#176 Add kpasswd_server to the Kerberos configuration
Merged 2 years ago by kevin. Opened 2 years ago by abompard.
abompard/fedora-packager kpasswd-server  into  main

@@ -1,6 +1,7 @@ 

  [realms]

   FEDORAPROJECT.ORG = {

          kdc = https://id.fedoraproject.org/KdcProxy

+         kpasswd_server = https://id.fedoraproject.org/KdcProxy

          pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt

   }

  [domain_realm]
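Review bot: The verification in the description only exercises the STG.FEDORAPROJECT.ORG realm, so for this production hunk the commit message should state that id.fedoraproject.org/KdcProxy was also confirmed to serve kpasswd requests, or note that this is assumed from the KdcProxy docs. The value mirrors the `kdc` line exactly, so a short comment in the snippet saying that password changes are relayed through the same proxy endpoint would keep a later reader from assuming a separate kpasswd host was meant.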

@@ -1,6 +1,7 @@ 

  [realms]

   STG.FEDORAPROJECT.ORG = {

          kdc = https://id.stg.fedoraproject.org/KdcProxy

+         kpasswd_server = https://id.stg.fedoraproject.org/KdcProxy

          pkinit_anchors = FILE:/etc/pki/ipa/stg_fedoraproject_ipa_ca.crt

   }

  [domain_realm]
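Review bot: This staging hunk is the one the description's transcripts actually test, so it is fine as is; since the production and staging snippets are edited in lockstep here, consider saying so in the commit message so the two files do not drift the next time only one of them is touched.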

According to the KdcProxy docs, the configuration should have a kpasswd_server entry. It will enable the necessary password change flow for users with an expired password,
and prevent issues such as noggin #895.

Without this value:

$ kinit -T FILE:/tmp/armor.ccache abompard@STG.FEDORAPROJECT.ORG
Enter OTP Token Value: [password+OTP]
Password expired.  You must change it now.
Enter new password: [new password]
Enter it again: [new password]
kinit: Cannot find KDC for realm "STG.FEDORAPROJECT.ORG" while getting initial credentials

With this value:

$ kinit -T FILE:$HOME/armor.ccache abompard@STG.FEDORAPROJECT.ORG
Enter OTP Token Value: [password+OTP]
Password expired.  You must change it now.
Enter new password: [new password]
Enter it again: [new password]
Enter OTP Token Value: [password+OTP]
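A small check for the situation the transcripts above illustrate: a realm whose `kdc` is an HTTPS KdcProxy URL but which has no `kpasswd_server`, so the password-change step after "Password expired" has no server to find. This is an added example, not code from the fedora-packager repository; the krb5.conf text it parses is constructed inline, and it only handles the one level of `NAME = { ... }` nesting that the `[realms]` section uses.

```python
"""Report realms in a krb5.conf that reach the KDC through an HTTPS proxy
(kdc = https://...) but define no kpasswd_server.
Added example; not from the fedora-packager repository."""
import re
from typing import Dict, List

# Constructed sample: the first realm is the pre-fix state, the second is post-fix.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = FEDORAPROJECT.ORG

[realms]
  FEDORAPROJECT.ORG = {
    kdc = https://id.fedoraproject.org/KdcProxy
    pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
  }
  STG.FEDORAPROJECT.ORG = {
    kdc = https://id.stg.fedoraproject.org/KdcProxy
    kpasswd_server = https://id.stg.fedoraproject.org/KdcProxy
    pkinit_anchors = FILE:/etc/pki/ipa/stg_fedoraproject_ipa_ca.crt
  }

[domain_realm]
  .fedoraproject.org = FEDORAPROJECT.ORG
"""


def parse_realms(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {realm: {key: [values]}} for the [realms] section.
    A key may repeat (several kdc lines are legal), so values are kept as lists."""
    realms: Dict[str, Dict[str, List[str]]] = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # krb5.conf comments start with '#'
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            current = None
            continue
        if section != "realms":
            continue
        opener = re.fullmatch(r"([^\s=]+)\s*=\s*\{", line)
        if opener:
            current = opener.group(1)
            realms.setdefault(current, {})
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            realms[current].setdefault(key, []).append(value)
    return realms


def realms_missing_kpasswd_server(text: str) -> List[str]:
    """Realms whose kdc is an HTTPS KDC proxy URL but that set no kpasswd_server."""
    missing = []
    for realm, entries in parse_realms(text).items():
        uses_proxy = any(v.startswith("https://") for v in entries.get("kdc", []))
        if uses_proxy and "kpasswd_server" not in entries:
            missing.append(realm)
    return sorted(missing)


if __name__ == "__main__":
    for realm in realms_missing_kpasswd_server(SAMPLE_KRB5_CONF):
        print(f"{realm}: kdc is an HTTPS proxy but kpasswd_server is not set")
```

Run against a real file with `realms_missing_kpasswd_server(open("/etc/krb5.conf").read())`; the check is deliberately narrow (HTTPS proxy without kpasswd_server) rather than flagging every realm without the key, since realms that reach a plain KDC over UDP/TCP locate kpasswd on their own.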

Huh. I thought this wouldn't work with OTP... but it sounds like it does?

If so, +1 from me.

Is there also a DNS entry for kpasswd server we should add?

The updated krb5 config with a defined kpasswd_server let me unlock my account. The web password reset flow is still having issues. I've updated my comments in the Github issue.

There is one clarifying item here:

init -T FILE:$HOME/armor.ccache user@REALM
Enter OTP Token Value: [current password+OTP]
Password expired.  You must change it now.
Enter new password: [new password]
Enter it again: [new password]
Enter OTP Token Value: [new password+OTP]

Let's go ahead and merge this.

Pull-Request has been merged by kevin, 2 years ago