Web lists-archives.com

Re: [Samba] heidmal to mit adminstrator password expired




On Sat, 2018-06-30 at 09:05 +1200, Andrew Bartlett via samba wrote:
> On Thu, 2018-06-28 at 09:17 +0300, Alexis Pellicier via samba wrote:
> > Hello,
> > 
> > I'm using samba as active directory with heidmal kerberos. I would like to
> > switch to MIT kerberos as this is the implementation my distrib has chosen.
> > 
> > I've made my kdc.conf according to these instructions:
> > https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> > 
> > But I can't authenticate it seems all my password are expired.
> > 
> > kinit administrator@xxxxxxxxx
> > Password for administrator@xxxxxxxxx
> > Password expired.  You must change it now.
> > 
> > But I can't change it:
> > kinit: Password has expired while getting initial credentials
> > 
> > Here is the logs of this action:
> > 
> > Jun 28 09:00:08  krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23
> > 25 26}) 192.168.1.194: CLIENT KEY EXPIRED: administrator@xxxxxxxxx for
> > krbtgt/SAMBA.DOM@xxxxxxxxx, Password has expired
> > I 'm not sure but maybe if I could reset the admin password it could help?
> > Is there any way of doing that?
> 
> This is not the first report I have of this.  Sadly I don't know what
> is going on, and the MIT KDC backend for Samba is new and may still
> have issues. 
> 
> I suggest just using the default Heimdal one for now, and filing a bug
> so it can be investigated.
> 
> Specifically, you are not expected to take any extra steps to use the
> MIT backend (after a re-compile with a compatible MIT krb5), so by
> definition this is a bug on our side. 
> 
> I've CC'ed Andreas, the lead developer of the MIT KDC feature, perhaps
> he can provide some more enlightenment. 

G'Day Alexis,

Can you please file a bug for this?  We would like to keep track of any
such issues.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba