problem with the kinit_prompter in kfw 2.5

Jeffrey Altman jaltman at columbia.edu
Wed Feb 18 11:16:43 EST 2004


Beata A. Pruski wrote:
> I must say I don't understand why within krb5_get_init_creds_password, after 
> the first call to krb5_get_init_creds (with use_master being 0) returns 
> KRB5KDC_ERR_KEY_EXP, there is still another call made to the same function 
> with use_master set to 1. Shouldn't there be some sort of "goto" statement:
> 
> 	if (ret == KRB5KDC_ERR_KEY_EXP)
> 		goto tryprompter;
> 
> [...]
> 
> tryprompter:
> 	if ((ret == KRB5KDC_ERR_KEY_EXP) || (prompt == NULL))
> 		goto cleanup;
> [...]
> 
> which in turn would lead to the execution of the prompter (if such is given)?

Consider the situation in which the user has just changed their password
but there are multiple secondary KDCs and the password change has not 
yet been propagated from the primary KDC.  The secondary KDCs will think 
the password is still expired when in fact it has been changed. 
Therefore, if the password fails, we must attempt to contact the primary 
KDC in order to ensure that the current password is indeed contacted.


> I used kfw-2.6 to run "kinit -5" using the account with the expired password. 
> The call returned "Password expired (...)" but there was no opportunity for 
> the user to change password - prompter was not executed.
> 
> Beata

Which Beta of 2.6 did you test?
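
To make the fallback concrete, here is a small C model of the behaviour described above. It is an added illustration, not MIT Kerberos source and not code from KfW: the kdc_state and realm structs, the helper names, the error-code values and the sample realm data are all constructed for this example. The model goes a little beyond the single case in the question: it retries against the master on any replica failure other than an unreachable KDC, and only an expiry reported by the master reaches the prompter.

```c
/*
 * Added model (not MIT Kerberos source) of the KDC fallback that
 * krb5_get_init_creds_password performs before it decides a password is
 * really expired. Structs, helper names, error values and the sample
 * realm data are constructed for illustration only.
 */
#include <stdio.h>
#include <string.h>

/* Model error codes: names follow the krb5 ones, values are arbitrary. */
enum { KRB_OK = 0, KEY_EXP, PREAUTH_FAILED, KDC_UNREACH };

/* One KDC's view of the principal. A replica lags the master until the
 * password change has been propagated. */
typedef struct {
    char password[32];
    int  expired;
    int  reachable;
} kdc_state;

typedef struct {
    kdc_state master;
    kdc_state replica;
} realm;

/* Stand-in for krb5_get_init_creds: one AS exchange with either KDC. */
static int get_init_creds(realm *r, const char *password, int use_master)
{
    kdc_state *kdc = use_master ? &r->master : &r->replica;

    if (!kdc->reachable)
        return KDC_UNREACH;
    if (strcmp(kdc->password, password) != 0)
        return PREAUTH_FAILED;      /* wrong, or not yet propagated, key */
    if (kdc->expired)
        return KEY_EXP;
    return KRB_OK;
}

/* Prompter callback: the application's chance to set a new password.
 * Returns 0 when the change succeeded. */
typedef int (*prompter_fn)(realm *r, const char *new_password);

/* Stand-in for krb5_get_init_creds_password. Any replica failure except
 * "unreachable" is retried against the master, because the replica may
 * still hold the old key or the old expiry after a change. Only an expiry
 * confirmed by the master is handed to the prompter. */
static int get_init_creds_password(realm *r, const char *password,
                                   prompter_fn prompter, const char *new_pw)
{
    int ret = get_init_creds(r, password, 0);
    int ret2;

    if (ret == KRB_OK || ret == KDC_UNREACH)
        return ret;
    ret2 = get_init_creds(r, password, 1);          /* ask the master */
    if (ret2 == KDC_UNREACH)
        return ret;                 /* master down: keep the replica's error */
    ret = ret2;
    if (ret != KEY_EXP || prompter == NULL)
        return ret;                 /* not expired, or nobody to ask */
    if (prompter(r, new_pw) != 0)
        return ret;
    return get_init_creds(r, new_pw, 1);    /* retry with the new password */
}

/* Constructed prompter: changes the password on the master only, as a
 * kpasswd change would; the replica stays stale until propagation. */
static int change_password_prompter(realm *r, const char *new_password)
{
    snprintf(r->master.password, sizeof r->master.password, "%s", new_password);
    r->master.expired = 0;
    return 0;
}

/* Scenario 1: password already changed on the master, replica stale. */
static int stale_replica(void)
{
    realm r = { { "newpass", 0, 1 }, { "oldpass", 0, 1 } };
    return get_init_creds_password(&r, "newpass", change_password_prompter, "x");
}

/* Scenario 2: expired everywhere, prompter present: the change succeeds. */
static int expired_with_prompter(void)
{
    realm r = { { "oldpass", 1, 1 }, { "oldpass", 1, 1 } };
    return get_init_creds_password(&r, "oldpass", change_password_prompter,
                                   "newpass");
}

/* Scenario 3: expired everywhere, no prompter: caller just sees KEY_EXP. */
static int expired_without_prompter(void)
{
    realm r = { { "oldpass", 1, 1 }, { "oldpass", 1, 1 } };
    return get_init_creds_password(&r, "oldpass", NULL, NULL);
}

/* Scenario 4: replica says expired but the master is down: no prompter
 * runs and the replica's answer is returned as-is. */
static int master_unreachable(void)
{
    realm r = { { "oldpass", 0, 0 }, { "oldpass", 1, 1 } };
    return get_init_creds_password(&r, "oldpass", change_password_prompter,
                                   "newpass");
}

int main(void)
{
    printf("stale replica:        %d\n", stale_replica());
    printf("expired, prompter:    %d\n", expired_with_prompter());
    printf("expired, no prompter: %d\n", expired_without_prompter());
    printf("master unreachable:   %d\n", master_unreachable());
    return 0;
}
```

Scenario 1 is the case Jeffrey describes: the replica rejects the new password, the master accepts it, and the user never sees an expiry error. Scenario 2 is the only path on which the prompter runs, so if kinit reports "Password expired" without prompting, the question to ask is whether the master was reachable and what it answered.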


