Value: [password+OTP] Password expired. You must change it now. Enter new password: [new password] Enter it again: [new password] kinit: Cannot find KDC for realm "STG.FEDORAPROJECT.ORG" while getting initial credentials ``` With this value: ``` $ kinit -T FILE:$HOME/armor.ccache abompard@STG.FEDORAPROJECT.ORG Enter OTP Token Value: [password+OTP] Password expired. You must change it now. Enter new password: [new password] Enter it again: [new password] Enter OTP Token Value: [password+OTP] ``` Signed-off-by: Aurélien Bompard
---
diff --git a/krb-configs/fedoraproject_org b/krb-configs/fedoraproject_org
index 4f2dd10..d449804 100644
--- a/krb-configs/fedoraproject_org
+++ b/krb-configs/fedoraproject_org
@@ -1,6 +1,7 @@
 [realms]
 FEDORAPROJECT.ORG = {
 kdc = https://id.fedoraproject.org/KdcProxy
+ kpasswd_server = https://id.fedoraproject.org/KdcProxy
 pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
 }
 [domain_realm]
diff --git a/krb-configs/stg_fedoraproject_org b/krb-configs/stg_fedoraproject_org
index 940422e..71e3ac0 100644
--- a/krb-configs/stg_fedoraproject_org
+++ b/krb-configs/stg_fedoraproject_org
@@ -1,6 +1,7 @@
 [realms]
 STG.FEDORAPROJECT.ORG = {
 kdc = https://id.stg.fedoraproject.org/KdcProxy
+ kpasswd_server = https://id.stg.fedoraproject.org/KdcProxy
 pkinit_anchors = FILE:/etc/pki/ipa/stg_fedoraproject_ipa_ca.crt
 }
 [domain_realm]
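Review bot: Nothing in this realm block documents or pins the TLS trust for the HTTPS proxy that the added `kpasswd_server = https://id.stg.fedoraproject.org/KdcProxy` line now routes password changes through. No `http_anchors` entry is set, so per the MIT krb5 documentation the proxy certificate is checked against the system-wide CA bundle, and `pkinit_anchors` only covers PKINIT, not the HTTPS transport. If relying on the system store is intended, a comment line above the block would make that explicit, for example `# KdcProxy TLS is verified against the system CA store (http_anchors not set)`. The same applies to the FEDORAPROJECT.ORG block in krb-configs/fedoraproject_org, and the rest of both files lies outside the hunks, so this is worth confirming against the full configuration.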