[Freeipa-users] resetting an admin account.

Steven Jones Steven.Jones at vuw.ac.nz
Tue Jul 31 21:04:26 UTC 2012


As it turns out I need to use it.

:/

===========
[root at vuwunicoipam001 log]# kinit admjonesst1
Password for admjonesst1 at ODS.VUW.AC.NZ: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit: Password change failed while getting initial credentials
[root at vuwunicoipam001 log]# KRB5_TRACE=/dev/stdout kinit admjonesst1
[14664] 1343768388.807457: Getting initial credentials for admjonesst1 at ODS.VUW.AC.NZ
[14664] 1343768388.812580: Sending request (188 bytes) to ODS.VUW.AC.NZ
[14664] 1343768388.827875: Sending initial UDP request to dgram 10.70.3.12:88
[14664] 1343768388.832204: Received answer from dgram 10.70.3.12:88
[14664] 1343768388.832305: Response was from master KDC
[14664] 1343768388.832336: Received error from KDC: -1765328361/Password has expired
[14664] 1343768388.832362: Principal expired; getting changepw ticket
[14664] 1343768388.832376: Getting initial credentials for admjonesst1 at ODS.VUW.AC.NZ
[14664] 1343768388.832426: Setting initial creds service to 
[14664] 1343768388.832467: Sending request (182 bytes) to ODS.VUW.AC.NZ (master)
[14664] 1343768388.832580: Sending initial UDP request to dgram 10.70.3.12:88
[14664] 1343768388.836464: Received answer from dgram 10.70.3.12:88
[14664] 1343768388.836495: Received error from KDC: -1765328359/Additional pre-authentication required
[14664] 1343768388.836531: Processing preauth types: 2, 136, 19, 133
[14664] 1343768388.836558: Selected etype info: etype aes256-cts, salt "02(``#Z='yW]W(>;", params ""
[14664] 1343768388.836565: Received cookie: MIT
Password for admjonesst1 at ODS.VUW.AC.NZ: 
[14664] 1343768395.526371: AS key obtained for encrypted timestamp: aes256-cts/6F6C
[14664] 1343768395.526476: Encrypted timestamp (for 1343768395.526392): plain 301AA011180F32303132303733313230353935355AA1050203080838, encrypted 240EBF827652358C2E32722C8649CAFD5755F5A3F4F766B1379D50B3192D1AD65B99AD69D4065E33F2FC6C13EA370C7B62F7E61C57A2D75D
[14664] 1343768395.526516: Produced preauth for next request: 133, 2
[14664] 1343768395.526548: Sending request (277 bytes) to ODS.VUW.AC.NZ (master)
[14664] 1343768395.526902: Sending initial UDP request to dgram 10.70.3.12:88
[14664] 1343768395.603247: Received answer from dgram 10.70.3.12:88
[14664] 1343768395.603334: Processing preauth types: 19
[14664] 1343768395.603349: Selected etype info: etype aes256-cts, salt "02(``#Z='yW]W(>;", params ""
[14664] 1343768395.603358: Produced preauth for next request: (empty)
[14664] 1343768395.603373: AS key determined by preauth: aes256-cts/6F6C
[14664] 1343768395.603492: Decrypted AS reply; session key is: aes256-cts/54E9
[14664] 1343768395.603526: FAST negotiation: available
[14664] 1343768395.603575: Attempting password change; 3 tries remaining
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[14664] 1343768420.820829: Creating authenticator for admjonesst1 at ODS.VUW.AC.NZ -> kadmin/changepw at ODS.VUW.AC.NZ, seqnum 0, subkey aes256-cts/73EB, session key aes256-cts/54E9
[14664] 1343768420.828369: Sending initial UDP request to dgram 10.70.3.12:464
[14664] 1343768420.841384: Received answer from dgram 10.70.3.12:464
[14664] 1343768420.841509: Read AP-REP, time 1343768420.820855, subkey aes256-cts/73EB, seqnum 1037613661
kinit: Password change failed while getting initial credentials
[root at vuwunicoipam001 log
===============

So let's re-set the password again and re-try,

===========
[root at vuwunicoipam001 log]# KRB5_TRACE=/dev/stdout kinit admjonesst1
[15004] 1343768598.486261: Getting initial credentials for admjonesst1 at ODS.VUW.AC.NZ
[15004] 1343768598.491785: Sending request (188 bytes) to ODS.VUW.AC.NZ
[15004] 1343768598.507798: Sending initial UDP request to dgram 10.70.3.12:88
[15004] 1343768598.512326: Received answer from dgram 10.70.3.12:88
[15004] 1343768598.512429: Response was from master KDC
[15004] 1343768598.512460: Received error from KDC: -1765328361/Password has expired
[15004] 1343768598.512486: Principal expired; getting changepw ticket
[15004] 1343768598.512499: Getting initial credentials for admjonesst1 at ODS.VUW.AC.NZ
[15004] 1343768598.512549: Setting initial creds service to 
[15004] 1343768598.512591: Sending request (183 bytes) to ODS.VUW.AC.NZ (master)
[15004] 1343768598.512828: Sending initial UDP request to dgram 10.70.3.12:88
[15004] 1343768598.516670: Received answer from dgram 10.70.3.12:88
[15004] 1343768598.516701: Received error from KDC: -1765328359/Additional pre-authentication required
[15004] 1343768598.516738: Processing preauth types: 2, 136, 19, 133
[15004] 1343768598.516764: Selected etype info: etype aes256-cts, salt "cI7u&FhS\SFGR:Wx", params ""
[15004] 1343768598.516772: Received cookie: MIT
Password for admjonesst1 at ODS.VUW.AC.NZ: 
[15004] 1343768603.746087: AS key obtained for encrypted timestamp: aes256-cts/1392
[15004] 1343768603.746181: Encrypted timestamp (for 1343768603.746110): plain 301AA011180F32303132303733313231303332335AA10502030B627E, encrypted 32717E12866758441D84E1016F92B9ABF31CEACF41021755BDBDEFA410426877A9A489112B99C90F48140DC5308F5ED827496225AD0B24A0
[15004] 1343768603.746204: Produced preauth for next request: 133, 2
[15004] 1343768603.746234: Sending request (278 bytes) to ODS.VUW.AC.NZ (master)
[15004] 1343768603.746415: Sending initial UDP request to dgram 10.70.3.12:88
[15004] 1343768603.876746: Received answer from dgram 10.70.3.12:88
[15004] 1343768603.876834: Processing preauth types: 19
[15004] 1343768603.876850: Selected etype info: etype aes256-cts, salt "cI7u&FhS\SFGR:Wx", params ""
[15004] 1343768603.876860: Produced preauth for next request: (empty)
[15004] 1343768603.876874: AS key determined by preauth: aes256-cts/1392
[15004] 1343768603.876973: Decrypted AS reply; session key is: aes256-cts/8B5A
[15004] 1343768603.877006: FAST negotiation: available
[15004] 1343768603.877055: Attempting password change; 3 tries remaining
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[15004] 1343768621.280853: Creating authenticator for admjonesst1 at ODS.VUW.AC.NZ -> kadmin/changepw at ODS.VUW.AC.NZ, seqnum 0, subkey aes256-cts/6376, session key aes256-cts/8B5A
[15004] 1343768621.281181: Sending initial UDP request to dgram 10.70.3.12:464
[15004] 1343768621.293062: Received answer from dgram 10.70.3.12:464
[15004] 1343768621.293168: Read AP-REP, time 1343768621.280874, subkey aes256-cts/6376, seqnum 312851864
kinit: Password change failed while getting initial credentials
[root at vuwunicoipam001 log]# 
==========

Still fails..........

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Martin Kosek [mkosek at redhat.com]
Sent: Tuesday, 31 July 2012 7:12 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] resetting an admin account.

On 07/27/2012 12:48 AM, Steven Jones wrote:
> I have tried to reset my admin password (admjonesst1) using the admin account to a temp password,
>
> So I run a kinit admjonesst1 to reset it to a perm one and I get,
>
> ========
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$
> ========
>

Would a kinit with a trace turned on show anything interesting?

# KRB5_TRACE=/dev/stdout kinit admjonesst1

It may get us closer to the root cause of this issue.

Martin
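
An added example, not part of the original thread and not FreeIPA or MIT Kerberos code: a small Python triage of KRB5_TRACE output that reports how far a kinit password change got, separating "no answer from the kpasswd port" from "kpasswd answered and the change still failed", the pattern in the traces above. The sample traces, the 192.0.2.10 address and the stage labels are constructed for this example.

```python
import re

# Trace line format seen in the thread: "[pid] epoch.usec: message"
LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
KDC_ERR = re.compile(r"Received error from KDC: (-?\d+)/(.*)")
UDP = re.compile(r"(Sending initial UDP request to|Received answer from) dgram ([\d.]+):(\d+)")

def triage(trace: str) -> dict:
    """Summarise how far a kinit password-change attempt got."""
    r = {"kdc_errors": [], "as_reply": False, "sent": set(), "answered": set(), "failure": None}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            # Untimestamped lines are kinit's own prompts and its final error.
            if raw.startswith("kinit:"):
                r["failure"] = raw.split(":", 1)[1].strip()
            continue
        msg = m.group(3)
        if (e := KDC_ERR.search(msg)):
            r["kdc_errors"].append((int(e.group(1)), e.group(2)))
        elif msg.startswith("Decrypted AS reply"):
            r["as_reply"] = True
        elif (u := UDP.search(msg)):
            key = "sent" if u.group(1).startswith("Sending") else "answered"
            r[key].add(int(u.group(3)))
    if r["failure"] is None:
        r["stage"] = "no failure reported"
    elif not r["as_reply"]:
        r["stage"] = "AS exchange on port 88 did not complete"
    elif 464 in r["sent"] and 464 not in r["answered"]:
        r["stage"] = "kpasswd request sent to port 464, no answer"
    elif 464 in r["answered"]:
        r["stage"] = "kpasswd service answered on port 464, then the change failed"
    else:
        r["stage"] = "AS exchange completed, no kpasswd request seen"
    return r

# Constructed sample lines in the format of the traces above (documentation IP).
HEAD = """[100] 1.000001: Received error from KDC: -1765328361/Password has expired
[100] 1.000002: Sending initial UDP request to dgram 192.0.2.10:88
[100] 1.000003: Received answer from dgram 192.0.2.10:88
[100] 1.000004: Decrypted AS reply; session key is: aes256-cts/0000
[100] 1.000005: Sending initial UDP request to dgram 192.0.2.10:464
"""
ANSWERED = HEAD + "[100] 1.000006: Received answer from dgram 192.0.2.10:464\nkinit: Password change failed while getting initial credentials\n"
SILENT = HEAD + "kinit: Cannot contact any KDC for requested realm while getting initial credentials\n"

if __name__ == "__main__":
    for name, t in (("answered", ANSWERED), ("silent", SILENT)):
        print(name, "->", triage(t)["stage"])
```

Both traces in the thread fall into the "answered on port 464" stage; the client trace stops at the AP-REP and does not show why the change was refused.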





