I have configured PAM authentication to use Kerberos and can authenticate correctly with my principals using their Kerberos credentials.
I ran into trouble when I tried to create a principal with an expired password:
kadmin: addprinc +needchange test_principal
When I tried logging in (either from a VT or the graphical greeter), after correctly entering the password, I got the expected message that the password has expired and the system prompted me to create a new one. After I had done that, authentication failed with this error in the kdc.log
:
krb5kdc[...](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.200: NO PREAUTH: authtime 0, test_principal@MY.REALM for host/server.my.realm@MY.REALM, Generic error (see e-text)
and the following (not so surprising) error in /var/log/auth.log
:
pam_krb5(gdm3:auth): (user test_principal) credential verfication failed: KDC returned error string: NO PREAUTH
Some notes
- Listing the principal's attributes (via
getprinc
inkadmin.local
) shows 0 failed log in attempts - If I create the account without the
+needchange
flag, I am able to authenticate correctly. - If I add the
+needchange
flag (viamodprinc
inkadmin.local
) after the user has successfully authenticated once, I get the expected behavior; namely, the user is prompted to change their password and then their authentication succeeds. - This principal has no equivalent entry in
/etc/passwd
but is backed up by an LDAP entry. -
As suggested elsewhere, I tried creating my principal like this:
kadmin: addprinc -requires_preauth +needchange test_principal
This made no difference.
My use case
I'm migrating from an old NIS system and I want to offer continuity to my users. I would like to have them enter their old passwords but then be forced to change them to conform to stricter password policy rules I intend to enforce through Kerberos.
I am running MIT Kerberos V on Debian Wheezy.
Best Answer
I found the answer and it's a very strange one!
I used the
getprinc
command withinkadmin
to obtain the attributes of both the problem principal and a principal that was created without+needchange
and that was authenticating correctly.The difference was that the principal authenticating correctly had the
REQUIRES_PRE_AUTH
attribute set while the problem principal didn't have it, so the solution is to create the principal this way: