The Samba-Bugzilla – Bug 14155
kpasswd fails when built with MIT Kerberos
Last modified: 2019-11-04 09:21:46 UTC
Changing password with kpasswd (e.g. net ads changetrustpw) fails when built with MIT Kerberos. This is because upstream MIT has a bug when requesting canonicalization for non-krbtgt requests. For example:
`kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM`
We need to revert the MIT part of commit 03b7e59a286896888ee2473995fc50bb2b5ce5e.
(In reply to Andreas Schneider from comment #0)
This is about commit 303b7e59a286896888ee2473995fc50bb2b5ce5e
and not 03b7e59a286896888ee2473995fc50bb2b5ce5e...
Can you be more specific on what is wrong?
Does that only happen if the service is
Is there an MIT bug report?
As discussed in MR 840, the MIT client won't allow name canonicalization in an AS exchange if the service is anything but krbtgt, see:
Per RFC 6806 it should be okay, especially since it's the client name that changed, not the server, and especially if we check PA-REQ-ENC-PA-REP in the returned encrypted padata, which MIT does (as does Heimdal upstream).
So I want to add a check in case we verified the returned PA-REQ-ENC-PA-REP to allow canonicalization even for non-krbtgt servers. I'll update once I submit a PR upstream.
Upstream PR: https://github.com/krb5/krb5/pull/986
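A simplified model of the client-side acceptance rule discussed in the comments above, added here as an illustration; it is not code from MIT krb5, Samba or the upstream PR. The struct, the function names and the canonical name `Administrator@ACME.COM` are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified view of one AS exchange (constructed model, not MIT krb5 types). */
struct as_exchange {
    const char *req_client, *rep_client; /* client name sent / returned */
    const char *req_server, *rep_server; /* service name sent / returned */
    bool canonicalize;        /* client asked for canonicalization (kinit -C) */
    bool enc_pa_rep_verified; /* PA-REQ-ENC-PA-REP in encrypted padata verified */
};

static bool is_krbtgt(const char *p) { return strncmp(p, "krbtgt/", 7) == 0; }
static bool same(const char *a, const char *b) { return strcmp(a, b) == 0; }

/* Rule described in the thread: name changes accepted only for krbtgt services. */
bool accept_krbtgt_only(const struct as_exchange *x)
{
    if (same(x->req_client, x->rep_client) && same(x->req_server, x->rep_server))
        return true;
    return x->canonicalize && is_krbtgt(x->req_server) && is_krbtgt(x->rep_server);
}

/* Proposed rule: a changed client name is also accepted for other services,
 * provided the server name is unchanged and PA-REQ-ENC-PA-REP was verified. */
bool accept_proposed(const struct as_exchange *x)
{
    if (accept_krbtgt_only(x))
        return true;
    return x->canonicalize && x->enc_pa_rep_verified &&
           same(x->req_server, x->rep_server);
}

int main(void)
{
    /* Constructed reply for the kinit example; the canonical name is assumed. */
    struct as_exchange x = { "aDmInIsTrAtOr@ACME.COM", "Administrator@ACME.COM",
                             "kadmin/changepw@ACME.COM", "kadmin/changepw@ACME.COM",
                             true, true };
    printf("krbtgt-only rule: %s\n", accept_krbtgt_only(&x) ? "accept" : "reject");
    printf("proposed rule:    %s\n", accept_proposed(&x) ? "accept" : "reject");
    return 0;
}
```

Under the krbtgt-only rule the kadmin/changepw request is rejected because the returned client name differs; the proposed rule accepts it only while the PA-REQ-ENC-PA-REP check has succeeded and the server name is unchanged.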
Created attachment 15532
patch for 4.11
Created attachment 15533
patch for 4.10
Created attachment 15534
patch for 4.10
Both patches do not apply on current test branches.
Re-assigning to Andreas.
Karolin, they are already applied on both branches ...
Metze pushed them.
commit 3ad42536f873f21cc2db774ca3ea694ca7142253 (HEAD -> v4-10-test, origin/v4-10-test)
Author: Andreas Schneider <firstname.lastname@example.org>
AuthorDate: Wed Oct 9 16:32:47 2019 +0200
Commit: Stefan Metzmacher <email@example.com>
CommitDate: Wed Oct 16 16:43:59 2019 +0000
FYI the upstream MIT PR 986 has landed so the fix will be in v1.18 once released.