kerberos password change in master-slave environment
Mike Friedman
mikef at ack.Berkeley.EDU
Wed Mar 24 18:53:03 EST 2004

On Wed Mar 24 15:02:03 2004, Ken Hornstein said:
>>Could you elaborate a bit? First of all, does 'error' include just
>>incorrect password (because the new, correct, one hasn't yet propagated)?
>
> Since you asked ... currently, the following list of error codes is ones
> that the KDC will _not_ retry on:
>
> KRB5_KDC_UNREACH
> KRB5_PREAUTH_FAILED
> KRB5_LIBOS_PWDINTR
> KRB5_REALM_CANT_RESOLVE

Unfortunately, PREAUTH_FAILED corresponds to the password being deemed
incorrect, since we have requires_preauth on all user principals. So, in
our case, if the user happens to hit the secondary server right after doing
a password change, no doubt this will cause an error message. But as I
said before, I think users just try again, on the assumption they made a
typo. They'll likely hit the primary server on the next try (or two!).

Mike
------------------------------------------------------------------------------
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
------------------------------------------------------------------------------