[krbdev.mit.edu #6108] A client can fail to get initial creds if it changes the password while doing so.
nalin@redhat.com via RT
rt-comment at krbdev.mit.edu
Wed Apr 1 17:16:17 EDT 2009

On Wed, Apr 01, 2009 at 07:33:27PM +0000, Greg Hudson via RT wrote:
> Your suggested solution would only take effect in a more unlikely
> scenario, where in step 2 the client is unable to contact the master KDC
> and thus resets use_master to 0, but is able to change the password.

The variation I've seen is that there isn't an explicitly called-out
master, but several KDCs and one or more kpasswd_servers, or more likely
an admin_server.

The client attempts to get creds from a KDC, and fails, noting that the
key is expired. It's not able to resolve a master KDC for the realm, so
it resets use_master to 0. It continues on to get password-changing
creds and changes the password (the password change routine looks for a
kpasswd server, and falls back to an admin server, so this works). The
client then attempts to get creds, and because it's still talking to the
original server, it fails.

> The other part of your bug report appears to be that preauth can fail
> when talking to a slave with an out-of-date key. I can see how that
> might be true but want to talk about it with other people first.

Sure, no problem.

Thanks,
Nalin
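The sequence Nalin describes, modelled as an added simulation that is not part of the bug thread and not MIT krb5 code: a realm with one replica KDC and one master that also serves kpasswd, a principal whose password has expired, and a client whose retry goes back to the same replica when no master can be resolved. The replica still holds the old key after the change, so the encrypted-timestamp preauth of the retry fails, which is also the "slave with an out-of-date key" case Greg mentions. All names here (`Realm`, `KDC`, `get_init_creds`, the `master_configured` flag, the string `kdc-replica` and the `alice@EXAMPLE.COM` principal) are constructed stand-ins, and the result strings are labels chosen for this example rather than real krb5 error codes.

```python
# Constructed simulation of the initial-creds / password-change sequence from
# the report.  Not MIT krb5 code; every name below is an illustrative stand-in.
from dataclasses import dataclass
from typing import Dict, List, Tuple


def string_to_key(password: str) -> str:
    """Stand-in for string2key: client and KDC must derive the same key."""
    return f"key({password})"


@dataclass
class Entry:
    key: str
    expires_at: int  # password expiry on a simulated clock


class KDC:
    """One KDC with its own copy of the principal database."""

    def __init__(self, name: str, db: Dict[str, Entry]):
        self.name = name
        self.db = {p: Entry(e.key, e.expires_at) for p, e in db.items()}

    def as_req(self, princ: str, client_key: str, now: int) -> str:
        """Encrypted-timestamp preauth: the client's key must match ours."""
        entry = self.db.get(princ)
        if entry is None:
            return "CLIENT_NOT_FOUND"
        if client_key != entry.key:
            return "PREAUTH_FAILED"  # a replica still holding the old key ends up here
        if now >= entry.expires_at:
            return "KEY_EXP"  # password expired: the client must change it first
        return "OK"

    def change_password(self, princ: str, new_password: str, now: int) -> None:
        """kpasswd/admin-server side: install the new key with a fresh expiry."""
        self.db[princ] = Entry(string_to_key(new_password), now + 90)


class Realm:
    def __init__(self, replicas: List[KDC], master: KDC, master_configured: bool):
        self.replicas = replicas
        self.master = master
        # Whether the client can resolve a master KDC at all (the report's
        # variation is a realm with KDCs and an admin_server but no such entry).
        self.master_configured = master_configured

    def pick_kdc(self, use_master: bool) -> KDC:
        if use_master and self.master_configured:
            return self.master
        return self.replicas[0]  # same server every time: the problem in the report

    def propagate(self) -> None:
        """Replicas receive the master's database (the kprop step)."""
        for r in self.replicas:
            r.db = {p: Entry(e.key, e.expires_at) for p, e in self.master.db.items()}


def get_init_creds(realm: Realm, princ: str, password: str, new_password: str,
                   now: int) -> Tuple[str, List[Tuple[str, str]]]:
    """Returns (final result, the (server, result) steps the client took)."""
    steps = []
    use_master = False
    kdc = realm.pick_kdc(use_master)
    result = kdc.as_req(princ, string_to_key(password), now)
    steps.append((kdc.name, result))
    if result != "KEY_EXP":
        return result, steps
    # Expired password: the client wants the master for the retry, but if no
    # master can be resolved use_master goes back to 0 and the original server
    # is reused.  The password change itself reaches the kpasswd/admin server.
    use_master = realm.master_configured
    realm.master.change_password(princ, new_password, now)
    steps.append((realm.master.name, "PASSWORD_CHANGED"))
    kdc = realm.pick_kdc(use_master)
    result = kdc.as_req(princ, string_to_key(new_password), now)
    steps.append((kdc.name, result))
    return result, steps


def build_realm(master_configured: bool, now: int) -> Realm:
    # Constructed principal whose password expires exactly now.
    db = {"alice@EXAMPLE.COM": Entry(string_to_key("old-pw"), expires_at=now)}
    master = KDC("kdc-master", db)
    return Realm([KDC("kdc-replica", db)], master, master_configured)


if __name__ == "__main__":
    for configured in (False, True):
        realm = build_realm(configured, now=1000)
        result, steps = get_init_creds(realm, "alice@EXAMPLE.COM", "old-pw", "new-pw", 1000)
        print(f"master resolvable={configured}: {result} via {steps}")
        realm.propagate()  # once the replica has the new key the retry would succeed
        print("  after propagation:",
              realm.replicas[0].as_req("alice@EXAMPLE.COM", string_to_key("new-pw"), 1000))
```

Running it shows the two outcomes side by side: without a resolvable master the retry lands on `kdc-replica` with the new key and reports `PREAUTH_FAILED`; with one it lands on `kdc-master` and succeeds, and in both cases the replica only accepts the new key after `propagate()`.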