Support rejected passwords during password change
Issue description

Change password old->new->old. kinit says something like:

Password change rejected: The password must include numbers or symbols. Don't include any part of your name in the password. The password must contain at least 7 characters. The password must be different from the previous 24 passwords. The password can only be changed once a day.. Please try again.

Support this in authpolicyd and in the UI.

Note: Right now, authpolicyd returns ERROR_PASSWORD_EXPIRED, so Chrome just goes to the pw change screen again without displaying a proper error message.

2017-08-07T12:38:34.214993+00:00 INFO authpolicyd[3752]: Executing /usr/bin/kinit '<USER_<REALM>MON_NAME>@<REALM>' '-l' '1d' '-r' '7d'
2017-08-07T12:38:34.370670+00:00 INFO authpolicyd[3752]: libminijail[2]: child process 29 exited with status 1
2017-08-07T12:38:34.370827+00:00 INFO authpolicyd[3752]: /usr/bin/kinit stdout:
2017-08-07T12:38:34.370852+00:00 INFO authpolicyd[3752]: Password for <USER_<REALM>MON_NAME>@<REALM>:
2017-08-07T12:38:34.370870+00:00 INFO authpolicyd[3752]: Password expired. You must change it now.
2017-08-07T12:38:34.370887+00:00 INFO authpolicyd[3752]: Enter new password:
2017-08-07T12:38:34.370904+00:00 INFO authpolicyd[3752]: Enter it again:
2017-08-07T12:38:34.370923+00:00 INFO authpolicyd[3752]: Password change rejected: The password must include numbers or symbols. Don't include any part of your name in the password. The password must contain at least 7 characters. The password must be different from the previous 24 passwords. The password can only be changed once a day.. Please try again.
2017-08-07T12:38:34.370942+00:00 INFO authpolicyd[3752]: Enter new password:
2017-08-07T12:38:34.370976+00:00 INFO authpolicyd[3752]: /usr/bin/kinit stderr: kinit: Cannot read password while getting initial credentials#012
2017-08-07T12:38:34.370998+00:00 INFO authpolicyd[3752]: Exit code: 1
2017-08-07T12:38:34.372175+00:00 INFO authpolicyd[3752]: Kinit trace:
2017-08-07T12:38:34.372208+00:00 INFO authpolicyd[3752]: [29] 1502109514.221126: Getting initial credentials for <USER_<REALM>MON_NAME>@<REALM>
2017-08-07T12:38:34.372226+00:00 INFO authpolicyd[3752]: [29] 1502109514.224736: Sending request (183 bytes) to <REALM>
2017-08-07T12:38:34.372244+00:00 INFO authpolicyd[3752]: [29] 1502109514.224807: Resolving hostname 35.187.70.179
2017-08-07T12:38:34.372301+00:00 INFO authpolicyd[3752]: [29] 1502109514.224920: Sending initial UDP request to dgram 35.187.70.179:88
2017-08-07T12:38:34.372331+00:00 INFO authpolicyd[3752]: [29] 1502109514.240283: Received answer (192 bytes) from dgram 35.187.70.179:88
2017-08-07T12:38:34.372351+00:00 INFO authpolicyd[3752]: [29] 1502109514.242339: Response was not from master KDC
2017-08-07T12:38:34.372370+00:00 INFO authpolicyd[3752]: [29] 1502109514.242383: Received error from KDC: -1765328359/Additional pre-authentication required
2017-08-07T12:38:34.372388+00:00 INFO authpolicyd[3752]: [29] 1502109514.242429: Processing preauth types: 16, 15, 19, 2
2017-08-07T12:38:34.372406+00:00 INFO authpolicyd[3752]: [29] 1502109514.242445: Selected etype info: etype aes256-cts, salt "<REALM><USER_<REALM>MON_NAME>", params ""
2017-08-07T12:38:34.372423+00:00 INFO authpolicyd[3752]: [29] 1502109514.242468: PKINIT client has no configured identity; giving up
2017-08-07T12:38:34.372440+00:00 INFO authpolicyd[3752]: [29] 1502109514.242483: PKINIT client has no configured identity; giving up
2017-08-07T12:38:34.372458+00:00 INFO authpolicyd[3752]: [29] 1502109514.242493: Preauth module pkinit (16) (real) returned: 22/Invalid argument
2017-08-07T12:38:34.372475+00:00 INFO authpolicyd[3752]: [29] 1502109514.242500: PKINIT client has no configured identity; giving up
2017-08-07T12:38:34.372493+00:00 INFO authpolicyd[3752]: [29] 1502109514.242504: Preauth module pkinit (14) (real) returned: 22/Invalid argument
2017-08-07T12:38:34.372509+00:00 INFO authpolicyd[3752]: [29] 1502109514.251633: AS key obtained for encrypted timestamp: aes256-cts/B8B2
2017-08-07T12:38:34.372527+00:00 INFO authpolicyd[3752]: [29] 1502109514.251680: Encrypted timestamp (for 1502109514.999446): plain 301AA011180F32303137303830373132333833345AA10502030F4016, encrypted 31778591D9B22EF058BF61E1F70F0D1EC64912BB11773946863279AE074D7DAD30470DE92A9934AC7044B6268EA2E5ADBFF42CB43628A9EB
2017-08-07T12:38:34.372545+00:00 INFO authpolicyd[3752]: [29] 1502109514.251692: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
2017-08-07T12:38:34.372562+00:00 INFO authpolicyd[3752]: [29] 1502109514.251695: Produced preauth for next request: 2
2017-08-07T12:38:34.372580+00:00 INFO authpolicyd[3752]: [29] 1502109514.251710: Sending request (262 bytes) to <REALM>
2017-08-07T12:38:34.372597+00:00 INFO authpolicyd[3752]: [29] 1502109514.251718: Resolving hostname 35.187.70.179
2017-08-07T12:38:34.372620+00:00 INFO authpolicyd[3752]: [29] 1502109514.251814: Sending initial UDP request to dgram 35.187.70.179:88
2017-08-07T12:38:34.372637+00:00 INFO authpolicyd[3752]: [29] 1502109514.267457: Received answer (134 bytes) from dgram 35.187.70.179:88
2017-08-07T12:38:34.372653+00:00 INFO authpolicyd[3752]: [29] 1502109514.269376: Response was not from master KDC
2017-08-07T12:38:34.372670+00:00 INFO authpolicyd[3752]: [29] 1502109514.269404: Received error from KDC: -1765328361/Password has expired
2017-08-07T12:38:34.372688+00:00 INFO authpolicyd[3752]: [29] 1502109514.269424: Preauth tryagain input types: 16, 14, 19, 2
2017-08-07T12:38:34.372704+00:00 INFO authpolicyd[3752]: [29] 1502109514.269434: Retrying AS request with master KDC
2017-08-07T12:38:34.372722+00:00 INFO authpolicyd[3752]: [29] 1502109514.269439: Getting initial credentials for <USER_<REALM>MON_NAME>@<REALM>
2017-08-07T12:38:34.372738+00:00 INFO authpolicyd[3752]: [29] 1502109514.269471: Sending request (183 bytes) to <REALM> (master)
2017-08-07T12:38:34.372754+00:00 INFO authpolicyd[3752]: [29] 1502109514.271391: Principal expired; getting changepw ticket
2017-08-07T12:38:34.372770+00:00 INFO authpolicyd[3752]: [29] 1502109514.271406: Getting initial credentials for <USER_<REALM>MON_NAME>@<REALM>
2017-08-07T12:38:34.372785+00:00 INFO authpolicyd[3752]: [29] 1502109514.271430: Setting initial creds service to kadmin/changepw
2017-08-07T12:38:34.372950+00:00 INFO authpolicyd[3752]: [29] 1502109514.271455: Sending request (153 bytes) to <REALM>
2017-08-07T12:38:34.373053+00:00 INFO authpolicyd[3752]: [29] 1502109514.271462: Resolving hostname 35.187.70.179
2017-08-07T12:38:34.373093+00:00 INFO authpolicyd[3752]: [29] 1502109514.271545: Sending initial UDP request to dgram 35.187.70.179:88
2017-08-07T12:38:34.373125+00:00 INFO authpolicyd[3752]: [29] 1502109514.287155: Received answer (183 bytes) from dgram 35.187.70.179:88
2017-08-07T12:38:34.373154+00:00 INFO authpolicyd[3752]: [29] 1502109514.288960: Response was not from master KDC
2017-08-07T12:38:34.373188+00:00 INFO authpolicyd[3752]: [29] 1502109514.288987: Received error from KDC: -1765328359/Additional pre-authentication required
2017-08-07T12:38:34.373221+00:00 INFO authpolicyd[3752]: [29] 1502109514.289017: Processing preauth types: 16, 15, 19, 2
2017-08-07T12:38:34.373288+00:00 INFO authpolicyd[3752]: [29] 1502109514.289025: Selected etype info: etype aes256-cts, salt "<REALM><USER_<REALM>MON_NAME>", params ""
2017-08-07T12:38:34.373360+00:00 INFO authpolicyd[3752]: [29] 1502109514.289042: PKINIT client has no configured identity; giving up
2017-08-07T12:38:34.373406+00:00 INFO authpolicyd[3752]: [29] 1502109514.289055: PKINIT client has no configured identity; giving up
2017-08-07T12:38:34.373441+00:00 INFO authpolicyd[3752]: [29] 1502109514.289063: Preauth module pkinit (16) (real) returned: 22/Invalid argument
2017-08-07T12:38:34.373472+00:00 INFO authpolicyd[3752]: [29] 1502109514.289072: PKINIT client has no configured identity; giving up
2017-08-07T12:38:34.373502+00:00 INFO authpolicyd[3752]: [29] 1502109514.289076: Preauth module pkinit (14) (real) returned: 22/Invalid argument
2017-08-07T12:38:34.373531+00:00 INFO authpolicyd[3752]: [29] 1502109514.301759: AS key obtained for encrypted timestamp: aes256-cts/B8B2
2017-08-07T12:38:34.373564+00:00 INFO authpolicyd[3752]: [29] 1502109514.301817: Encrypted timestamp (for 1502109514.50841): plain 301AA011180F32303137303830373132333833345AA105020300C699, encrypted 83FE5CB934D5F9A1C50B14C5ADD4C86485A78C25E191B39A54E967FD5C2329E53ADB8DD74255A0C491438C660A979BE1336D6A9F19F72908
2017-08-07T12:38:34.373597+00:00 INFO authpolicyd[3752]: [29] 1502109514.301831: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
2017-08-07T12:38:34.373630+00:00 INFO authpolicyd[3752]: [29] 1502109514.301836: Produced preauth for next request: 2
2017-08-07T12:38:34.373663+00:00 INFO authpolicyd[3752]: [29] 1502109514.301855: Sending request (231 bytes) to <REALM>
2017-08-07T12:38:34.373694+00:00 INFO authpolicyd[3752]: [29] 1502109514.301866: Resolving hostname 35.187.70.179
2017-08-07T12:38:34.373728+00:00 INFO authpolicyd[3752]: [29] 1502109514.301976: Sending initial UDP request to dgram 35.187.70.179:88
2017-08-07T12:38:34.373761+00:00 INFO authpolicyd[3752]: [29] 1502109514.317720: Received answer (97 bytes) from dgram 35.187.70.179:88
2017-08-07T12:38:34.373791+00:00 INFO authpolicyd[3752]: [29] 1502109514.319761: Response was not from master KDC
2017-08-07T12:38:34.373816+00:00 INFO authpolicyd[3752]: [29] 1502109514.319797: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
2017-08-07T12:38:34.373834+00:00 INFO authpolicyd[3752]: [29] 1502109514.319806: Request or response is too big for UDP; retrying with TCP
2017-08-07T12:38:34.373850+00:00 INFO authpolicyd[3752]: [29] 1502109514.319813: Sending request (231 bytes) to <REALM> (tcp only)
2017-08-07T12:38:34.373866+00:00 INFO authpolicyd[3752]: [29] 1502109514.319824: Resolving hostname 35.187.70.179
2017-08-07T12:38:34.373884+00:00 INFO authpolicyd[3752]: [29] 1502109514.319924: Initiating TCP connection to stream 35.187.70.179:88
2017-08-07T12:38:34.373900+00:00 INFO authpolicyd[3752]: [29] 1502109514.334825: Sending TCP request to stream 35.187.70.179:88
2017-08-07T12:38:34.373918+00:00 INFO authpolicyd[3752]: [29] 1502109514.349856: Received answer (1560 bytes) from stream 35.187.70.179:88
2017-08-07T12:38:34.373935+00:00 INFO authpolicyd[3752]: [29] 1502109514.349900: Terminating TCP connection to stream 35.187.70.179:88
2017-08-07T12:38:34.373951+00:00 INFO authpolicyd[3752]: [29] 1502109514.352017: Response was not from master KDC
2017-08-07T12:38:34.373968+00:00 INFO authpolicyd[3752]: [29] 1502109514.352124: Processing preauth types: 19
2017-08-07T12:38:34.373986+00:00 INFO authpolicyd[3752]: [29] 1502109514.352145: Selected etype info: etype aes256-cts, salt "<REALM><USER_<REALM>MON_NAME>", params ""
2017-08-07T12:38:34.374003+00:00 INFO authpolicyd[3752]: [29] 1502109514.352161: Produced preauth for next request: (empty)
2017-08-07T12:38:34.374020+00:00 INFO authpolicyd[3752]: [29] 1502109514.352196: AS key determined by preauth: aes256-cts/B8B2
2017-08-07T12:38:34.374038+00:00 INFO authpolicyd[3752]: [29] 1502109514.352323: Decrypted AS reply; session key is: aes256-cts/17E2
2017-08-07T12:38:34.374055+00:00 INFO authpolicyd[3752]: [29] 1502109514.352359: FAST negotiation: unavailable
2017-08-07T12:38:34.374072+00:00 INFO authpolicyd[3752]: [29] 1502109514.352433: Attempting password change; 3 tries remaining
2017-08-07T12:38:34.374090+00:00 INFO authpolicyd[3752]: [29] 1502109514.352620: Creating authenticator for <USER_<REALM>MON_NAME>@<REALM> -> kadmin/changepw@<REALM>, seqnum 0, subkey aes256-cts/946C, session key aes256-cts/17E2
2017-08-07T12:38:34.374109+00:00 INFO authpolicyd[3752]: [29] 1502109514.352799: Resolving hostname 35.187.70.179
2017-08-07T12:38:34.374127+00:00 INFO authpolicyd[3752]: [29] 1502109514.353144: Sending initial UDP request to dgram 35.187.70.179:464
2017-08-07T12:38:34.374145+00:00 INFO authpolicyd[3752]: [29] 1502109514.369197: Received answer (203 bytes) from dgram 35.187.70.179:464
2017-08-07T12:38:34.374163+00:00 INFO authpolicyd[3752]: [29] 1502109514.369353: Read AP-REP, time 1502109514.352632, subkey (null), seqnum 0
2017-08-07T12:38:34.374180+00:00 INFO authpolicyd[3752]: [29] 1502109514.369426: Attempting password change; 2 tries remaining
2017-08-07T12:38:34.374234+00:00 ERR authpolicyd[3752]: kinit failed - password expired
2017-08-07T12:38:34.374485+00:00 INFO authpolicyd[3752]: AuthenticateUser failed with code 6
Aug 7 2017
Aug 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/system_api/+/486221f0463277ea16116128c0cd91c3180077f5

commit 486221f0463277ea16116128c0cd91c3180077f5
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Aug 08 17:09:12 2017

authpolicy: Add error code for rejected passwords

To be returned by authpolicyd if an Active Directory user entered a password on the password change screen that got rejected (e.g. too short, same as a previous password etc.), see CL:603854.

BUG= chromium:752919
TEST=cros_run_unit_tests --board=chell --packages authpolicy

Change-Id: Id669a5b7cd0ae0a02de8b92f709b435be3bf60c1
Reviewed-on: https://chromium-review.googlesource.com/603650
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Dan Erat <derat@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/486221f0463277ea16116128c0cd91c3180077f5/dbus/authpolicy/active_directory_info.proto
Aug 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/497271a050a4dd0c8afc0e6aa5389a26c54f6568

commit 497271a050a4dd0c8afc0e6aa5389a26c54f6568
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Aug 08 21:56:12 2017

authpolicy: Detect rejected passwords

Detects when a password is rejected during the password change flow and returns a proper error code. To be used in Chrome to display a proper error message.

CQ-DEPEND=CL:603650
BUG= chromium:752919
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: Icaa4917bf4480ecb5d571055c8cf4288668f028d
Reviewed-on: https://chromium-review.googlesource.com/603854
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/497271a050a4dd0c8afc0e6aa5389a26c54f6568/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/497271a050a4dd0c8afc0e6aa5389a26c54f6568/authpolicy/stub_common.cc
[modify] https://crrev.com/497271a050a4dd0c8afc0e6aa5389a26c54f6568/authpolicy/stub_common.h
[modify] https://crrev.com/497271a050a4dd0c8afc0e6aa5389a26c54f6568/authpolicy/stub_kinit_main.cc
[modify] https://crrev.com/497271a050a4dd0c8afc0e6aa5389a26c54f6568/authpolicy/tgt_manager.cc
Aug 9 2017
Sep 13 2017
This is fixed, right?
Sep 13 2017
Sep 19 2017
Doesn't actually work. The output looks like this:

/usr/bin/kinit stdout:
Password for user@realm:
Password expired. You must change it now.
Enter new password:
Enter it again:
Password change rejected: The password must include numbers or symbols. Don't include any part of your name in the password. The password must contain at least 7 characters. The password must be different from the previous 24 passwords. The password can only be changed once a day.. Please try again.
Enter new password:
/usr/bin/kinit stderr: kinit: Cannot read password while getting initial credentials

The code detects PASSWORD_EXPIRED before it detects PASSWORD_REJECTED.
Sep 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/39fafc8f992383edc2f0dab468211f6cad9bc3f3

commit 39fafc8f992383edc2f0dab468211f6cad9bc3f3
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Sep 19 22:42:39 2017

authpolicy: Properly detect rejected passwords

Didn't work, code still detected ERROR_PASSWORD_EXPIRED because the output looks like this:

stdout:
...
Password expired. You must change it now.
...
Password change rejected: ...
Enter new password:
stderr:
kinit: Cannot read password while getting initial credentials

The unit test had the "Password expired. You must change it now." line missing, which triggered the wrong ERROR_PASSWORD_EXPIRED, so it succeeded. This CL fixes this logic and the test.

BUG= chromium:752919
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy
Tested on device.

Change-Id: I3d4451a322578d5686574d0c0583af51c3d4f0c6
Reviewed-on: https://chromium-review.googlesource.com/672945
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/39fafc8f992383edc2f0dab468211f6cad9bc3f3/authpolicy/stub_kinit_main.cc
[modify] https://crrev.com/39fafc8f992383edc2f0dab468211f6cad9bc3f3/authpolicy/tgt_manager.cc
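The ordering defect described in this commit message and in the comment above it, as an added C++ example that is not authpolicyd's own code: a classifier run over a transcript constructed from the kinit output quoted in the bug. The error enum, the Classify* functions and both transcripts are assumptions made for the example; the real tgt_manager.cc logic is not on this page.

```cpp
#include <string>

// Outcome of classifying a kinit run. The names are illustrative: the page
// only names ERROR_PASSWORD_EXPIRED and describes the new rejected-password
// code, so this is not authpolicyd's real enum.
enum class KinitError { kSuccess, kPasswordExpired, kPasswordRejected, kUnknown };

// Transcript constructed from the kinit stdout quoted in the bug. It carries
// BOTH markers: the expiry notice first, the rejection further down, then a
// re-prompt that fails because the new password is only supplied once.
const std::string kStdoutRejected =
    "Password for user@realm: \n"
    "Password expired. You must change it now.\n"
    "Enter new password: \n"
    "Enter it again: \n"
    "Password change rejected: The password must include numbers or symbols. "
    "Please try again.\n"
    "Enter new password: \n";

// Constructed transcript for a plain expiry (no new password was supplied, so
// no change was attempted and no rejection line appears).
const std::string kStdoutExpiredOnly =
    "Password for user@realm: \n"
    "Password expired. You must change it now.\n"
    "Enter new password: \n";

static bool Contains(const std::string& text, const char* marker) {
  return text.find(marker) != std::string::npos;
}

// The ordering the bug describes: the expiry marker is tested first, so a
// rejected change (whose transcript still begins with the expiry notice) is
// reported as "expired" and Chrome silently returns to the change screen.
KinitError ClassifyExpiredFirst(const std::string& stdout_text, int exit_code) {
  if (exit_code == 0) return KinitError::kSuccess;
  if (Contains(stdout_text, "Password expired.")) return KinitError::kPasswordExpired;
  if (Contains(stdout_text, "Password change rejected:")) return KinitError::kPasswordRejected;
  return KinitError::kUnknown;
}

// Corrected ordering: the more specific marker wins. A rejection line proves
// the change flow ran, so it must be tested before the generic expiry notice.
KinitError ClassifyRejectedFirst(const std::string& stdout_text, int exit_code) {
  if (exit_code == 0) return KinitError::kSuccess;
  if (Contains(stdout_text, "Password change rejected:")) return KinitError::kPasswordRejected;
  if (Contains(stdout_text, "Password expired.")) return KinitError::kPasswordExpired;
  return KinitError::kUnknown;
}
```

The same transcript yields kPasswordExpired from the first classifier and kPasswordRejected from the second, which is exactly why a unit test missing the expiry line could not catch the bug.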
Sep 20 2017
Jan 22 2018
Jan 23 2018
Apr 6 2018
Verified fixed, Chrome detects when a password is rejected during the password change for an Active Directory user and displays a proper error message (see attached screenshot).

Chrome OS: 10452.45.0
Chrome: 66.0.3359.84
Device: Robo360
Comment 1 by ljusten@chromium.org, Aug 7 2017