Web lists-archives.com

Re: [Samba] heidmal to mit adminstrator password expired

On Thu, 2018-06-28 at 09:17 +0300, Alexis Pellicier via samba wrote:
> Hello,
> I'm using samba as active directory with heidmal kerberos. I would like to
> switch to MIT kerberos as this is the implementation my distrib has chosen.
> I've made my kdc.conf according to these instructions:
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> But I can't authenticate it seems all my password are expired.
> kinit administrator@xxxxxxxxx
> Password for administrator@xxxxxxxxx
> Password expired.  You must change it now.
> But I can't change it:
> kinit: Password has expired while getting initial credentials
> Here is the logs of this action:
> Jun 28 09:00:08  krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23
> 25 26}) CLIENT KEY EXPIRED: administrator@xxxxxxxxx for
> krbtgt/SAMBA.DOM@xxxxxxxxx, Password has expired

> I 'm not sure but maybe if I could reset the admin password it could help?
> Is there any way of doing that?

This is not the first report I have of this.  Sadly I don't know what
is going on, and the MIT KDC backend for Samba is new and may still
have issues. 

I suggest just using the default Heimdal one for now, and filing a bug
so it can be investigated.

Specifically, you are not expected to take any extra steps to use the
MIT backend (after a re-compile with a compatible MIT krb5), so by
definition this is a bug on our side. 

I've CC'ed Andreas, the lead developer of the MIT KDC feature, perhaps
he can provide some more enlightenment. 


Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba