[krbdev.mit.edu #6108] A client can fail to get initial creds if it changes the password while doing so.

nalin@redhat.com via RT rt-comment at krbdev.mit.edu
Wed Apr 1 22:46:12 EDT 2009


On Wed, Apr 01, 2009 at 11:21:33PM +0000, Greg Hudson via RT wrote:
> In that variation, won't your proposed fix just fail to contact a master
> KDC again, as it did earlier in step 2?

Yeah, walking through it again, either I'm missing something now, or I
missed that use_master wasn't being reset when the password was changed
inside of krb5_get_init_creds_password().

The part about continuing on in the face of a preauth-failed error from
a slave KDC still reads right, though.  For cases where libkrb5's been
told to not handle the password change internally, the caller gets a
key-expired error, changes the password by calling krb5_change_password()
directly, and subsequently can't get new creds.

Thanks,

Nalin
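
The caller-driven failure described in the message above, as an added toy model; it is not part of the original e-mail and not MIT krb5 code. The error codes, the struct kdc type, the passwords and every function name are constructed stand-ins, and the model assumes the slave KDC has not yet received the changed key.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: these codes and names are stand-ins, not libkrb5 values. */
enum err { OK = 0, KEY_EXPIRED, PREAUTH_FAILED, KDC_UNREACH };
struct kdc { const char *key; int expired; int reachable; };

/* One AS exchange against one KDC: a key mismatch shows up as preauth failed. */
static enum err as_req(const struct kdc *k, const char *password) {
    if (!k->reachable) return KDC_UNREACH;
    if (strcmp(k->key, password) != 0) return PREAUTH_FAILED;
    return k->expired ? KEY_EXPIRED : OK;
}

/* A password change lands on the master only; the slave lags behind. */
static void change_password(struct kdc *master, const char *newpw) {
    master->key = newpw;
    master->expired = 0;
}

/* Ask the slave first, then fall back to the master.
 * preauth_is_final=1: a preauth failure from the slave ends the attempt.
 * preauth_is_final=0: the slave may be stale, so the master is asked too. */
static enum err get_init_creds(const struct kdc *slave, const struct kdc *master,
                               const char *password, int preauth_is_final) {
    enum err ret = as_req(slave, password);
    if (ret == OK) return OK;
    if (ret == PREAUTH_FAILED && preauth_is_final) return ret;
    return as_req(master, password);
}

/* Caller flow: key expired, the caller changes the password itself, then
 * requests creds again before the slave has caught up. */
static enum err caller_flow(int preauth_is_final) {
    struct kdc master = { "old-pw", 1, 1 }, slave = { "old-pw", 1, 1 };
    if (get_init_creds(&slave, &master, "old-pw", preauth_is_final) != KEY_EXPIRED)
        return KDC_UNREACH;  /* not expected in this model */
    change_password(&master, "new-pw");
    return get_init_creds(&slave, &master, "new-pw", preauth_is_final);
}

int main(void) {
    printf("slave preauth failure final:   %d\n", caller_flow(1));
    printf("slave preauth failure retried: %d\n", caller_flow(0));
    return 0;
}
```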



