Issue #2496: krbpasswordexpiration field in LDAP can not have value >= 20380119031408Z - freeipa

freeipa

#2496 krbpasswordexpiration field in LDAP can not have value >= 20380119031408Z

Opened 12 years ago by dpal. Modified 7 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=797333 (Red Hat Enterprise Linux 6)

+++ This bug was initially created as a clone of Bug #796641 +++

Description of problem:
kinit fails with the message:

kinit: ASN.1 failed call to system time library while getting initial
credentials

Or (krbpasswordexpiration == 20380119031408Z) tels you to change your password:
Password expired.  You must change it now.
Enter new password:



Version-Release number of selected component (if applicable):
krb5-server-1.9.2-6.fc16.x86_64
krb5-workstation-1.9.2-6.fc16.x86_64
freeipa-server-2.1.4-5.fc16.x86_64
389-ds-base-1.2.10-0.10.rc1.fc16.x86_64

How reproducible:
-
- use "kinit <user>"



Steps to Reproduce:
1.
Use ldapmodify to change the value of "krbpasswordexpiration" to
20380119031408Z "<user>"

2.
Use "kinit <user>" to get a ticket

3. repeat steps 1 and 2 with a value larger than 20380119031408Z

4. repeat steps 1 and 2 with a valu of 20380119031407Z or lower

Actual results:
2.
Password expired.  You must change it now.

3.
kinit: ASN.1 failed call to system time library while getting initial
credentials


Expected results:
- like in the case 4.
ticket granted, klist lists the ticket

Additional info:

tbabej commented 9 years ago

This is no longer reproducible. The underlying issue has been fixed, see:

0e8a329

https://fedorahosted.org/freeipa/ticket/3312

mkosek commented 9 years ago

I do not think that the real issue is fixed, krbpasswordexpiration field in LDAP still can not have value >= 20380119031408Z.

We just worked around the issue and forbid such values. To fix the real issue and be able to create expiration beyond 2038, we need the underlying fixes in Kerberos KDC.

jimgroffen commented 7 years ago

Testing on CentOS 7 (x86_64) and FreeIPA v4.2 shows this issue may have been overtaken by events, or possibly only a problem for 32bit architectures?

I have a password policy with a maxage of 20000. I then changed my password and now have a krbPasswordExpiration of 23/04/2071 12:00:32 PM (20710423023032Z).

I can perform a kdestroy and kinit for this user. Also restarted all IPA services and tried again. The KDC appears to support passwords with expirations beyond 2038 now.

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: Tickets Deferred

7 years ago

Metadata

Assignee

rcritten

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

Tickets Deferred

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

IPA

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=797333

tester

None

changelog

None

design

None

freeipa

Source Code

#2496 krbpasswordexpiration field in LDAP can not have value >= 20380119031408Z Opened 12 years ago by dpal. Modified 7 years ago

Close issue as:

Metadata

#2496 krbpasswordexpiration field in LDAP can not have value >= 20380119031408Z

Opened 12 years ago by dpal. Modified 7 years ago