problem with the kinit_prompter in kfw 2.5

Beata A. Pruski bapruski at iastate.edu
Wed Feb 18 10:16:54 EST 2004


> >I have a hard time getting the posix prompter to run under kfw 2.5. Here is the
> >scenario:
> >- kfw 2.5 on Windows 2000/XP (with all the service packs/hotfixes/patches)
> >- user with the expired password tries to initialize tickets v.5 via kinit:
> >
> >	kinit -5
> >
> >The result of the above is
> >  "Cannot find KDC for requested realm" (KRB5_REALM_UNKNOWN (-1765328230L)).
> >Shouldn't it run kinit_prompter instead (which eventually should call
> >krb5_prompter_posix) giving the user an opportunity to change the password? At
> >least that is what used to happen in the previous version (kfw 2.1.2 for sure). Am
> >I missing something here?
> 
> If you have DNS SRV record lookups turned off (either because they 
> are compiled out or if you have dns_fallback=no in your libdefaults), 
> this is probably a known bug (RT #1721 "get_init_creds_password: DNS 
> SRV off causes bogus REALM_UNKNOWN").  


Thanks. It really turned out to be a DNS lookups problem.

I must say I don't understand why within krb5_get_init_creds_password, after 
the first call to krb5_get_init_creds (with use_master being 0) returns 
KRB5KDC_ERR_KEY_EXP, there is still another call made to the same function 
with use_master set to 1. Shouldn't there be some sort of "goto" statement:

	if (ret == KRB5KDC_ERR_KEY_EXP)
		goto tryprompter;

[...]

tryprompter:
	/* not an expired key, or no prompter supplied: return the error */
	if ((ret != KRB5KDC_ERR_KEY_EXP) || (prompt == NULL))
		goto cleanup;
[...]

which in turn would lead to the execution of the prompter (if such is given)?



> This bug should be fixed in 
> the next version of KfW (the one based on krb5-1.3.2).
> 
> 
> You can download a beta of kfw-2.6 to make sure it's fixed: 
> <http://web.mit.edu/kerberos/www/dist/testing.html#kfw-2.6>
> 
> 
> Hope this helps,
> 

I used kfw-2.6 to run "kinit -5" using the account with the expired password. 
The call returned "Password expired (...)" but there was no opportunity for 
the user to change the password - the prompter was not executed.

Beata

> -- 
> --lxs
> -----------------------------------------------------------------------------
> Alexandra Ellwood                                               <lxs at mit.edu>
> MIT Information Services & Technology                 http://mit.edu/lxs/www/
> -----------------------------------------------------------------------------
> 

-- 
Beata A. Pruski,    Systems Software & Microcomputer Network Services
Iowa State University, Academic Information Technologies, Ames, Iowa (USA)
268 Durham Center		Ph: 515-294-5919
Ames, IA 50011-2251		E-mail: bapruski at iastate.edu
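
A simplified C model of the retry flow discussed in this message, added here as an illustration; it is not MIT Kerberos or KfW source. The error codes, `struct kdc_sim`, `init_creds` and `change_password` are hypothetical names, and the `keep_first_error` branch is an assumed way of handling the case, not the documented fix for RT #1721.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins for KRB5KDC_ERR_KEY_EXP and KRB5_REALM_UNKNOWN. */
enum { OK = 0, ERR_KEY_EXP = 1, ERR_REALM_UNKNOWN = 2 };

typedef int (*prompter_fn)(void);

/* Simulated environment: result from any KDC, and result from the master. */
struct kdc_sim { int any_kdc; int master; };

int get_creds(const struct kdc_sim *k, int use_master)
{
    return use_master ? k->master : k->any_kdc;
}

/* Hypothetical prompter: pretend the user changed the password successfully. */
int change_password(void) { return OK; }

/* keep_first_error = 0: the master's error always replaces the first one.
 * keep_first_error = 1: a failure to locate the master does not (assumption). */
int init_creds(const struct kdc_sim *k, prompter_fn prompter,
               int keep_first_error, int *prompted)
{
    int ret, ret2;

    *prompted = 0;
    ret = get_creds(k, 0);
    if (ret == OK)
        return OK;
    ret2 = get_creds(k, 1);            /* retry against the master */
    if (ret2 == OK)
        return OK;
    if (!(keep_first_error && ret2 == ERR_REALM_UNKNOWN))
        ret = ret2;
    if (ret != ERR_KEY_EXP || prompter == NULL)
        return ret;                    /* nothing the prompter can fix */
    *prompted = 1;
    return prompter();
}

int main(void)
{
    /* Constructed case: expired password, master cannot be located. */
    struct kdc_sim dns_off = { ERR_KEY_EXP, ERR_REALM_UNKNOWN };
    int prompted;
    int r = init_creds(&dns_off, change_password, 0, &prompted);
    printf("overwrite: ret=%d prompted=%d\n", r, prompted);
    r = init_creds(&dns_off, change_password, 1, &prompted);
    printf("preserve:  ret=%d prompted=%d\n", r, prompted);
    return 0;
}
```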



