From: petesea@bigfoot.com
Date: Sat, 26 Aug 2006 10:49:10 -0700 (Pacific Daylight Time)
Subject: KfW 3.1 beta and expired passwords
To: kfw-bugs@mit.edu

I've been testing out KfW 3.1 beta and have found a few bugs related to
expired passwords. I actually found some of these bugs in KfW 3.0, but
never quite got around to reporting them. Hopefully they can be fixed
before 3.1 is released.

1. If the passwd has expired, the "Obtain new credentials" dialog
SOMETIMES (see bug #2) shows this:

Krb5 : The password for the selected Identity has expired.
Click here to change the password

Unfortunately the "here" link takes you to the "Kerberos 5" options
dialog... as if you'd pressed the "Kerberos 5" button at the bottom of the
"Obtain new credentials" dialog. Instead it should take you to the
"Change password" dialog. At least that's what makes sense to me.

------------------------------------------------------------------

2. As I said above, the "Click here to change the password" link is only
displayed SOMETIMES. I'm not sure under which conditions it's displayed,
but it SEEMS like maybe only if the principal's password is expired when
the registry entries for the principals are first created... in other
words only the first time after KfW is installed. If the password is
changed and then expired again, the "Click here to change the password"
link will no longer be displayed.

Just noticed something... the dialog that displays the "Click here..."
message is titled "Obtain new credentials" and does NOT have a password
field.

The dialog that does NOT display the "Click here..." message is titled
"[PRINCIPAL] - New credentials" and DOES have a password field.

If the passwd is expired when KfW is first installed, then you always get
the "Obtain new credentials" dialog no matter how it's started (i.e.
triggered by some other app, via systray, via NIM Credential menu).

Upon further investigation, I've found that the following registry entry
determines which "New credentials" dialog is displayed.

HKCU\Software\MIT\NetIDMgr\KCDB\Identity\(PRINCIPAL)\Krb5Cred\PromptCache\0\Prompt

If this registry entry does NOT exist, then the "Obtain new credentials"
dialog (with "Change password" link and WITHOUT password field) is
displayed.

If this registry entry DOES exist, then the "(PRINCIPAL) - New
credentials" dialog (WITHOUT "Change password" link and WITH password
field) is displayed.

Again, what I would like to see is the "Change password" link regardless
of when or how an expired password is detected. Of course this assumes
the link itself goes to the correct "Change password" dialog (Bug #1).

------------------------------------------------------------------

3. After opening the Network Identity Manager if you go to
"Credential->Change password..." WITHOUT first selecting a credential
(even if there's only one) the "Change password..." menu item will be
grayed out. Since the "Change password" dialog contains fields for
"Username" and "Realm" why does an Identity need to be selected?

This may also be related to the "first time after KfW is installed" and/or
the "Prompt" registry entry.

------------------------------------------------------------------

4. While trying to change my password I got "Unknown error code" for
several attempts. Sometimes I got a Windows dialog that says
"netmgrid.exe" has generated errors and will be closed. After several
tries I finally realized kadmind wasn't running on the server. Shouldn't
KfW get a timeout? And couldn't it provide a better message such as
"Change password server is not responding"... or "Administrative server is
not responding".

It would be best if you could send one bug per message. That way they
can be closed separately. MIT does not currently have a Windows
developer to work on KFW. However, I will try to get the first three
items fixed before a final 3.1 release.

The fourth item really depends on what error is being returned by the
Kerberos 5 library. I suspect it actually is "Unknown error" in which
case the bug would need to be filed against Kerberos 5 and not KFW.

Jeffrey Altman

[petesea@bigfoot.com - Sat Aug 26 13:49:30 2006]:

> I've been testing out KfW 3.1 beta and have found a few bugs related to
> expired passwords. I actually found some of these bugs in KfW 3.0, but
> never quite got around to reporting them. Hopefully they can be fixed
> before 3.1 is released.
>
> 1. If the passwd has expired, the "Obtain new credentials" dialog
> SOMETIMES (see bug #2) shows this:
>
> Krb5 : The password for the selected Identity has expired.
> Click here to change the password
>
> Unfortunately the "here" link takes you to the "Kerberos 5" options
> dialog... as if you'd pressed the "Kerberos 5" button at the bottom of the
> "Obtain new credentials" dialog. Instead it should take you to the
> "Change password" dialog. At least that's what makes sense to me.
>
> ------------------------------------------------------------------
>
> 2. As I said above, the "Click here to change the password" link is only
> displayed SOMETIMES. I'm not sure under which conditions it's displayed,
> but it SEEMS like maybe only if the principal's password is expired when
> the registry entries for the principals are first created... in other
> words only the first time after KfW is installed. If the password is
> changed and then expired again, the "Click here to change the password"
> link will no longer be displayed.
>
> Just noticed something... the dialog that displays the "Click here..."
> message is titled "Obtain new credentials" and does NOT have a password
> field.
>
> The dialog that does NOT display the "Click here..." message is titled
> "[PRINCIPAL] - New credentials" and DOES have a password field.
>
> If the passwd is expired when KfW is first installed, then you always get
> the "Obtain new credentials" dialog no matter how it's started (i.e.
> triggered by some other app, via systray, via NIM Credential menu).
>
> Upon further investigation, I've found that the following registry entry
> determines which "New credentials" dialog is displayed.
>
> HKCU\Software\MIT\NetIDMgr\KCDB\Identity\(PRINCIPAL)\Krb5Cred\PromptCache\0\Prompt
>
> If this registry entry does NOT exist, then the "Obtain new credentials"
> dialog (with "Change password" link and WITHOUT password field) is
> displayed.
>
> If this registry entry DOES exist, then the "(PRINCIPAL) - New
> credentials" dialog (WITHOUT "Change password" link and WITH password
> field) is displayed.
>
> Again, what I would like to see is the "Change password" link regardless
> of when or how an expired password is detected. Of course this assumes
> the link itself goes to the correct "Change password" dialog (Bug #1).
>
> ------------------------------------------------------------------
>
> 3. After opening the Network Identity Manager if you go to
> "Credential->Change password..." WITHOUT first selecting a credential
> (even if there's only one) the "Change password..." menu item will be
> grayed out. Since the "Change password" dialog contains fields for
> "Username" and "Realm" why does an Identity need to be selected?
>
> This may also be related to the "first time after KfW is installed" and/or
> the "Prompt" registry entry.
>
> ------------------------------------------------------------------
>
> 4. While trying to change my password I got "Unknown error code" for
> several attempts. Sometimes I got a Windows dialog that says
> "netmgrid.exe" has generated errors and will be closed. After several
> tries I finally realized kadmind wasn't running on the server. Shouldn't
> KfW get a timeout? And couldn't it provide a better message such as
> "Change password server is not responding"... or "Administrative server is
> not responding".