[krbdev.mit.edu #2110] MIT KDC fails to handle unknown padata

Tom Yu via RT rt-comment at krbdev.mit.edu
Wed Feb 11 16:47:38 EST 2004


>>>>> "DEEngert" == DEEngert at anl gov via RT <rt-comment at krbdev.mit.edu> writes:

DEEngert> to a 1.2.8 KDC, I can get it to fail if the user principal has 
DEEngert> the REQUIRE_PRE_AUTH attribute. When it is not set the kinit works. 

DEEngert> Have you tried this combination? 

DEEngert> kinit output:
 
DEEngert> orleans.ctd.anl.gov% kinit -m b17783 at KRB5.ANL.GOV
DEEngert> kinit(v5): Preauthentication failed while getting initial credentials


DEEngert> KDC log:

DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: no valid preauth type found: Unknown code 0
DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 146.137.180.252(88): PREAUTH_FAILED: b17783 at KRB5.ANL.GOV for krbtgt/KRB5.ANL.GOV at KRB5.ANL.GOV, Preauthentication failed

I think the code is functioning as I expect it to, in this case.
After all, you require preauth, and you didn't provide any preauth
that it understood.  Or are you saying that it should ask for
additional preauth rather than returning "preauth failed"?

---Tom
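Added example, not part of the original message or of the krb5 source: a small triage script that pairs each `PREAUTH_FAILED` AS_REQ entry with a preceding `no valid preauth type found` line from the same `krb5kdc` process, the pattern shown in the quoted KDC log. It assumes the two lines are logged back to back by the same process; the function name, field names and the third sample line are constructed for illustration.

```python
import re

# The first two lines are the KDC log lines quoted in the post (the list archive
# writes "@" as " at "); the third line is constructed for contrast.
SAMPLE_LOG = """\
Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: no valid preauth type found: Unknown code 0
Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 146.137.180.252(88): PREAUTH_FAILED: b17783 at KRB5.ANL.GOV for krbtgt/KRB5.ANL.GOV at KRB5.ANL.GOV, Preauthentication failed
Feb 11 15:20:02 kdc.example.test krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 192.0.2.10(88): PREAUTH_FAILED: alice at EXAMPLE.TEST for krbtgt/EXAMPLE.TEST at EXAMPLE.TEST, Preauthentication failed
"""

# syslog prefix: timestamp, host, krb5kdc[pid], then the message
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# AS_REQ failure line: etype list, client address, client and server principals
FAILED = re.compile(
    r"^AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]*)\}\) (?P<addr>[^()\s]+)\(\d+\): "
    r"PREAUTH_FAILED: (?P<client>.+?) for (?P<server>.+?), ")
NO_VALID = "no valid preauth type found"


def classify_preauth_failures(log_text):
    """Return one dict per PREAUTH_FAILED AS_REQ. 'no_understood_padata' is True
    when the same krb5kdc process logged NO_VALID on its previous line."""
    results = []
    pending = {}  # (host, pid) -> previous line from that process was NO_VALID
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a krb5kdc syslog line
        key = (m["host"], m["pid"])
        msg = m["msg"]
        if msg.startswith(NO_VALID):
            pending[key] = True
            continue
        f = FAILED.match(msg)
        if f:
            results.append({
                "time": m["ts"],
                "client": f["client"].replace(" at ", "@"),  # undo archive obfuscation
                "addr": f["addr"],
                "etypes": [int(e) for e in f["etypes"].split()],
                "no_understood_padata": pending.get(key, False),
            })
        pending[key] = False  # any other line breaks the pairing
    return results
```
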


