Tickets accepted upon login but still prompted for password

Donn Cave donn at drizzle.com
Sat Mar 16 01:08:20 EST 2002


Quoth ARechenberg at shermanfinancialgroup.com ("Rechenberg, Andrew"):
| Looking at the code, it looks like if I don't have a .k5login
| I should be allowed access, but the authorization is failing.
| Is this a correct assumption?

Not completely correct, or you wouldn't have a problem, but yes,
that's how it works for everyone else.  There are basically two
ways to decide authorization:

1.  You don't have a .k5login.  Rules are used to decide whether
    your principal ought to be authorized for the present account.
    Those rules can be anything in theory, but in practice they're
    like "myname at OUR.REALM is authorized for account 'myname'".

2.  You do have a .k5login - use it instead.

That's why Mark Eichin speculated that your host doesn't know its
local realm.  Something's going wrong in (1), if you can make it
work by using your own principal in (2).  If I were in your shoes,
I would get the source and build it, and find out what it's doing
in lib/krb5/os/kuserok.c.  (Or find out that the source you build
works, where the stuff you're now using doesn't.)

	Donn Cave, donn at u.washington.edu
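
The two cases in the reply above, as a simplified C model added here (not part of the original post and not the MIT code in lib/krb5/os/kuserok.c). The function names, the array standing in for the .k5login file and the sample realm names are assumptions; file ownership checks and configurable mapping rules are left out.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the decision described above; NOT the MIT code.
 * k5login: lines of the account's ~/.k5login, or NULL if the file is absent.
 * default_realm: what the host believes its local realm is (NULL if unknown). */
static int default_rule(const char *princ, const char *luser,
                        const char *default_realm)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL || default_realm == NULL)
        return 0;                       /* host does not know its realm */
    if (strcmp(at + 1, default_realm) != 0)
        return 0;                       /* foreign realm: no implicit mapping */
    size_t n = (size_t)(at - princ);
    if (memchr(princ, '/', n) != NULL)
        return 0;                       /* instance component, e.g. name/admin */
    return strlen(luser) == n && strncmp(princ, luser, n) == 0;
}

int model_kuserok(const char *princ, const char *luser,
                  const char *const *k5login, size_t nlines,
                  const char *default_realm)
{
    if (k5login != NULL) {              /* case 2: file exists, it alone decides */
        for (size_t i = 0; i < nlines; i++)
            if (strcmp(k5login[i], princ) == 0)
                return 1;
        return 0;
    }
    return default_rule(princ, luser, default_realm);   /* case 1 */
}

int main(void)
{
    const char *me = "myname@OUR.REALM";          /* constructed sample values */
    const char *const file[] = { "myname@OUR.REALM" };

    printf("no .k5login, realm known:   %d\n",
           model_kuserok(me, "myname", NULL, 0, "OUR.REALM"));
    printf("no .k5login, realm unknown: %d\n",
           model_kuserok(me, "myname", NULL, 0, NULL));
    printf("no .k5login, wrong realm:   %d\n",
           model_kuserok(me, "myname", NULL, 0, "OTHER.REALM"));
    printf(".k5login lists principal:   %d\n",
           model_kuserok(me, "myname", file, 1, NULL));
    return 0;
}
```

The second and third calls reproduce the symptom in this thread: valid tickets, no .k5login, and authorization still fails until the principal is listed explicitly.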


