Skip to content

GitLab

Open
Created by Bugzilla@bugzilla-migration💬Reporter

Incorrect notification when account locked in AD

Submitted by Bojan Smojver

Link to original bug (#572246)

Description

Please describe the problem: I bumped into this one when my AD account got locked and krb5-auth-dialog was about to renew the credentials. Because the account was locked, the ticket was not renewed. However, krb5-auth-dialog still said "Your Kerberos credentials have been refreshed.". I think this may be related to the fact that remaining, as calculated in ka_update_status() function from creds_expiry will still be > 0 (because the old ticket is kept).

Maybe we should also pass the status of renewal to ka_update_status(), so that we don't incorrectly notify that ticket has been renewed.

Steps to reproduce:

  1. Configure krb5 authentication against AD.
  2. Lock your account (usually, 3 successive attempts to login with wrong pwd).
  3. Do this 1/2 hour before ticket expiry and see what krb5-auth-dialog does.

Actual results: User is notified that ticket has been refreshed.

Expected results: User should be told that refresh process did not end successfully.

Does this happen every time? Yes.

Other information: