Alexis Pellicier
2018-Jun-28 06:17 UTC
[Samba] heidmal to mit adminstrator password expired
Hello,
I'm using samba as active directory with heidmal kerberos. I would like to
switch to MIT kerberos as this is the implementation my distrib has chosen.
I've made my kdc.conf according to these instructions:
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
But I can't authenticate it seems all my password are expired.
kinit administrator at SAMBA.DOM
Password for administrator at SAMBA.DOM
Password expired. You must change it now.
But I can't change it:
kinit: Password has expired while getting initial credentials
Here is the logs of this action:
Jun 28 09:00:08 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 192.168.1.194: CLIENT KEY EXPIRED: administrator at SAMBA.DOM for
krbtgt/SAMBA.DOM at SAMBA.DOM, Password has expired
Jun 28 09:00:08 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 192.168.1.194: NEEDED_PREAUTH: administrator at SAMBA.DOM for
kadmin/changepw at SAMBA.DOM, Additional pre-authentication required
Jun 28 09:00:11 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 192.168.1.194: ISSUE: authtime 1530165611, etypes {rep=18 tkt=23
ses=23}, administrator at SAMBA.DOM for kadmin/changepw at SAMBA.DOM
Jun 28 09:00:18 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 192.168.1.194: CLIENT KEY EXPIRED: administrator at SAMBA.DOM for
krbtgt/SAMBA.DOM at SAMBA.DOM, Password has expired
I 'm not sure but maybe if I could reset the admin password it could help?
Is there any way of doing that?
Any help welcome.
Thank you.
Andrew Bartlett
2018-Jun-29 21:05 UTC
[Samba] heidmal to mit adminstrator password expired
On Thu, 2018-06-28 at 09:17 +0300, Alexis Pellicier via samba wrote:> Hello, > > I'm using samba as active directory with heidmal kerberos. I would like to > switch to MIT kerberos as this is the implementation my distrib has chosen. > > I've made my kdc.conf according to these instructions: > https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC > > But I can't authenticate it seems all my password are expired. > > kinit administrator at SAMBA.DOM > Password for administrator at SAMBA.DOM > Password expired. You must change it now. > > But I can't change it: > kinit: Password has expired while getting initial credentials > > Here is the logs of this action: > > Jun 28 09:00:08 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23 > 25 26}) 192.168.1.194: CLIENT KEY EXPIRED: administrator at SAMBA.DOM for > krbtgt/SAMBA.DOM at SAMBA.DOM, Password has expired> I 'm not sure but maybe if I could reset the admin password it could help? > Is there any way of doing that?This is not the first report I have of this. Sadly I don't know what is going on, and the MIT KDC backend for Samba is new and may still have issues. I suggest just using the default Heimdal one for now, and filing a bug so it can be investigated. Specifically, you are not expected to take any extra steps to use the MIT backend (after a re-compile with a compatible MIT krb5), so by definition this is a bug on our side. I've CC'ed Andreas, the lead developer of the MIT KDC feature, perhaps he can provide some more enlightenment. Sorry, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2018-Jul-09 22:22 UTC
[Samba] heidmal to mit adminstrator password expired
On Sat, 2018-06-30 at 09:05 +1200, Andrew Bartlett via samba wrote:> On Thu, 2018-06-28 at 09:17 +0300, Alexis Pellicier via samba wrote: > > Hello, > > > > I'm using samba as active directory with heidmal kerberos. I would like to > > switch to MIT kerberos as this is the implementation my distrib has chosen. > > > > I've made my kdc.conf according to these instructions: > > https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC > > > > But I can't authenticate it seems all my password are expired. > > > > kinit administrator at SAMBA.DOM > > Password for administrator at SAMBA.DOM > > Password expired. You must change it now. > > > > But I can't change it: > > kinit: Password has expired while getting initial credentials > > > > Here is the logs of this action: > > > > Jun 28 09:00:08 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23 > > 25 26}) 192.168.1.194: CLIENT KEY EXPIRED: administrator at SAMBA.DOM for > > krbtgt/SAMBA.DOM at SAMBA.DOM, Password has expired > > I 'm not sure but maybe if I could reset the admin password it could help? > > Is there any way of doing that? > > This is not the first report I have of this. Sadly I don't know what > is going on, and the MIT KDC backend for Samba is new and may still > have issues. > > I suggest just using the default Heimdal one for now, and filing a bug > so it can be investigated. > > Specifically, you are not expected to take any extra steps to use the > MIT backend (after a re-compile with a compatible MIT krb5), so by > definition this is a bug on our side. > > I've CC'ed Andreas, the lead developer of the MIT KDC feature, perhaps > he can provide some more enlightenment.G'Day Alexis, Can you please file a bug for this? We would like to keep track of any such issues. Thanks, Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Possibly Parallel Threads
- heidmal to mit adminstrator password expired
- macOS 10.13.6 error joining to Samba 4.8.3
- kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
- kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
- Samba 4 AD DC on Fedora, problem with GPOs and denied security for machines