krb5 error code 68

Ken Raeburn raeburn at MIT.EDU
Sun Nov 23 18:10:02 EST 2003


noolyg at yahoo.com (Noolyg) writes:

> hi, 
>
> I'm using MIT's kerberos and trying to check if a user is in the
> kerberos DB.
> The way i'm doing this is:
> retval = krb5_get_init_creds_keytab(con, &creds, user_princ, 0, 0, 0,
> 0);
> if(retval == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN) {
>     // NOT_USER;
> }
> Is there a better way?
>
> Sometimes i get the "KRB5 error code 68" for no known reason, and if i
> try again after a while, i don't get it anymore.
> Why does that happen, what does this error code mean?

According to draft-ietf-krb-wg-kerberos-referrals-02 (expired), it's
an error returned when the client principal name specified is not the
correct canonical name/realm for the principal.  It's probably only
returned by a Microsoft AD server, currently.

That doesn't explain why waiting makes it work, though....

Ken


More information about the Kerberos mailing list