freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#2496 krbpasswordexpiration field in LDAP cannot have value >= 20380119031408Z

Created 6 years ago by dpal
Modified a year ago

https://bugzilla.redhat.com/show_bug.cgi?id=797333 (Red Hat Enterprise Linux 6)

+++ This bug was initially created as a clone of Bug #796641 +++

Description of problem:
kinit fails with the message:

kinit: ASN.1 failed call to system time library while getting initial
credentials

Or (krbpasswordexpiration == 20380119031408Z) tells you to change your password:
Password expired.  You must change it now.
Enter new password:

Version-Release number of selected component (if applicable):
krb5-server-1.9.2-6.fc16.x86_64
krb5-workstation-1.9.2-6.fc16.x86_64
freeipa-server-2.1.4-5.fc16.x86_64
389-ds-base-1.2.10-0.10.rc1.fc16.x86_64

How reproducible:
- use "kinit <user>"

Steps to Reproduce:
1. Use ldapmodify to change the value of "krbpasswordexpiration" to 20380119031408Z for "<user>"

2. Use "kinit <user>" to get a ticket

3. repeat steps 1 and 2 with a value larger than 20380119031408Z

4. repeat steps 1 and 2 with a value of 20380119031407Z or lower

Actual results:
2. Password expired.  You must change it now.

3. kinit: ASN.1 failed call to system time library while getting initial credentials

Expected results:
- like in case 4: ticket granted, klist lists the ticket

Additional info:

This is no longer reproducible. The underlying issue has been fixed, see:

0e8a329

https://fedorahosted.org/freeipa/ticket/3312

I do not think that the real issue is fixed, krbpasswordexpiration field in LDAP still cannot have value >= 20380119031408Z.

We just worked around the issue and forbid such values. To fix the real issue and be able to create expiration beyond 2038, we need the underlying fixes in Kerberos KDC.

Testing on CentOS 7 (x86_64) and FreeIPA v4.2 shows this issue may have been overtaken by events, or possibly only a problem for 32-bit architectures?

I have a password policy with a maxage of 20000. I then changed my password and now have a krbPasswordExpiration of 23/04/2071 12:00:32 PM (20710423023032Z).

I can perform a kdestroy and kinit for this user. Also restarted all IPA services and tried again. The KDC appears to support passwords with expirations beyond 2038 now.
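The value in the ticket title is the point where a signed 32-bit time_t overflows (2^31 seconds after the Unix epoch). The following added check, which is not FreeIPA or MIT Kerberos code, converts LDAP GeneralizedTime strings to epoch seconds and flags any expiration a 32-bit KDC cannot represent, which is the decision the "forbid such values" workaround has to make; the sample values are the ones quoted in this ticket, and the classification labels are constructed from the behaviour the report describes.

```python
from datetime import datetime, timezone

# 2**31 seconds after the Unix epoch is the first instant a signed 32-bit
# time_t cannot hold; rendered as GeneralizedTime it is 20380119031408Z.
TIME_T32_LIMIT = 2 ** 31  # 2147483648

# LDAP GeneralizedTime as stored in krbPasswordExpiration (UTC, no fraction).
GT_FORMAT = "%Y%m%d%H%M%SZ"


def generalized_time_to_epoch(value: str) -> int:
    """Parse a 'YYYYMMDDhhmmssZ' string into Unix seconds."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"expected YYYYMMDDhhmmssZ, got {value!r}")
    dt = datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def epoch_to_generalized_time(seconds: int) -> str:
    """Inverse of the above; shows where the 2038 boundary value comes from."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(GT_FORMAT)


def fits_32bit_time_t(value: str) -> bool:
    """True if a KDC using a 32-bit time_t can represent this expiration."""
    return generalized_time_to_epoch(value) < TIME_T32_LIMIT


def classify(value: str) -> str:
    """Map a krbPasswordExpiration value to the outcome reported in the ticket.

    Labels are constructed for this example, not names used by Kerberos.
    """
    secs = generalized_time_to_epoch(value)
    if secs < TIME_T32_LIMIT:
        return "ok"                  # step 4: ticket granted
    if secs == TIME_T32_LIMIT:
        return "treated-as-expired"  # step 2: "Password expired" prompt
    return "asn1-error"              # step 3: ASN.1 system time failure


if __name__ == "__main__":
    # Constructed sample: the boundary values from the report plus the
    # 2071 expiration quoted in the last comment.
    for v in ("20380119031407Z", "20380119031408Z",
              "20380119031409Z", "20710423023032Z"):
        print(v, generalized_time_to_epoch(v), classify(v))
```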

a year ago

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: Tickets Deferred
