problem with the kinit_prompter in kfw 2.5
Beata A. Pruski
bapruski at iastate.edu
Wed Feb 18 10:16:54 EST 2004
> >I have a hard time getting the posix prompter to run under kfw 2.5. Here is the
> >scenario:
> >- kfw 2.5 on Windows 2000/XP (with all the service packs/hotfixes/patches)
> >- user with the expired password tries to initialize tickets v.5 via kinit:
> >
> > kinit -5
> >
> >The result of the above is
> > "Cannot find KDC for requested realm" (KRB5_REALM_UNKNOWN (-1765328230L)).
> >Shouldn't it run kinit_prompter instead (which eventually should call
> >krb5_prompter_posix) giving user an opportunity to change the password? At
> >least that is what used to happen in previous version (kfw 2.1.2 for sure). Am
> >I missing something here?
>
> If you have DNS SRV record lookups turned off (either because they
> are compiled out or if you have dns_fallback=no in your libdefaults),
> this is probably a known bug (RT #1721 "get_init_creds_password: DNS
> SRV off causes bogus REALM_UNKNOWN").

Thanks. It really turned out to be a DNS lookups problem.

I must say I don't understand why within krb5_get_init_creds_password, after
the first call to krb5_get_init_creds (with use_master being 0) returns
KRB5KDC_ERR_KEY_EXP, there is still another call made to the same function
with use_master set to 1. Shouldn't there be some sort of "goto" statement:

    if (ret == KRB5KDC_ERR_KEY_EXP)
        goto tryprompter;
    [...]
    tryprompter:
    if ((ret != KRB5KDC_ERR_KEY_EXP) || (prompt == NULL))
        goto cleanup;
    [...]

which in turn would lead to the execution of the prompter (if such is given)?

> This bug should be fixed in
> the next version of KfW (the one based on krb5-1.3.2).
>
>
> You can download a beta of kfw-2.6 to make sure it's fixed:
> <http://web.mit.edu/kerberos/www/dist/testing.html#kfw-2.6>
>
>
> Hope this helps,
>
I used kfw-2.6 to run "kinit -5" using the account with the expired password.
The call returned "Password expired (...)" but there was no opportunity for
the user to change password - prompter was not executed.
Beata
> --
> --lxs
> -----------------------------------------------------------------------------
> Alexandra Ellwood <lxs at mit.edu>
> MIT Information Services & Technology http://mit.edu/lxs/www/
> -----------------------------------------------------------------------------
>
--
Beata A. Pruski, Systems Software & Microcomputer Network Services
Iowa State University, Academic Information Technologies, Ames, Iowa (USA)
268 Durham Center Ph: 515-294-5919
Ames, IA 50011-2251 E-mail: bapruski at iastate.edu
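
Added example, not part of the original message and not MIT's code: a simplified C model of the control flow discussed above, showing how an error from the use_master retry can replace the expired-key error so that the prompter never runs. All names are hypothetical; the assumptions are that the retry exists because the first KDC may hold a stale key, and that keeping the first error is one possible remedy.

```c
#include <stdio.h>

/* Constructed stand-in; only the REALM_UNKNOWN value is taken from the post. */
#define ERR_KEY_EXP       1L             /* plays the role of KRB5KDC_ERR_KEY_EXP */
#define ERR_REALM_UNKNOWN (-1765328230L) /* KRB5_REALM_UNKNOWN as quoted above */

typedef long (*prompter_fn)(void);  /* returns 0 once the password is changed */
struct kdc_env {          /* hypothetical description of the environment */
    long any_kdc_result;  /* outcome when use_master == 0 */
    long master_result;   /* outcome, or lookup failure, when use_master == 1 */
};

static long get_init_creds(const struct kdc_env *e, int use_master)
{
    return use_master ? e->master_result : e->any_kdc_result;
}

/* keep_first_error == 0: a failed master retry replaces the first error.
 * keep_first_error == 1: REALM_UNKNOWN from the retry leaves the first error. */
long get_init_creds_password(const struct kdc_env *e, prompter_fn prompter,
                             int keep_first_error, int *prompter_ran)
{
    long ret, ret2;

    *prompter_ran = 0;
    ret = get_init_creds(e, 0);
    if (ret == 0)
        return 0;
    ret2 = get_init_creds(e, 1);  /* assumption: first KDC may hold a stale key */
    if (ret2 == 0)
        return 0;
    if (!(keep_first_error && ret2 == ERR_REALM_UNKNOWN))
        ret = ret2;
    if (ret != ERR_KEY_EXP || prompter == NULL)
        goto cleanup;             /* no expiry to act on, or nobody to ask */
    *prompter_ran = 1;
    ret = prompter();
cleanup:
    return ret;
}

long always_ok_prompter(void) { return 0; }

int main(void)
{
    struct kdc_env dns_off = { ERR_KEY_EXP, ERR_REALM_UNKNOWN }; /* constructed */
    int ran;
    long r = get_init_creds_password(&dns_off, always_ok_prompter, 0, &ran);
    printf("overwrite:  ret=%ld prompter_ran=%d\n", r, ran);
    r = get_init_creds_password(&dns_off, always_ok_prompter, 1, &ran);
    printf("keep first: ret=%ld prompter_ran=%d\n", r, ran);
    return 0;
}
```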