problem with the kinit_prompter in kfw 2.5

Beata A. Pruski bapruski at iastate.edu
Wed Feb 18 17:59:45 EST 2004


I did some more searching within the source code (kfw-2.5) and found out that 
there are two entries in the realms section of the configuration file which 
are used for locating kdc(s). They are called "kdc" and "master_kdc", 
respectively. I did not have the second one. Once I added the "master_kdc" entry 
to krb5.ini, the prompter was executed.

The documentation I read (included with the source code) does not mention the 
"master_kdc" field. Where can I find the most current docs?

Thanks,
Beata

FYI, I tested the solution described above with kfw-2.6-beta6. The prompter is 
used for the expired password only if "master_kdc" is configured in the realms 
section.


> Beata A. Pruski wrote:
> > I must say I don't understand why within krb5_get_init_creds_password, after 
> > the first call to krb5_get_init_creds (with use_master being 0) returns 
> > KRB5KDC_ERR_KEY_EXP, there is still another call made to the same function 
> > with use_master set to 1. Shouldn't there be some sort of "goto" statement:
> > 
> > 	if (ret == KRB5KDC_ERR_KEY_EXP)
> > 		goto tryprompter;
> > 
> > [...]
> > 
> > tryprompter:
> > 	if ((ret == KRB5KDC_ERR_KEY_EXP) || (prompt == NULL))
> > 		goto cleanup;
> > [...]
> > 
> > which in turn would lead to the execution of the prompter (if such is given)?
> 
> Consider the situation in which the user has just changed their password
> but there are multiple secondary KDCs and the password change has not 
> yet been propagated from the primary KDC.  The secondary KDCs will think 
> the password is still expired when in fact it has been changed. 
> Therefore, if the password fails we must attempt to contact the Primary 
> KDC in order to ensure that current password is indeed contacted.
> 
> 
> > I used kfw-2.6 to run "kinit -5" using the account with the expired password. 
> > The call returned "Password expired (...)" but there was no opportunity for 
> > the user to change password - prompter was not executed.
> > 
> > Beata
> 
> Which Beta of 2.6 did you test?
> 

-- 
Beata A. Pruski,    Systems Software & Microcomputer Network Services
Iowa State University, Academic Information Technologies, Ames, Iowa (USA)
268 Durham Center		Ph: 515-294-5919
Ames, IA 50011-2251		E-mail: bapruski at iastate.edu



