[Pkg-sssd-devel] Bug#1033969: sssd: misinterprets MIT Kerberos password expiry

David Härdeman david at hardeman.nu
Wed Apr 5 08:55:54 BST 2023


Package: sssd
Version: 2.4.1-2
Severity: normal

I'm using a setup with OpenLDAP + MIT Kerberos on Debian Stable ("Bullseye").

In a nutshell:

$ kadmin getprinc bob
Principal: bob@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Mar 08 13:01:47 CET 2023
Password expiration date: [never]
...
$ ldapsearch -Z -x -LLL "(uid=bob)" | grep krbPasswordExpiration
krbPasswordExpiration: 19700101000000Z

IOW, pw expiration never is stored as 19700101000000Z in LDAP (with MIT Kerberos).

If I set ldap_pwd_policy = mit_kerberos in /etc/sssd/sssd.conf on test VM qtest:

$ ssh bob@qtest
...
WARNING: Your password has expired.
You must change your password now and login again!
Current Password:

This has been fixed in the upstream git repo, see:
https://github.com/SSSD/sssd/issues/6612
https://github.com/SSSD/sssd/pull/6623

I suggest that this patch be cherry-picked and added to sssd so that it can be included
in the upcoming stable release since the consequences are that users are locked out.

Cheers,
David
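To make the misinterpretation concrete: MIT Kerberos stores "password never expires" as an expiry of 0, which the LDAP backend serialises as the GeneralizedTime 19700101000000Z (the Unix epoch). A checker that simply compares that timestamp against the current time concludes the password expired in 1970 and forces a change on every login. The following is an added illustration, not code from sssd or from the bug report; the attribute name krbPasswordExpiration and the "never" value are taken from the report above, the second timestamp and the treatment of a missing attribute as "no expiry set" are constructed assumptions for the example.

```python
from datetime import datetime, timezone

# Value MIT Kerberos writes to LDAP for "Password expiration date: [never]"
# (copied from the ldapsearch output in the report).
NEVER_EXPIRES_LDAP = "19700101000000Z"
# Constructed sample of a genuinely past expiry, for contrast.
SAMPLE_EXPIRED_LDAP = "20230101120000Z"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def naive_is_expired(value, now):
    """Buggy reading: any expiry timestamp at or before 'now' means the password has expired.

    With the MIT "never" encoding this always returns True, which is the lock-out described above.
    """
    return parse_generalized_time(value) <= now


def mit_is_expired(value, now):
    """MIT Kerberos semantics: an expiry equal to the Unix epoch (0) means 'never expires'."""
    expiry = parse_generalized_time(value)
    if expiry.timestamp() == 0:
        return False
    return expiry <= now


def password_status(entry, now):
    """Classify one LDAP entry (dict of attribute -> value) as 'never', 'expired' or 'valid'.

    Assumption for this example: an entry without krbPasswordExpiration has no expiry set.
    """
    value = entry.get("krbPasswordExpiration")
    if value is None or parse_generalized_time(value).timestamp() == 0:
        return "never"
    return "expired" if parse_generalized_time(value) <= now else "valid"


if __name__ == "__main__":
    now = datetime(2023, 4, 5, 8, 55, 54, tzinfo=timezone.utc)
    bob = {"uid": "bob", "krbPasswordExpiration": NEVER_EXPIRES_LDAP}
    print("naive check says expired:", naive_is_expired(NEVER_EXPIRES_LDAP, now))
    print("MIT-aware check says expired:", mit_is_expired(NEVER_EXPIRES_LDAP, now))
    print("status for bob:", password_status(bob, now))
```

Run against the report's own value, the naive check reports the password as expired while the MIT-aware check correctly reports it as never expiring; only a real past timestamp such as the constructed SAMPLE_EXPIRED_LDAP is flagged by both.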


