kerberos password change in master-slave environment

Mike Friedman mikef at ack.Berkeley.EDU
Wed Mar 24 18:53:03 EST 2004


On Wed Mar 24 15:02:03 2004, Ken Hornstein said:

>>Could you elaborate a bit?  First of all, does 'error' include just
>>incorrect password (because the new, correct, one hasn't yet propagated)?
> 
> Since you asked ... currently, the following is the list of error codes
> that the KDC will _not_ retry on:
> 
> KRB5_KDC_UNREACH
> KRB5_PREAUTH_FAILED
> KRB5_LIBOS_PWDINTR
> KRB5_REALM_CANT_RESOLVE

Unfortunately, PREAUTH_FAILED corresponds to the password being deemed
incorrect, since we have requires_preauth on all user principals.  So, in
our case, if the user happens to hit the secondary server right after doing
a password change, no doubt this will cause an error message.  But as I
said before, I think users just try again, on the assumption they made a
typo.  They'll likely hit the primary server on the next try (or two!).

Mike

------------------------------------------------------------------------------
Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu
------------------------------------------------------------------------------
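A small simulation of the failure mode Mike describes, added here as an illustration rather than code from the thread or from MIT Kerberos. It assumes the retry rule is "one attempt against whichever KDC the client hits, then a retry against the master unless the error is in Ken's list" (the thread only gives the list); KDC names, principals and passwords are made up.

```python
# Model of the KDC retry rule discussed above: the client makes one attempt
# against whichever KDC it happens to hit, then retries against the master
# unless the error is in the "do not retry" set. Added example, not code from
# the thread or from MIT Kerberos; KDC/principal names and passwords are made up.
from dataclasses import dataclass, field

# The four codes Ken lists, kept as plain strings for the simulation.
NO_RETRY = {"KRB5_KDC_UNREACH", "KRB5_PREAUTH_FAILED",
            "KRB5_LIBOS_PWDINTR", "KRB5_REALM_CANT_RESOLVE"}


@dataclass
class KDC:
    name: str
    keys: dict = field(default_factory=dict)  # principal -> current password

    def as_req(self, principal, password):
        """Answer an AS-REQ from a principal that has requires_preauth set."""
        if principal not in self.keys:
            return "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"
        if self.keys[principal] != password:
            return "KRB5_PREAUTH_FAILED"   # stale or wrong key: preauth fails
        return "OK"


def get_init_creds(first_kdc, master, principal, password):
    """Return (kdc_name, result) for the client's overall attempt (assumed rule)."""
    err = first_kdc.as_req(principal, password)
    if err == "OK" or err in NO_RETRY:
        return first_kdc.name, err       # no second try against the master
    return master.name, master.as_req(principal, password)


def propagate(master, replica):
    """Simulate kprop: the replica receives a full copy of the master's database."""
    replica.keys = dict(master.keys)


if __name__ == "__main__":
    master = KDC("kdc1", {"mikef": "newpass"})   # password already changed here
    slave = KDC("kdc2", {"mikef": "oldpass"})    # change not yet propagated
    # The case from the thread: the user lands on the stale replica and is
    # told PREAUTH_FAILED, with no fall-back to the master.
    print(get_init_creds(slave, master, "mikef", "newpass"))
    # Contrast: a principal the replica has never seen is a retryable error,
    # so the same client quietly succeeds against the master.
    master.keys["newuser"] = "s3cret"
    print(get_init_creds(slave, master, "newuser", "s3cret"))
    propagate(master, slave)
    print(get_init_creds(slave, master, "mikef", "newpass"))
```

Run as-is it prints the stale-replica failure, the master fall-back for an unknown principal, and success once the change has propagated.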

