  1. Percona Server for MySQL
  2. PS-6023

Percona server exits after a Kerberos password change after the password has expired.

    Details

      Description

      If pam_krb5 is configured to allow the user to change the password when it has expired, Percona Server will crash after receiving the new password:

      [user2@kerberos ~]$ mysql -u user2
      Password: 
      Password expired. You must change it now.
      New Kerberos 5 Password: 
      ERROR 2013 (HY000): Lost connection to MySQL server during query

      PAM configuration (/etc/pam.d/mysqld):

      auth required pam_krb5.so chpw_prompt
      account required pam_krb5.so chpw_prompt

      The environment to set up Kerberos and PS 57 is attached to this ticket. You can review the deployment in the deploy_kerberos file. You will need to create a Kerberos user once you've logged in. Instructions are provided below:

      Extract 268949.zip and cd to that directory. Start the instance by running "vagrant up". Once started, connect to the instance by running "vagrant ssh".  Then run these commands on the sandbox:

      1. Run kadmin.local and create a user called user2 and provide a password:
        [vagrant@kerberos ~]$ sudo kadmin.local
        Authenticating as principal root/admin@EXAMPLE.COM with password.
        kadmin.local: addprinc user2
        WARNING: no policy specified for user2@EXAMPLE.COM; defaulting to no policy
        Enter password for principal "user2@EXAMPLE.COM": 
        Re-enter password for principal "user2@EXAMPLE.COM": 
        Principal "user2@EXAMPLE.COM" created.
      2. In the same session, expire the password and then quit:
        kadmin.local: modify_principal -pwexpire 1995-1-1 user2
        Principal "user2@EXAMPLE.COM" modified.
        kadmin.local: quit
      3. Sudo to user2, which was previously created by the deploy script. Next, log in to mysql as user2. Provide the password you entered in Step 1. When you are prompted to enter a new Kerberos password, MySQL will crash:
        [vagrant@kerberos ~]$ sudo su - user2
        [user2@kerberos ~]$ mysql -u user2
        Password: 
        Password expired. You must change it now.
        New Kerberos 5 Password: 
        ERROR 2013 (HY000): Lost connection to MySQL server during query

      If needed, a core file will be generated in the /tmp/corefiles directory.

      The workaround would be to disallow resetting the password from PAM by passing the parameter chpw_prompt=false in /etc/pam.d/mysqld:

      auth required pam_krb5.so chpw_prompt=false
      account required pam_krb5.so chpw_prompt=false
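
A check for the workaround above, as an added example that is not part of the original ticket or of Percona's code: it parses a pam.d service file and reports, for each pam_krb5.so rule, whether chpw_prompt is on. The sample file and the function names are constructed, and only the `chpw_prompt=false` spelling shown in the ticket is treated as off.

```python
import re

# Constructed sample of a pam.d service file (not taken from the ticket's VM).
SAMPLE = """\
# /etc/pam.d/mysqld
auth     required                  pam_krb5.so chpw_prompt
account  [default=bad success=ok]  pam_krb5.so chpw_prompt=false
-session optional                  /usr/lib64/security/pam_krb5.so
auth     required                  pam_unix.so
"""

# type, control (plain word or [bracketed]), module path, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def pam_rules(text):
    """Yield (lineno, type, module, args) per rule, joining backslash continuations."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = no
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:  # comments, blank lines and "@include x" lines do not match
            yield start, m.group(1), m.group(3), m.group(4)

def chpw_state(args):
    """'enabled', 'disabled' or 'unset'. Assumption: only '=false' means off."""
    state = "unset"
    for arg in args.split():
        name, _, value = arg.partition("=")
        if name == "chpw_prompt":
            state = "disabled" if value.lower() == "false" else "enabled"
    return state

def audit(text):
    """Return [(lineno, pam_type, state)] for every pam_krb5.so rule in the file."""
    return [(no, ptype, chpw_state(args))
            for no, ptype, module, args in pam_rules(text)
            if module.rsplit("/", 1)[-1] == "pam_krb5.so"]

if __name__ == "__main__":
    for no, ptype, state in audit(SAMPLE):
        flag = "REVIEW" if state == "enabled" else "ok"
        print(f"line {no}: {ptype:8} chpw_prompt {state:8} [{flag}]")
```

A rule reported as unset carries no chpw_prompt argument on that line, so its effective value comes from outside the service file, which this script does not inspect.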

          Attachments

          1. 268949.zip
            2 kB
          2. crash_bt.txt
            37 kB
          3. crash_log.txt
            4 kB

                People

                • Assignee:
                  sergei.glushchenko Sergei Glushchenko (Inactive)
                  Reporter:
                  jaime.sicam@percona.com Jaime Sicam